How to generate a random string / password in Kubernetes secrets

For now, I deploy my application pods using static files and one of them is app-secrets.yaml with all secrets to deploy an application

apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  root: xxxxxx
  user1: xxxxxx
  user2: xxxxxx

but this is neither secure nor convenient (if I need another app instance, I have to create another file with a human-generated password).

I'm looking to generate random passwords at application creation but I don't know if it's possible. I've already looked at the secret topic and especially secretGenerator, but this is not directly what I want as I understand it, because it does not create a random string but a random secret name like secret/app-secrets-ssdsdfmfh4k, and I still have to provide the passwords.


  • You may want to use kubernetes-secret-generator. I've tested it and it's doing exactly what you need.

    To accomplish it you have to have helm in your cluster and follow these instructions:

    Clone repository

    $ git clone

    Create helm deployment

    $ helm upgrade --install secret-generator ./deploy/chart

    Now, to use it, you just have to

    Add annotation to any Kubernetes secret object. The value of the annotation can be a field name (or comma separated list of field names) within the secret; the SecretGeneratorController will pick up this annotation and add a field [or fields] (password in the example below) to the secret with a randomly generated string value. From here.

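    $ kubectl apply -f mysecret.yaml
    # Contents of mysecret.yaml:
    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
      annotations:
        # Placeholder: the annotation key is missing from this page; use the key given in the kubernetes-secret-generator documentation.
        <autogenerate-annotation-key>: password
    data:
      username: UGxlYXNlQWNjZXB0Cg==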

    After applying this secret you can take a look at it to check if the password was generated as expected:

    $ kubectl get secrets mysecret -o yaml
    apiVersion: v1
    data:
      password: dnVKTDBJZ0tFS1BacmtTMnBuc3d2YWs2YlZsZ0xPTUFKdStDa3dwUQ==
      username: UGxlYXNlQWNjZXB0Cg==
    kind: Secret
    metadata:
      annotations: |
          {"apiVersion":"v1","data":{"username":"UGxlYXNlQWNjZXB0Cg=="},"kind":"Secret","metadata":{"annotations":{"":"password"},"name":"mysecret","namespace":"default"}} password 2020-01-09 14:29:44.397648062
          +0000 UTC m=+664.011602557 "yes"
      creationTimestamp: "2020-01-09T14:29:44Z"
      name: mysecret
      namespace: default
      resourceVersion: "297425"
      selfLink: /api/v1/namespaces/default/secrets/mysecret
      uid: 7ae42d71-32ec-11ea-92b3-42010a800009
    type: Opaque

    As we can see, the password was generated.
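
An added example, not part of the question, the answer, or the kubernetes-secret-generator project: a client-side shell sketch that renders the question's `app-secrets` manifest with a fresh random value per field, so no human-chosen password is stored in a static file. The function names, the 32-character length and the alphanumeric alphabet are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: function names, length and alphabet are assumptions,
# not the controller's implementation.

# gen_password LEN: print LEN random characters from [A-Za-z0-9],
# drawn from the kernel CSPRNG.
gen_password() {
    len="${1:-32}"
    # LC_ALL=C keeps tr byte-oriented on random input; head stops the
    # pipeline once LEN characters have passed the filter.
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# render_secret NAME FIELD...: print an Opaque Secret manifest with one
# freshly generated value per field.
render_secret() {
    name="$1"; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for field in "$@"; do
        # Values under data: must be base64. That is an encoding, not
        # encryption: anyone who can read the Secret can decode it.
        value="$(gen_password 32 | base64 | tr -d '\n')"
        printf '  %s: %s\n' "$field" "$value"
    done
}

# Usage (needs cluster access, so it is left commented out). Piping to
# kubectl keeps the generated values out of files and version control:
#   render_secret app-secrets root user1 user2 | kubectl apply -f -
```

Re-running the command overwrites the existing values with new ones, so apply it once per application instance and treat later runs as a password rotation.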