When working with Kubernetes secrets, you may need to export them in a format that can be version controlled or transferred between clusters. This guide will show you how to export Kubernetes secrets as JSON while preserving important metadata like labels and annotations.

The Basic Approach

The fundamental command to export a secret in JSON format is straightforward:

kubectl get secret <secret-name> -o json

However, this raw output includes cluster-specific information that you typically don’t want to include when exporting secrets for reuse. Let’s look at how to clean this up.

Cleaning Up Cluster-Specific Information

To create a clean export that removes cluster-specific metadata, we can use jq to process the JSON output. Here’s the recommended approach:

kubectl get secret <secret-name> -o json | \
jq 'del(.metadata.creationTimestamp,.metadata.resourceVersion,.metadata.selfLink,.metadata.uid,.metadata.namespace,.metadata.ownerReferences)'

This command removes the following fields:

  • creationTimestamp: When the secret was created in the source cluster
  • resourceVersion: The internal version number used by Kubernetes
  • selfLink: The API URL for this resource
  • uid: The unique identifier in the source cluster
  • namespace: The namespace in the source cluster
  • ownerReferences: References to parent resources

Working with Multiple Secrets

If you need to export all secrets from a namespace, you can modify the command slightly:

kubectl get secrets -o json | \
jq '.items[] | del(.metadata.creationTimestamp,.metadata.resourceVersion,.metadata.selfLink,.metadata.uid,.metadata.namespace,.metadata.ownerReferences)'

Example Output

Here’s what a cleaned export might look like:

{
  "apiVersion": "v1",
  "kind": "Secret",
  "metadata": {
    "labels": {
      "app": "myapp",
      "environment": "production"
    },
    "annotations": {
      "kubernetes.io/description": "Application credentials"
    },
    "name": "mysecret"
  },
  "type": "Opaque",
  "data": {
    "username": "YWRtaW4=",
    "password": "MWYyZDFlMmU2N2Rm"
  }
}

Best Practices

When working with exported secrets, keep these tips in mind:

  1. Always verify the exported secret contains all necessary metadata (labels and annotations) before using it in a new environment
  2. Consider using tools like SOPS or sealed-secrets for encrypting secrets before storing them in version control
  3. Document any environment-specific values that might need to be modified when importing the secret into a new cluster
  4. Use meaningful labels and annotations to make secrets self-documenting

Conclusion

Exporting Kubernetes secrets as JSON is a common task in cluster management and application deployment. By following this guide, you can ensure your exported secrets are clean, portable, and ready for use in other environments while maintaining important metadata like labels and annotations.