Kubernetes Secrets are... key-value pairs of secrets. You can create one by passing in either raw strings (`stringData`) or base64-encoded strings (`data`).
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: a-secret
stringData:
  foo: aaa
  bar: bbb
data:
  hello: Y2Nj
  world: ZGRk
```
While the `stringData` field is certainly convenient for both writing and reviewing, it unfortunately has problems when you try to remove a field. Apply the following updated version:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: a-secret
stringData:
  foo: aaa
data:
  hello: Y2Nj
```
And you get this. Note `bar` is set to an empty string while `world` is correctly removed.
```yaml
apiVersion: v1
data:
  bar: ""
  foo: YWFh
  hello: Y2Nj
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"hello":"Y2Nj"},"kind":"Secret","metadata":{"annotations":{},"name":"a-secret","namespace":"default"},"stringData":{"foo":"aaa"}}
  creationTimestamp: "2021-07-31T08:09:07Z"
  name: a-secret
  namespace: default
  resourceVersion: "1346808"
  uid: 1ea0a085-fe05-4244-bdd2-79a9f6e9c51d
type: Opaque
```
What can you do about this? You could just never use `stringData`, or use `kustomize` or the like to create a new secret every time.