From 6e29638724e0dbff4b46015fec35d0ec30902152 Mon Sep 17 00:00:00 2001 From: Sebastian Melchior Date: Thu, 13 Jul 2017 13:09:08 +0200 Subject: [PATCH] improve documentation for secrets --- docs/secrets.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/secrets.md b/docs/secrets.md index d526d5b9fa010..870cdc8a295f1 100644 --- a/docs/secrets.md +++ b/docs/secrets.md @@ -10,7 +10,7 @@ `kops describe secret` -### create secret +### create secret `kops create secret sshpublickey admin -i ~/.ssh/id_rsa.pub` @@ -24,6 +24,7 @@ The ID form can be used when there are multiple matching keys. example: `kops delete secret sshpublickey admin` +Note: it is currently not possible to delete secrets from the keystore that have the type "Secret" ### adding ssh credential from spec file ```bash @@ -35,3 +36,12 @@ metadata: spec: publicKey: "ssh-rsa AAAAB3NzaC1 dev@devbox" ``` + +## Workaround for changing secrets with type "Secret" +As it is currently not possible to modify or delete + create secrets of type "Secret" with the CLI you have to modify them directly in the kops s3 bucket. + +They are stored /clustername/secrets/ and contain the secret as a base64 encoded string. To change the secret base64 encode it with: + +```echo -n 'MY_SECRET' | base64``` + +and replace it in the "Data" field of the file. Verifiy your change with get secrets and perform a rolling update of the cluster.
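Review bot: In the second hunk, the added "Note: it is currently not possible to delete secrets ..." line sits directly above the `### adding ssh credential from spec file` heading with no blank line between them, and the sentence has no closing period. Add a blank line after the note, end the sentence, and point it at the "Workaround for changing secrets with type "Secret"" section added at the end of the file, so a reader who hits the limitation here knows where to go next.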
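Review bot: In the workaround section of the last hunk, `echo -n 'MY_SECRET' | base64` has the reader type the secret as a literal on the command line, where it ends up in shell history; please document a form that reads the value from a file or from stdin instead. The command is also written as a one-line triple-backtick span; a fenced `bash` block on its own lines, like the spec-file example earlier in the file, would match the rest of the document. Since the text says the files contain the secret "as a base64 encoded string", add a sentence that base64 is an encoding and not encryption, so access control on the bucket is what protects these values. Smaller points: "They are stored /clustername/secrets/" is missing "under", "Verifiy" should be "Verify", "get secrets" should be the full kops command in backticks, there is no blank line after the new heading, and the heading uses `##` where the other headings visible in this patch use `###`; is a top-level section intended?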