Skip to content
Latchkey

kubectl create secret: Command Reference for CI/CD

Build a Secret from literals, files, or registry credentials.

kubectl create secret builds Secrets from flags: generic key/value, docker-registry pull credentials, or tls cert/key pairs. This reference covers the subcommands and the pipe-to-apply pattern that makes secret creation idempotent in re-run pipelines.

Common flags and usage

  • create secret generic <name> --from-literal=k=v: inline key/value
  • --from-file=<path>: load a file as a Secret key
  • --from-env-file=<file>: load many keys from a dotenv file
  • create secret docker-registry: an imagePullSecret
  • create secret tls <name> --cert=... --key=...: a TLS pair

Example

shell
kubectl create secret generic db-creds \
  --from-literal=password=${DB_PASSWORD} \
  --dry-run=client -o yaml | kubectl apply -f -

kubectl create secret docker-registry regcred \
  --docker-server=ghcr.io --docker-username=ci \
  --docker-password=${{ secrets.GHCR_TOKEN }} \
  --dry-run=client -o yaml | kubectl apply -f -

In CI

A plain create secret fails with AlreadyExists on a re-run. Pipe through apply (--dry-run=client -o yaml | kubectl apply -f -) so the value is updated idempotently. Pass secret values from your CI secret store, never inline literals committed to the repo.

Key takeaways

  • create-pipe-apply makes secret creation idempotent across re-runs.
  • docker-registry secrets are the standard imagePullSecret.
  • Source values from the CI secret store, not committed literals.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →