How can I update a secret on Kubernetes when it is generated from a file?

This should work:

kubectl create secret generic production-tls \    --save-config --dry-run=client \    --from-file=./tls.key --from-file=./tls.crt \    -o yaml |   kubectl apply -f -

You can delete and immediately recreate the secret:

kubectl delete secret production-tls --ignore-not-foundkubectl create secret generic production-tls --from-file=./tls.key --from-file=./tls.crt

I put these commands in a script. The --ignore-not-found prevents getting a warning on the first run.

Alternatively, you can also use jq's = or |= operator to update secrets on the fly.

TLS_KEY=$(base64 < "./tls.key" | tr -d '\n')TLS_CRT=$(base64 < "./tls.crt" | tr -d '\n')kubectl get secrets production-tls -o json \        | jq '.data["tls.key"] |= "$TLS_KEY"' \        | jq '.data["tls.crt"] |= "$TLS_CRT"' \        | kubectl apply -f -

Although it might not be as elegant or simple as the kubectl create secret generic --dry-run approach, technically, this approach is truly updating values rather than deleting/recreating them. You'll also need jq and base64 (or openssl enc -base64) commands available, tr is a commonly-available Linux utility for trimming trailing newlines.

See here for more details about jq update operator |=.