
How to create a secret file in kubernetes

I have a YAML file which I used to create a secret using the command below.

kubectl create secret generic -n <NAMESPACE> gitlab-openid-connect --from-file=provider=provider.yaml

Below is Provider.yaml:

name: 'openid_connect'
label: 'OpenID SSO Login'
args:
  name: 'openid_connect'
  scope: ['openid','profile','email']
  response_type: 'code'
  issuer: 'https://keycloak.example.com/auth/realms/myrealm'
  discovery: true
  client_auth_method: 'basic'
  client_options:
    identifier: 'gitlab.example.com-oidc'
    secret: '<keycloak clientID secret>'
    redirect_uri: 'https://gitlab.example.com/users/auth/openid_connect/callback'

I want to convert it into a Secret yaml file so that I can run kubectl apply -f provider.yaml

I tried to create the file below, but it does not work, provider-new.yaml

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: 'openid_connect'
  label: 'OpenID SSO Login'
data:
  scope: ['openid','profile','email']
  response_type: 'code'
  issuer: 'url'
  discovery: true
  client_auth_method: 'basic'
  client_options:
    identifier: 'identifier'
    secret: 'secret-key'
    redirect_uri: 'url'

To make this work you need to use --from-env-file instead of --from-file. And the file containing the variables should be in plain text.

To create a Secret from one or more files, use --from-file or --from-env-file. The file must be plaintext, but the extension of the file does not matter.

When you create the Secret using --from-file, the value of the Secret is the entire contents of the file. If the value of your Secret contains multiple key-value pairs, use --from-env-file instead.

File provider.yaml with variables:

scope= ['openid','profile','email']
response_type= 'code'
issuer= 'url'
discovery= true
client_auth_method= 'basic'
identifier= 'identifier'
secret= 'secret-key'
redirect_uri= 'url'

kubectl create secret generic -n default gitlab-openid-connect --from-env-file=provider.yaml

Result:

apiVersion: v1
data:
  client_auth_method: ICdiYXNpYyc=
  discovery: IHRydWU=
  identifier: ICdpZGVudGlmaWVyJw==
  issuer: ICd1cmwn
  redirect_uri: ICd1cmwn
  response_type: ICdjb2RlJw==
  scope: IFsnb3BlbmlkJywncHJvZmlsZScsJ2VtYWlsJ10=
  secret: ICdzZWNyZXQta2V5Jw==
kind: Secret
metadata:
  creationTimestamp: null
  name: gitlab-openid-connect
  namespace: default

Another thing is that it isn't possible to establish a hierarchy in the secret data scope, so the following isn't gonna work:

client_options
  identifier= 'identifier'
  secret= 'secret-key'
  redirect_uri= 'url'

source: google cloud
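
The manifest the question asks for, as an added example that is not part of the original posts: it keeps the whole provider.yaml under a single `provider` key, as the question's `--from-file=provider=provider.yaml` command does, and base64-encodes it as a Secret's `data` values require. The function names are hypothetical, the namespace `default` is taken from the answer's command, and `decode_data` shows what a manifest really stores (run on the Result above, it returns values that still carry the leading space and quotes from the env file).

```python
import base64
import re

# Object names must be lowercase DNS-1123 subdomains: 'openid_connect' (underscore) is rejected.
NAME_RE = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*")
KEY_RE = re.compile(r"[-._a-zA-Z0-9]+")  # characters allowed in a data key

# Constructed sample input: the provider.yaml from the question, placeholder secret kept.
PROVIDER_YAML = """\
name: 'openid_connect'
label: 'OpenID SSO Login'
args:
  name: 'openid_connect'
  scope: ['openid','profile','email']
  response_type: 'code'
  issuer: 'https://keycloak.example.com/auth/realms/myrealm'
  discovery: true
  client_auth_method: 'basic'
  client_options:
    identifier: 'gitlab.example.com-oidc'
    secret: '<keycloak clientID secret>'
    redirect_uri: 'https://gitlab.example.com/users/auth/openid_connect/callback'
"""

def secret_manifest(name, namespace, files):
    """Build a Secret manifest; each data value is base64 of one whole file."""
    if len(name) > 253 or not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid Secret name: {name!r}")
    lines = ["apiVersion: v1", "kind: Secret", "type: Opaque", "metadata:",
             f"  name: {name}", f"  namespace: {namespace}", "data:"]
    for key, content in sorted(files.items()):
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"invalid data key: {key!r}")
        lines.append(f"  {key}: {base64.b64encode(content.encode()).decode()}")
    return "\n".join(lines) + "\n"

def decode_data(manifest):
    """Decode the data section of a manifest to see the exact stored bytes as text."""
    out, in_data = {}, False
    for line in manifest.splitlines():
        if not line.startswith("  "):
            in_data = line.strip() == "data:"
        elif in_data:
            key, _, value = line.strip().partition(": ")
            out[key] = base64.b64decode(value).decode()
    return out

if __name__ == "__main__":
    print(secret_manifest("gitlab-openid-connect", "default", {"provider": PROVIDER_YAML}))
```

Base64 is an encoding, not encryption, so the generated file holds the Keycloak client secret in recoverable form and needs the same handling as the plaintext provider.yaml.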
