Most common forms:

From literal key-value pairs:

kubectl create secret generic db-creds \
  --from-literal=username=admin \
  --from-literal=password='s3cr3t'

From files:

kubectl create secret generic tls-config \
  --from-file=./cert.pem \
  --from-file=./key.pem

From an env file:

kubectl create secret generic app-env \
  --from-env-file=.env

For a TLS secret specifically (handy with EKS/ArgoCD cert chains):

kubectl create secret tls my-tls \
  --cert=tls.crt --key=tls.key

Add -n <namespace> to target a namespace, and --dry-run=client -o yaml if you want to render the manifest for GitOps instead of applying it directly:

kubectl create secret generic db-creds \
  --from-literal=password='s3cr3t' \
  --dry-run=client -o yaml