Working with secrets in the oc terminal can speed up work for routine tasks. In this blog post, we review sample commands to perform these typical tasks on a secret:
- create a secret
- view the secret
- back up the secret
- update/change the secret
- restore the secret
Create a secret
First, we create a secret called mysecret1 to work with in the rest of the samples.
oc create secret generic mysecret1 --from-literal=username=myuser1 --from-literal=password=mypwd1
secret/mysecret1 created
View the secret
Now we can view the contents of the secret right at the terminal with the following command:
oc extract secret/mysecret1 --to=-
# password
mypwd1
# username
myuser1
Please note that this command prints the secret key values in plain text (decoded from the base64 form in which they are stored). Do not run it in front of other people or on a remote session on secrets with data that should not be shared.
Back up the secret
We can back up secret data to the file system with the following command:
oc extract secret/mysecret1 --to=./mysecret1_backup --confirm
mysecret1_backup/password
mysecret1_backup/username
An explanation of the parameters:
--to=./mysecret1_backup: create the secret files in this subdirectory
--confirm: forces the creation of the directory
We can change directories to the subdirectory, and verify the files and their contents:
cd mysecret1_backup
tail -n +1 *
==> password <==
mypwd1
==> username <==
myuser1
There is one file for each secret key. The content of the file is the key value. Again, the values are written in plain text. Do not send or upload this information to anyone who should not see it.
Update/change the secret
We can update the secret data with the following command, for example:
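oc patch secret mysecret1 -p '{"data":{"password": "'$(echo -n "mypwd2" | base64)'"}}'
The command above updates the value of the password key. In other words, we change the password from "mypwd1" to "mypwd2". The -n flag stops echo from appending a newline, which would otherwise be encoded and stored as part of the password.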
It is possible to update multiple key values at once, and to add new key/value pairs. For example:
oc patch secret mysecret1 -p '{"data":{"password": "'$(echo -n "mypwd3" | base64)'", "accountname": "'$(echo -n "myaccount1" | base64)'" }}'
In the command above, we updated the password key value again, and also added a new key "accountname" with the value of "myaccount1".
We can verify the results by viewing the secret:
oc extract secret/mysecret1 --to=-
# accountname
myaccount1
# password
mypwd3
# username
myuser1
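The patch body for the update step can also be built by a small helper, shown here as an added example that is not part of the original post. The function names b64 and secret_patch are hypothetical; the helper encodes each value without a trailing newline or line wraps and rejects key names a secret cannot hold.

```shell
#!/bin/sh
# Added example (not from the original post): build the JSON body for
# `oc patch secret` from key=value pairs.

# Encode one value. printf '%s' adds no trailing newline (plain echo would
# store "value\n"), and tr strips the line wraps base64 adds to long output.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# secret_patch key=value [key=value ...]  ->  {"data":{"key":"<base64>",...}}
secret_patch() {
    body=""
    for pair in "$@"; do
        case $pair in
            *=*) ;;
            *) echo "expected key=value, got: $pair" >&2; return 1 ;;
        esac
        key=${pair%%=*}      # text before the first "="
        value=${pair#*=}     # everything after it, so values may contain "="
        # Secret keys may only contain alphanumerics, "-", "_" and ".".
        case $key in
            ''|*[!A-Za-z0-9._-]*) echo "invalid secret key: $key" >&2; return 1 ;;
        esac
        body="${body:+$body,}\"$key\":\"$(b64 "$value")\""
    done
    printf '{"data":{%s}}' "$body"
}

# Constructed sample values, matching the post's second patch command.
secret_patch password=mypwd3 accountname=myaccount1
echo
# Against a cluster (requires a logged-in oc session):
#   oc patch secret mysecret1 -p "$(secret_patch password=mypwd3 accountname=myaccount1)"
```

Passing the values as arguments still leaves them in shell history; for real credentials, read them from a file or a prompt instead.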
Restore the secret
We must delete the secret first. Then, we can use the backup we generated to restore the secret with its original data.
oc delete secret mysecret1
secret "mysecret1" deleted
oc create secret generic mysecret1 --from-file=./mysecret1_backup
secret/mysecret1 created
In the command above, the --from-file=./mysecret1_backup parameter references the subdirectory we created when we backed up the secret.
We can verify the results by viewing the secret:
oc extract secret/mysecret1 --to=-
# password
mypwd1
# username
myuser1