You can support us by downloading this article as PDF from the Link below. Download the guide as PDF

How can I copy a Kubernetes secret from one namespace to a different namespace?. A Secret is a Kubernetes object that stores sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in an image but for sharing across Pods and services it is better be done as Kubernetes object. Kubernetes cluster users can create secrets and the system also creates some secrets.

In this guide we will copy a secret already created in a namespace or project if using OpenShift and apply it to a different namespace. This is often applicable to secrets such registry secrets, shared git credentials, SSL Certificates and Keys, shared API credentials e.t.c. We will create a test secret and show you how to copy it from one project to another.

Creating Kubernetes Secrets

We will create a secret with username and password from file.

echo -n 'admin' > ./username.txt
echo -n 'Password' > ./password.txt

Run the kubectl create secret command to package these files into a Secret and create the object on the API server.

$ kubectl create secret generic my-user-pass --from-file=./username.txt --from-file=./password.txt
secret/my-user-pass created

You can as well create a Secret directly with kubectl without file.

kubectl create secret generic my-user-pass --from-literal='username=admin' --from-literal='password=Password'

The name of a Secret object must be a valid DNS subdomain name.

List secrets:

$ kubectl get secrets

Converting your secret data to base-64

This is how you’ll manually convert a secret data to a base-64 representation:

$ echo -n 'admin' | base64

$ echo -n 'Password' | base64

Your yaml manifest file will like below.

apiVersion: v1
kind: Secret
  name: my-user-pass
  username: YWRtaW4=
  password: UGFzc3dvcmQ=

Copy Kubernetes Secrets Between Namespaces

Use the following command syntax to copy a secret from one namespace to a different namespace.

kubectl get secret <secret-name> \
  --namespace=<source-nemespace> \
  --export -o yaml | \
  kubectl apply --namespace=<new-namespace> -f -

In my example I’ll run:

kubectl get secret my-user-pass \
  --namespace=namespace1 \
  --export -o yaml | \
  kubectl apply --namespace=namespace2 -f -

Command execution output:

secret/my-user-pass created

Confirm secret creation in the namespace.

$ kubectl get secret -n namespace2 my-user-pass
my-user-pass Opaque 2    38s

Decrypt secret to confirm data is correct:

kubectl get secret -n $namespace $secret_name -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'

Command output:

password.txt: Password
username.txt: admin

If you have jq you can use the following command to decrypt.

$ kubectl get secret my-user-pass -o json | jq '.data | map_values(@base64d)'
  "password.txt": "Password",
  "username.txt": "admin"


That is how you can easily copy secret between namespaces in Kubernetes and OpenShift Cluster.

Kubernetes Learning Videos:

in stock
in stock
in stock

More guides:

Using Horizontal Pod Autoscaler on Kubernetes EKS Cluster

How to force delete a Kubernetes Namespace

How To Migrate Docker Compose Application to Kubernetes With Kompose

You can support us by downloading this article as PDF from the Link below. Download the guide as PDF