Secrets in Kubernetes

Learn how to set up Spinnaker secrets in a Kubernetes secret.

Note: Storing Spinnaker secrets in a Kubernetes secret is only supported if you’re using the Operator to deploy and manage Spinnaker. Additionally, you cannot encrypt configuration secrets for the UI (Deck) using the Kubernetes secret engine.

Creating a Kubernetes secret for Spinnaker to use

This example uses a Kubernetes secret to store GitHub credentials and a kubeconfig file.

SpinnakerTM can read secrets only within its own namespace. It cannot access Kubernetes secrets stored in a different namespace. In this document, assume that Spinnaker lives in the namespace spinnaker.

You can store files as well as individual text values in Kubernetes secrets to be referenced by Spinnaker. To create the secret you can use this command, assuming you have a file named kubeconfig-prod where you are running the command:

kubectl -n spinnaker create secret generic spin-secrets \
    --from-file=kubeconfig-prod \

The command will create a secret named spin-secrets in the spinnaker namespace, having two keys: one is a kubeconfig file with key kubeconfig-prod , and the other is a text value for a GitHub token with key github-token.

Kustomize also has a secret generator, so you can automatically deploy secrets using Kustomize along with the SpinnakerService manifest. This is a kustomization.yml file that creates the same secret as above:

kind: Kustomization

  - name: spin-secrets
      - kubeconfig-prod
      - github-token=aaaaaabbbbbbbbccccccccc

For more information on how to create secrets in Kubernetes refer to the official Kubernetes docs or the Kustomize docs.

Referencing secrets

You reference secret values in your config with the following format:

encrypted:k8s!n:<secret name>!k:<secret key>

Similarly you can reference secret files:

encryptedFile:k8s!n:<secret name>!k:<secret key>

For example, to reference the GitHub token:


And to reference the content of our kubeconfig file:


Last modified December 9, 2022: (77a2e500)