
Secret types (Opaque, docker-registry, TLS) in Kubernetes - Commands & Configuration

Introduction
Kubernetes Secrets keep sensitive information like passwords or certificates out of pod configuration files. Different secret types help Kubernetes understand how to use the stored data correctly. Values in a Secret manifest are base64-encoded, which is an encoding and not encryption, so treat the manifest file itself as sensitive.

  • When you need to store a username and password for accessing a private Docker registry.
  • When you want to keep TLS certificates safe for your web server inside the cluster.
  • When you have custom sensitive data like API keys or tokens that your app needs.
  • When you want to avoid putting sensitive info directly in your pod configuration files.
  • When you want Kubernetes to handle secret data securely and inject it into your containers.

Config File - secrets.yaml
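# Generic key/value secret; the api-key value decodes to "apikey123".
apiVersion: v1
kind: Secret
metadata:
  name: my-opaque-secret
type: Opaque
data:
  api-key: YXBpa2V5MTIz
---
# Registry credentials: the single key holds a base64-encoded Docker config JSON.
apiVersion: v1
kind: Secret
metadata:
  name: my-docker-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsidXNlcm5hbWUiOiJteXVzZXIiLCJwYXNzd29yZCI6Im15cGFzc3dvcmQiLCJhdXRoIjoiTXlBdXRoVG9rZW4ifX19
---
# TLS secret: both keys are required. The values here are placeholders that
# decode to a PEM header line only, not a usable certificate or key.
apiVersion: v1
kind: Secret
metadata:
  name: my-tls-secret
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCg==
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQo=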

This file defines three secrets:

  • Opaque: Stores generic base64-encoded data like API keys.
  • docker-registry: Stores Docker registry credentials in a JSON format.
  • TLS: Stores TLS certificate and private key for secure communication.

Kubernetes uses the type field to know how to handle each secret.

Commands
This command creates the three secrets in Kubernetes from the secrets.yaml file.
Terminal
kubectl apply -f secrets.yaml
Expected Output
secret/my-opaque-secret created
secret/my-docker-secret created
secret/my-tls-secret created
This command lists all secrets in the current namespace to verify they were created.
Terminal
kubectl get secrets
Expected Output
NAME               TYPE                             DATA   AGE
my-opaque-secret   Opaque                           1      10s
my-docker-secret   kubernetes.io/dockerconfigjson   1      10s
my-tls-secret      kubernetes.io/tls                2      10s
This command shows detailed info about the docker-registry secret, confirming its type and data keys.
Terminal
kubectl describe secret my-docker-secret
Expected Output
Name:         my-docker-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  223 bytes
Key Concept

If you remember nothing else from this pattern, remember: Kubernetes secret types tell the system how to use and interpret your sensitive data correctly.

Common Mistakes

  • Creating a secret with type Opaque but storing Docker registry credentials without proper JSON format.
    Kubernetes won't recognize the data as Docker credentials, so image pulls from private registries will fail.
    Use type kubernetes.io/dockerconfigjson and encode the Docker config JSON correctly.

  • Storing TLS certificates in a secret with type Opaque instead of kubernetes.io/tls.
    Kubernetes and some tools expect TLS secrets to have specific keys and type to work properly.
    Use type kubernetes.io/tls and include tls.crt and tls.key keys with base64-encoded data.

  • Not base64 encoding secret data before applying the secret manifest.
    Kubernetes requires secret data to be base64 encoded; otherwise, it rejects the secret or stores invalid data.
    Always base64 encode your secret values before adding them to the manifest.

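
A pre-apply check for the three mistakes listed above, as an added example that is not part of the original page. It takes one Secret manifest as a Python dict (for instance loaded from the JSON form of the manifest); the name `lint_secret`, the `auths` check and the PEM check are this example's own choices, and plaintext that happens to be valid base64 will still pass.

```python
import base64
import json

# Keys each typed Secret must carry in .data, as in the manifest above.
REQUIRED_KEYS = {
    "kubernetes.io/dockerconfigjson": [".dockerconfigjson"],
    "kubernetes.io/tls": ["tls.crt", "tls.key"],
}

def lint_secret(manifest):
    """Return a list of problems in one Secret manifest given as a dict."""
    problems = []
    stype = manifest.get("type", "Opaque")  # Opaque is the default type
    data = manifest.get("data") or {}
    decoded = {}
    for key, value in data.items():
        try:
            # validate=True rejects characters outside the base64 alphabet.
            decoded[key] = base64.b64decode(value, validate=True)
        except (ValueError, TypeError):
            problems.append(f"{key}: value is not valid base64")
    for key in REQUIRED_KEYS.get(stype, []):
        if key not in data:
            problems.append(f"{stype} requires key {key}")
    if ".dockerconfigjson" in decoded:
        try:
            cfg = json.loads(decoded[".dockerconfigjson"])
            if not isinstance(cfg, dict) or "auths" not in cfg:
                problems.append(".dockerconfigjson: no 'auths' object")
        except ValueError:
            problems.append(".dockerconfigjson: not valid JSON")
        if stype != "kubernetes.io/dockerconfigjson":
            problems.append(f"registry credentials stored as type {stype}")
    if stype == "Opaque" and {"tls.crt", "tls.key"} <= set(data):
        problems.append("TLS key pair stored as type Opaque")
    for key in ("tls.crt", "tls.key"):
        if key in decoded and b"-----BEGIN " not in decoded[key]:
            problems.append(f"{key}: decoded value is not PEM")
    return problems

if __name__ == "__main__":
    # Constructed sample: raw (unencoded) value, the third mistake above.
    raw = {"kind": "Secret", "type": "Opaque", "data": {"api-key": "apikey123"}}
    print(lint_secret(raw))
```
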
Summary

  • Create secrets with the correct type to match the kind of sensitive data you store.
  • Use kubectl apply to create secrets from YAML files and kubectl get/describe to verify them.
  • Base64 encode all secret data values before adding them to the secret manifest.