How To Copy Kubernetes Secret Between Namespaces


How can I copy a Kubernetes secret from one namespace to a different namespace? A Secret is a Kubernetes object that stores sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in an image, but for sharing across Pods and services it is better stored as a Kubernetes object. Kubernetes cluster users can create secrets, and the system also creates some secrets.

In this guide we will copy a secret already created in a namespace (or project, if using OpenShift) and apply it to a different namespace. This is often applicable to secrets such as registry secrets, shared Git credentials, SSL certificates and keys, shared API credentials, etc. We will create a test secret and show you how to copy it from one project to another.

Creating Kubernetes Secrets

We will create a secret with a username and password from files.

echo -n 'admin' > ./username.txt
echo -n 'Password' > ./password.txt

Run the kubectl create secret command to package these files into a Secret and create the object on the API server.

$ kubectl create secret generic my-user-pass --from-file=./username.txt --from-file=./password.txt
secret/my-user-pass created

You can also create a Secret directly with kubectl, without a file.

kubectl create secret generic my-user-pass --from-literal='username=admin' --from-literal='password=Password'

The name of a Secret object must be a valid DNS subdomain name.

List secrets:

$ kubectl get secrets

Converting your secret data to base-64

This is how you manually convert secret data to its base64 representation:

$ echo -n 'admin' | base64

$ echo -n 'Password' | base64

Your YAML manifest file will look like the one below.

apiVersion: v1
kind: Secret
metadata:
  name: my-user-pass
type: Opaque
data:
  username: YWRtaW4=
  password: UGFzc3dvcmQ=

Copy Kubernetes Secrets Between Namespaces

Use the following command syntax to copy a secret from one namespace to a different namespace.

kubectl get secret <secret-name> \
  --namespace=<source-namespace> \
  --export -o yaml | \
  kubectl apply --namespace=<destination-namespace> -f -

In my example I’ll run:

kubectl get secret my-user-pass \
  --namespace=namespace1 \
  --export -o yaml | \
  kubectl apply --namespace=namespace2 -f -

Command execution output:

secret/my-user-pass created

Confirm secret creation in the namespace.

$ kubectl get secret -n namespace2 my-user-pass
my-user-pass Opaque 2    38s

Decode the secret to confirm the data is correct (the values are base64-encoded, not encrypted):

kubectl get secret -n $namespace $secret_name -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'

Command output:

password.txt: Password
username.txt: admin

If you have jq, you can use the following command to decode.

$ kubectl get secret my-user-pass -o json | jq '.data | map_values(@base64d)'

{
  "password.txt": "Password",
  "username.txt": "admin"
}

Copy Secret between Kubernetes Clusters

For separate clusters you need to save the secret to a file.

$ kubectl get secret <secret-name> --export -o yaml > secret-name.yaml

Then copy the secret to where you’re authenticated on the other cluster and apply.

$ kubectl apply -f secret-name.yaml

Confirm the secret has been created.

$ kubectl get secret

If you’ve configured kubectl with multiple contexts, you can use the following approach:

$ kubectl get secret <secret-name> --context <source-context> --export -o yaml \
 | kubectl apply --context <destination-context> -f -
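
Newer kubectl releases no longer accept --export (the flag was removed in 1.18), and without it the exported manifest still carries the source namespace and server-set metadata. The following is an added example, not part of the original guide: it strips those fields from `kubectl get secret -o json` output so the manifest can be applied in another namespace or cluster. The function name prepare_copy and the sample values are assumptions made for illustration.

```python
import json

# Fields the API server fills in; carrying them over makes the apply fail
# (namespace mismatch, stale resourceVersion/uid) or drags in old owners.
SERVER_FIELDS = {"namespace", "uid", "resourceVersion", "creationTimestamp",
                 "selfLink", "generation", "managedFields", "ownerReferences"}
# Written by `kubectl apply`; can embed a full copy of the old object.
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

# Constructed sample of `kubectl get secret my-user-pass -n namespace1 -o json`.
SAMPLE = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {
        "name": "my-user-pass", "namespace": "namespace1",
        "uid": "00000000-0000-0000-0000-000000000000",
        "resourceVersion": "12345",
        "creationTimestamp": "2020-01-01T00:00:00Z",
        "labels": {"app": "demo"},
        "annotations": {LAST_APPLIED: "{...}"},
    },
    "data": {"username.txt": "YWRtaW4=", "password.txt": "UGFzc3dvcmQ="},
})


def prepare_copy(secret_json, target_namespace):
    """Return a Secret manifest (dict) ready to apply in target_namespace."""
    src = json.loads(secret_json)
    if src.get("kind") != "Secret":
        raise ValueError("expected one Secret, got kind=%r" % src.get("kind"))
    if src.get("type") == "kubernetes.io/service-account-token":
        # Bound to a ServiceAccount in the source namespace; not portable.
        raise ValueError("refusing to copy a service account token secret")
    meta = {k: v for k, v in src.get("metadata", {}).items()
            if k not in SERVER_FIELDS}
    notes = {k: v for k, v in meta.pop("annotations", {}).items()
             if k != LAST_APPLIED}
    if notes:
        meta["annotations"] = notes
    meta["namespace"] = target_namespace
    out = {k: v for k, v in src.items() if k != "metadata"}
    out["metadata"] = meta
    return out


if __name__ == "__main__":
    # Offline demo on the sample; pipe the printed JSON to `kubectl apply -f -`.
    print(json.dumps(prepare_copy(SAMPLE, "namespace2"), indent=2))
```

To use it in a pipe, feed `sys.stdin.read()` to prepare_copy instead of SAMPLE and send the printed JSON to `kubectl apply -f -`, which accepts JSON as well as YAML.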

That is how you can easily copy a secret between namespaces in Kubernetes and OpenShift clusters.

