kubectl create secret: Command Reference for CI/CD
Build a Secret from literals, files, or registry credentials.
kubectl create secret builds Secrets from flags: generic key/value, docker-registry pull credentials, or tls cert/key pairs. This reference covers the subcommands and the pipe-to-apply pattern that makes secret creation idempotent in re-run pipelines.
Common flags and usage
- create secret generic <name> --from-literal=k=v: inline key/value
- --from-file=<path>: load a file as a Secret key
- --from-env-file=<file>: load many keys from a dotenv file
- create secret docker-registry: an imagePullSecret
- create secret tls <name> --cert=... --key=...: a TLS pair
Example
shell
kubectl create secret generic db-creds \
--from-literal=password=${DB_PASSWORD} \
--dry-run=client -o yaml | kubectl apply -f -
kubectl create secret docker-registry regcred \
--docker-server=ghcr.io --docker-username=ci \
--docker-password=${{ secrets.GHCR_TOKEN }} \
--dry-run=client -o yaml | kubectl apply -f -In CI
A plain create secret fails with AlreadyExists on a re-run. Pipe through apply (--dry-run=client -o yaml | kubectl apply -f -) so the value is updated idempotently. Pass secret values from your CI secret store, never inline literals committed to the repo.
Key takeaways
- create-pipe-apply makes secret creation idempotent across re-runs.
- docker-registry secrets are the standard imagePullSecret.
- Source values from the CI secret store, not committed literals.
Related guides
kubectl Cheat Sheet: Commands for Everyday KubernetesA kubectl cheat sheet - get, describe, logs, apply, rollout, debug, and context commands for daily Kubernetes…
kubectl create configmap: Command Reference for CI/CDReference for kubectl create configmap: build a ConfigMap from literals, files, or a directory, the create-pi…
kubectl rollout restart: Command Reference for CI/CDReference for kubectl rollout restart: trigger a fresh rolling restart with no spec change, to pick up a rota…
kubectl apply: Command Reference for CI/CDReference for kubectl apply: declarative create-or-update from manifests, server-side apply, dry-run validati…