kubectl create secret: Manage Secrets in CI
Create generic, TLS, or docker-registry secrets from literals or files.
kubectl create secret materializes a Secret from literals, files, or registry credentials. In CI it injects credentials a workload needs. Because create fails if the secret exists, pipelines often pair it with --dry-run=client -o yaml | kubectl apply -f - for idempotency.
Common flags
generic NAME --from-literal=k=v- key/value secretgeneric NAME --from-file=path- file-backed secretdocker-registry NAME --docker-server/--docker-username/--docker-password- pull secret--dry-run=client -o yaml- render without creating (for apply piping)
Example in CI
Create-or-update a secret idempotently.
shell
kubectl create secret generic api-env \
--from-literal=DB_PASS="${DB_PASS}" -n prod \
--dry-run=client -o yaml | kubectl apply -f -Common errors in CI
- secrets "api-env" already exists - use the dry-run | apply pattern for idempotency
- error reading ...: no such file or directory - --from-file path wrong
- Forbidden: secrets is forbidden - RBAC denies create on secrets
Key takeaways
- Creates generic, TLS, or registry-pull secrets in CI.
- Pipe --dry-run=client -o yaml into kubectl apply for idempotency.
- A bare create fails with AlreadyExists on re-run.
Related guides
kubectl apply: Deploy Manifests in CIApply Kubernetes manifests declaratively in CI: the flags you use most, a pipeline example, and the apply err…
kubectl delete: Remove Resources in CIDelete Kubernetes resources in CI: file, selector, and ignore-not-found flags, a cleanup example, and the err…
kubectl get pods: Inspect Pods in CIList and inspect pods in CI: output and selector flags, a scripting example, and the errors that point to acc…