Skip to content
Latchkey

kubectl create secret: Manage Secrets in CI

Create generic, TLS, or docker-registry secrets from literals or files.

kubectl create secret materializes a Secret from literals, files, or registry credentials. In CI it injects credentials a workload needs. Because create fails if the secret exists, pipelines often pair it with --dry-run=client -o yaml | kubectl apply -f - for idempotency.

Common flags

  • generic NAME --from-literal=k=v - key/value secret
  • generic NAME --from-file=path - file-backed secret
  • docker-registry NAME --docker-server/--docker-username/--docker-password - pull secret
  • --dry-run=client -o yaml - render without creating (for apply piping)

Example in CI

Create-or-update a secret idempotently.

shell
kubectl create secret generic api-env \
  --from-literal=DB_PASS="${DB_PASS}" -n prod \
  --dry-run=client -o yaml | kubectl apply -f -

Common errors in CI

  • secrets "api-env" already exists - use the dry-run | apply pattern for idempotency
  • error reading ...: no such file or directory - --from-file path wrong
  • Forbidden: secrets is forbidden - RBAC denies create on secrets

Key takeaways

  • Creates generic, TLS, or registry-pull secrets in CI.
  • Pipe --dry-run=client -o yaml into kubectl apply for idempotency.
  • A bare create fails with AlreadyExists on re-run.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →