flux create secret git
flux create secret git
Create or update a Kubernetes secret for Git authentication
Synopsis
The create secret git command generates a Kubernetes secret with Git credentials. For Git over SSH, the host and SSH keys are automatically generated and stored in the secret. For Git over HTTP/S, the provided basic authentication credentials or bearer authentication token are stored in the secret.
flux create secret git [name] [flags]
Examples
# Create a Git SSH authentication secret using an ECDSA P-521 curve public key
flux create secret git podinfo-auth \
--url=ssh://git@github.com/stefanprodan/podinfo \
--ssh-key-algorithm=ecdsa \
--ssh-ecdsa-curve=p521
# Create a Git SSH authentication secret with a passwordless private key from file
# The public SSH host key will still be gathered from the host
flux create secret git podinfo-auth \
--url=ssh://git@github.com/stefanprodan/podinfo \
--private-key-file=./private.key
# Create a Git SSH authentication secret with a passworded private key from file
# The public SSH host key will still be gathered from the host
flux create secret git podinfo-auth \
--url=ssh://git@github.com/stefanprodan/podinfo \
--private-key-file=./private.key \
--password=<password>
# Create a secret for a Git repository using basic authentication
flux create secret git podinfo-auth \
--url=https://github.com/stefanprodan/podinfo \
--username=username \
--password=password
# Create a Git SSH secret on disk
flux create secret git podinfo-auth \
--url=ssh://git@github.com/stefanprodan/podinfo \
--export > podinfo-auth.yaml
# Print the deploy key
yq eval '.stringData."identity.pub"' podinfo-auth.yaml
# Encrypt the secret on disk with Mozilla SOPS
sops --encrypt --encrypted-regex '^(data|stringData)$' \
--in-place podinfo-auth.yaml
Options
--bearer-token string bearer authentication token
--ca-crt-file string path to TLS CA certificate file used for validating self-signed certificates
-h, --help help for git
-p, --password string basic authentication password
--private-key-file string path to a passwordless private key file used for authenticating to the Git SSH server
--ssh-ecdsa-curve ecdsaCurve SSH ECDSA public key curve (p256, p384, p521) (default p384)
--ssh-key-algorithm publicKeyAlgorithm SSH public key algorithm (rsa, ecdsa, ed25519) (default ecdsa)
--ssh-rsa-bits rsaKeyBits SSH RSA public key bit size (multiplies of 8, min 1024) (default 2048)
--url string git address, e.g. ssh://git@host/org/repository
-u, --username string basic authentication username
Options inherited from parent commands
--as string Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
--as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
--as-uid string UID to impersonate for the operation.
--cache-dir string Default cache directory (default "/opt/buildhome/.kube/cache")
--certificate-authority string Path to a cert file for the certificate authority to authenticate the Kubernetes API server
--client-certificate string Path to a client certificate file for TLS authentication to the Kubernetes API server
--client-key string Path to a client key file for TLS authentication to the Kubernetes API server
--cluster string The name of the kubeconfig cluster to use
--context string The name of the kubeconfig context to use
--disable-compression If true, opt-out of response compression for all requests to the server
--export export in YAML format to stdout
--insecure-skip-tls-verify If true, the Kubernetes API server's certificate will not be checked for validity. This will make your HTTPS connections insecure
--interval duration source sync interval (default 1m0s)
--kube-api-burst int The maximum burst queries-per-second of requests sent to the Kubernetes API. (default 300)
--kube-api-qps float32 The maximum queries-per-second of requests sent to the Kubernetes API. (default 50)
--kubeconfig string Path to the kubeconfig file to use for CLI requests.
--label strings set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)
-n, --namespace string If present, the namespace scope for this CLI request (default "flux-system")
--server string The address and port of the Kubernetes API server
--timeout duration timeout for this operation (default 5m0s)
--tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
--token string Bearer token for authentication to the API server
--user string The name of the kubeconfig user to use
--verbose print generated objects
SEE ALSO
- flux create secret - Create or update Kubernetes secrets