DEV Community

Kaye Alvarado for Developers @ Asurion


K8s QuickBites: Creating Secure TLS Certificates for Kubernetes Deployments

This is the first of a series of blogs about Kubernetes Fundamentals, providing a quick step-by-step guide for each management scenario that is relevant when maintaining K8s workloads.


A Kubernetes application can be secured by adding an SSL/TLS certificate to the deployment configuration. This quick bite shows how to do this manually.

Pre-requisites

It is assumed that the reader has set up their kube config file and has the following tools available on their machine:

  • openssl
  • kubectl

Let's dive in to the steps!

Creating the Private Key and Certificate Files

  • Create a private key file, encrypted with a cipher of your choice (AES-256 here); openssl will prompt for a passphrase:
    openssl genrsa -aes256 -out privatekey.pem 4096
  • Now, create a certificate signing request (CSR) from the key. A series of questions will follow this command, prompting for details of the certificate such as country, state, city, domain name, etc.
    openssl req -new -sha256 -key privatekey.pem -out certreq.csr
  • Then get a trusted certificate authority (CA) to sign your certificate. Optionally, you can also make the certificate self-signed. Download the generated certificate as tls.crt. To get the unencrypted private key (the form the secret needs), decrypt it; you can use openssl to do this.
    # for CA-signed: tls.crt comes from the CA, so only the key needs decrypting
    openssl rsa -in privatekey.pem -out tls.key
    # for self-signed: issue a 365-day certificate from the same key (then decrypt the key as above)
    openssl req -x509 -new -nodes -days 365 -key privatekey.pem -out tls.crt -subj "/CN=domain.com"
  • Rename the decrypted private key to tls.key. By this time you would have the two files needed for the K8s deployment:
    $ ls tls*
    tls.crt tls.key
  • Now, create the secret in the namespace that you need it for, replacing secretname and namespace with the proper values respectively:
    kubectl create secret tls <secretname> --cert=tls.crt --key=tls.key -n <namespace>
  • A secret will be created in the namespace you specified. You can verify this with the commands below:
    kubectl get secrets -n <namespace>
    kubectl get secret <secretname> -n <namespace>
  • The secret stores tls.crt and tls.key base64-encoded. You can decode them with base64 to view the values:
    kubectl get secret <secretname> -n <namespace> -o jsonpath='{.data.tls\.crt}' | base64 --decode
    kubectl get secret <secretname> -n <namespace> -o jsonpath='{.data.tls\.key}' | base64 --decode
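The key, CSR, certificate and secret steps above, as one non-interactive script. This is an added example, not code from the original post: it assumes OpenSSL 1.1.1 or newer (for -addext) and a base64 that accepts --decode, and the domain example.test and the passphrase are constructed sample values. Beyond the post's commands it adds a subjectAltName (modern clients ignore a bare CN), checks that the key really matches the certificate and is no longer passphrase-protected before anything is sent to the cluster, and renders the same kubernetes.io/tls Secret that kubectl create secret tls would build, which is also what the base64 decoding step above reads back.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the key, CSR and certificate steps
# run non-interactively, followed by the checks worth doing before the files
# go into a Secret. Assumes OpenSSL 1.1.1+ (for -addext) and base64 --decode.
# example.test and the passphrase below are constructed sample values.
set -eu

# Build privatekey.pem, certreq.csr, tls.crt and tls.key for DOMAIN inside DIR.
make_tls_pair() {
  local dir=$1 domain=${2:-example.test} pass=${3:-constructed-passphrase} bits=${4:-4096}
  mkdir -p "$dir"
  # 1. private key, passphrase-protected at rest (the post's genrsa step)
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/privatekey.pem" "$bits"
  # 2. CSR for a CA to sign; -subj replaces the interactive questions and
  #    -addext adds a SAN, which browsers and Go clients require (a bare CN is ignored)
  openssl req -new -sha256 -key "$dir/privatekey.pem" -passin "pass:$pass" \
    -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" -out "$dir/certreq.csr"
  # 3. self-signed alternative: a 365-day certificate from the same key, same SAN
  openssl req -x509 -new -sha256 -days 365 -key "$dir/privatekey.pem" -passin "pass:$pass" \
    -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" -out "$dir/tls.crt"
  # 4. strip the passphrase: a kubernetes.io/tls Secret needs the unencrypted key
  openssl rsa -in "$dir/privatekey.pem" -passin "pass:$pass" -out "$dir/tls.key"
  chmod 0600 "$dir/tls.key"
}

# Return 0 only if tls.key matches tls.crt, the key is unencrypted, DOMAIN is
# present as a SAN, and the certificate does not expire within 30 days.
verify_tls_pair() {
  local dir=$1 domain=$2 crt_pub key_pub
  crt_pub=$(openssl x509 -in "$dir/tls.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/tls.key" -pubout)
  [ "$crt_pub" = "$key_pub" ] || { echo "tls.key does not match tls.crt" >&2; return 1; }
  if grep -q ENCRYPTED "$dir/tls.key"; then
    echo "tls.key is still passphrase-protected" >&2; return 1
  fi
  openssl x509 -in "$dir/tls.crt" -noout -text | grep -q "DNS:$domain" \
    || { echo "certificate has no SAN for $domain" >&2; return 1; }
  openssl x509 -in "$dir/tls.crt" -noout -checkend 2592000 >/dev/null \
    || { echo "certificate expires within 30 days" >&2; return 1; }
}

# Render the Secret that `kubectl create secret tls NAME --cert --key` creates,
# for review or a GitOps repository; both values are base64 on a single line.
render_tls_secret() {
  local name=$1 ns=$2 dir=$3
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$dir/tls.crt" | tr -d '\n')
  tls.key: $(base64 < "$dir/tls.key" | tr -d '\n')
EOF
}

# Usage: make_tls_pair ./out domain.com 'passphrase' && verify_tls_pair ./out domain.com
#        render_tls_secret <secretname> <namespace> ./out | kubectl apply -f -
```

verify_tls_pair compares the public key extracted from the certificate with the one derived from the private key, which is the check that catches a key and certificate from different generations before the Secret is created; a mismatch is otherwise only visible as a TLS handshake failure in the pod.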

Adding the TLS secret to the Deployment
The second part covers updating the K8s deployment to mount the certificate files and pointing the application's configuration at them as its certificate.

  • First, get the deployment name that you need to edit. Then open the deployment for editing:
    kubectl get deployments -n <namespace>
    kubectl edit deployment <deployment_name> -n <namespace>
  • In the volumes section (under spec.template.spec), add an item for the secret:
      volumes:
      - name: <secretname_used_for_deployment>
        secret:
          defaultMode: 420   # decimal 420 = octal 0644 file permissions
          secretName: <secretname_in_secrets>
  • In the volumeMounts section of the container, add the mount path where the certs will be stored:
        volumeMounts:
        - mountPath: /etc/ssl/certs
          name: <secretname_used_for_deployment>
          readOnly: true
  • Once done, you can quickly verify that the certificate is present in the path you provided:
    kubectl get pods -n <namespace>
    kubectl exec -it <gateway_pod_name> -n <namespace> -- ls /etc/ssl/certs

Depending on the configuration of the deployment, point the application at the certificate and private key paths; with the mount above, the secret's keys appear as the files /etc/ssl/certs/tls.crt and /etc/ssl/certs/tls.key. Applications may expect different directories, so replace /etc/ssl/certs where applicable.
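The same deployment change as a scripted patch rather than an interactive kubectl edit, followed by the in-pod check. This is an added example, not code from the original post: the container name, the volume name tls, the /etc/tls mount path and the presence of openssl inside the image are assumptions. It deliberately departs from the edit above in two places, explained in the comments: it mounts under /etc/tls instead of /etc/ssl/certs, because a volume mounted on /etc/ssl/certs hides the image's CA bundle in that directory and can break the application's own outbound TLS verification, and it uses defaultMode 288 (0440) instead of 420 (0644) so the private key is not world-readable inside the container.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: attach the TLS Secret to a
# Deployment with `kubectl patch` instead of `kubectl edit`, so the change is
# scripted and reviewable, then inspect the mounted files from a running pod.
# The container name, the volume name "tls", the /etc/tls mount path and the
# presence of openssl in the image are assumptions.
set -eu

# Emit a strategic merge patch adding the Secret volume and its read-only mount.
# Two deliberate departures from the kubectl edit shown in the post:
#  * mountPath /etc/tls, not /etc/ssl/certs: a volume mounted on /etc/ssl/certs
#    hides the image's CA bundle in that directory, so the app's own outbound
#    TLS connections can stop verifying.
#  * defaultMode 288 (octal 0440) instead of 420 (0644), so tls.key is not
#    world-readable inside the container; pair it with pod
#    securityContext.fsGroup when the container runs as a non-root user, so
#    that user is in the files' group.
tls_mount_patch() {
  local secret=$1 container=$2 mount=${3:-/etc/tls}
  cat <<EOF
{"spec": {"template": {"spec": {
  "volumes": [{"name": "tls", "secret": {"secretName": "$secret", "defaultMode": 288}}],
  "containers": [{"name": "$container",
    "volumeMounts": [{"name": "tls", "mountPath": "$mount", "readOnly": true}]}]
}}}}
EOF
}

# Apply the patch and wait for the new pods; strategic merge matches the
# container by name, so existing volumes and mounts on the Deployment are kept.
attach_tls() {
  local deploy=$1 ns=$2 secret=$3 container=$4
  kubectl patch deployment "$deploy" -n "$ns" -p "$(tls_mount_patch "$secret" "$container")"
  kubectl rollout status deployment "$deploy" -n "$ns" --timeout=120s
}

# Show what the application sees: the Secret's keys become the files tls.crt
# and tls.key, and the certificate's subject and expiry are read inside the pod.
verify_mount() {
  local pod=$1 ns=$2 mount=${3:-/etc/tls}
  kubectl exec -n "$ns" "$pod" -- ls -l "$mount/"
  kubectl exec -n "$ns" "$pod" -- openssl x509 -in "$mount/tls.crt" -noout -subject -enddate
}

# Usage: attach_tls <deployment_name> <namespace> <secretname> <container_name>
#        verify_mount <pod_name> <namespace>
```

Reading the certificate dates from inside the pod, rather than from the local tls.crt, confirms that the Secret actually rolled out to the running container; a stale ReplicaSet or a typo in secretName shows up here as a missing file or an old expiry.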

...and that's it!


Let me know if there are any quick bites requests you want me to publish next!
