Securely Store TLS Certificates as Kubernetes Secrets

Published: August 13, 2020 by Shane Rainville | Reading time: 1 minute
Learn how to securely store your application's TLS certificate key-pairs in Kubernetes using secrets

Certificates provide a means of securing communication on the Internet.

To store a TLS certificate in Kubernetes, a public/private key pair must exist. The public key certificate must be PEM-encoded and match the given private key.

Creating a TLS Secret

The kubectl CLI provides a command to easily store TLS certificate key-pairs in Kubernetes as secrets.

kubectl create secret tls <SECRET-NAME> --cert=<PATH/TO/CERT/FILE> --key=<PATH/TO/KEY/FILE>

For example, to create a secret named webapp-tls-production in Kubernetes with a public/private key pair, you would execute the following command.

kubectl create secret tls webapp-tls-production --cert=webapp.pem --key=webapp.key

Dry Run

The kubectl command provides a way to perform a dry run of the kubectl create secret command by adding the --dry-run=client flag. Use this as a way to verify your secret is created correctly and minimize errors.

kubectl create secret tls webapp-tls-production --cert=webapp.pem --key=webapp.key --dry-run=client

Manifest File

Manifest files can also be used to create TLS secrets in Kubernetes.

In order to correctly store TLS key-pairs in Kubernetes as a secret, you must do the following in your manifest file:

  • Set type to kubernetes.io/tls
  • Base64 encode contents of your key-pair files, and add them as data keys: tls.crt and tls.key

apiVersion: v1
kind: Secret
metadata:
  name: webapp-tls-production
type: kubernetes.io/tls
data:
  tls.crt: --BASE64 ENCODED STRING--
  tls.key: --BASE64 ENCODED STRING--
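
An added example (not from the original article): a bash helper that confirms the certificate and private key match, as required above, and then renders the manifest with base64-encoded tls.crt and tls.key. The function names and the script name in the comments are hypothetical, and it assumes openssl and base64 are installed.

```bash
#!/usr/bin/env bash
# Added example: check that a cert/key pair matches, then render the
# kubernetes.io/tls manifest. Function names are hypothetical.

# Succeeds only when the certificate and the private key share a public key.
# "-passin pass:" keeps openssl from prompting, so an encrypted key fails
# here instead of hanging the script.
tls_pair_matches() {
  local cert="$1" key="$2" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Base64 on a single line (GNU base64 wraps its output by default).
b64() { base64 < "$1" | tr -d '\n'; }

# Print the Secret manifest to stdout; refuse to emit one for a bad pair.
render_tls_secret() {
  local name="$1" cert="$2" key="$3"
  if ! tls_pair_matches "$cert" "$key"; then
    echo "error: $cert and $key are not a matching, unencrypted PEM pair" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/tls
data:
  tls.crt: $(b64 "$cert")
  tls.key: $(b64 "$key")
EOF
}

# Runs only when called with three arguments, for example:
#   ./tls-secret.sh webapp-tls-production webapp.pem webapp.key | kubectl apply -f -
# Piping to kubectl keeps the encoded private key out of a file on disk.
if [ "$#" -eq 3 ]; then render_tls_secret "$@"; fi
```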

Last updated on August 17, 2020 by Shane Rainville: Fix typos and grammar 591191981f7cc28a26f41f02745ecc0ba7650649

Blogger, Developer, pipeline builder, cloud engineer, and DevSecOps specialist. I have been working in the cloud for over a decade and running containerized workloads since 2012, with gigs at small startups to large financial enterprises.
