
I have a cronjob deployed. I need to update a parameter -- rotate an AES key -- contained in the secret. The secret is sops encrypted.

Is it possible to update the AES key without redeploying the job?

What I have tried:

"kubectl edit secret jobsecret" -- edits the sops encrypted file but it is still encrypted
"helm edit secrets jobsecret.yaml" -- edits/encrypts the parameter file before deploy

My next thought is to create a file, then encrypt it with sops and copy/paste the result into the editor for "kubectl edit secret jobsecret". I was hoping that there was a better way.

I am a developer, not a k8s admin. But, not by choice. Filling in until we can remedy the "no k8s admin" issue.

jim
  • Assuming that your aes_key is stored in `secret` in a `key`:`value` (value=aes_key) fashion, you could try to use `$ kubectl patch secret YOUR_SECRET -p '{"data":{"aes_key":"NEW_BASE64_ENCODED_VALUE"}}'`. Have you tried this way? Could you show the `YAML` definition of your `Job` and your `Secret`? Also please take a look at the official documentation about `Secret`s that are mounted as `Volumes` (they are updated automatically): https://kubernetes.io/docs/concepts/configuration/secret/#mounted-secrets-are-updated-automatically – Dawid Kruk Dec 09 '20 at 16:45
  • PERFECT!! Thank you! "kubectl patch secret" is the answer. I really appreciate it. There was no arrow to upvote your comment. If you want to put it in as an answer, I will be glad to mark it as the answer. – jim Dec 10 '20 at 17:46


TL;DR

You can use $ kubectl patch to update fields of resources.

Example:

kubectl patch secret YOUR_SECRET -p '{"data":{"key":"NEW_BASE64_ENCODED_VALUE"}}'

You can find more reference here:

I've included more explanation below.

Example of "patching" a secret:

secret.yaml:
apiVersion: v1
kind: Secret
metadata:
  name: super-secret
data:
  username: a3J1aw==
  password: b2xkLXBhc3N3b3Jk

A side note!

Values of keys like username and password are base64 encoded!

To change the value of password you will need to run:

$ kubectl patch secret super-secret -p '{"data":{"password":"bmV3LXBhc3N3b3Jk"}}'

Displaying the newly updated secret should show (the output is only partial):

$ kubectl get secret super-secret -o yaml
data:
  password: bmV3LXBhc3N3b3Jk
  username: a3J1aw==

I highly encourage you to check the additional reference:

Dawid Kruk
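A small script that rotates one key of a live Secret with `kubectl patch`, as the answer describes, and adds the two steps a practitioner wants around it: generating the new key and reading the stored value back to confirm the patch took. This is an added example, not code from the question or the answer; it assumes a Secret named jobsecret with a key aes_key (hypothetical names taken from the question) and lets KUBECTL be overridden so the patch-building step can be exercised without a cluster.

```shell
#!/bin/sh
# Added example (not from the original post): rotate one .data key of an
# existing Kubernetes Secret in place with `kubectl patch`.
# Assumptions: Secret "jobsecret" with key "aes_key" (hypothetical names);
# KUBECTL may point at a stub so the script can be tried without a cluster.
set -eu

# Base64-encode stdin onto a single line. GNU and BSD base64 differ in
# line wrapping, so strip newlines instead of relying on -w0.
b64() { base64 | tr -d '\n'; }

# Build the strategic-merge patch body for one key, as in the answer:
#   {"data":{"KEY":"BASE64(VALUE)"}}
# Usage: build_secret_patch KEY PLAINTEXT_VALUE
build_secret_patch() {
  key=$1
  encoded=$(printf '%s' "$2" | b64)
  printf '{"data":{"%s":"%s"}}' "$key" "$encoded"
}

# Generate a fresh 256-bit AES key as 64 hex characters, so it is safe to
# carry as a plain string value and the job can hex-decode it.
new_aes_key_hex() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Patch the Secret, then read the key back and compare with what was sent.
# Usage: rotate_secret_key SECRET_NAME KEY PLAINTEXT_VALUE
rotate_secret_key() {
  secret=$1; key=$2; value=$3
  "${KUBECTL:-kubectl}" patch secret "$secret" -p "$(build_secret_patch "$key" "$value")"
  stored=$("${KUBECTL:-kubectl}" get secret "$secret" -o "jsonpath={.data.$key}" | base64 -d)
  if [ "$stored" != "$value" ]; then
    echo "read-back mismatch for $secret/$key" >&2
    return 1
  fi
}

# Run the rotation only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--rotate" ]; then
  rotate_secret_key "${SECRET_NAME:-jobsecret}" "${SECRET_KEY:-aes_key}" "$(new_aes_key_hex)"
fi
```

The patch changes only the live object: the sops-encrypted values file that `helm secrets` encrypts before deploy still holds the old key, so update it as well or the next deploy reverts the rotation.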