Serving an application in Kubernetes via https requires an openssl key and secret, so you can prove that the application can be trusted and the trafiic through the internet can be encrypted. That has been the way since https was created and never changed.
You either have a certificate and key from a trusted certificate authority (ca) or create your own.
Web browsers usually do not recognize self-created certificates, so you should choose a trusted ca. Usually they cost money and provide a pretty simple way of creating private keys and certificates. One exception is Let’s encrypt, which comes for free, but also has it’s own way of creating those keys and certs directly from your web server directly.
If you have a bunch of applications talking directly to each other like I do in my private cloud, you can pretty much create your own CA and manage certs from there, because the web browser is not in the way. As long as the certificates are valid within the CA chain, all is good and your traffic is encrypted. Plus, the traffic cannot be decrypted by ‘bad boys’ if you set up your CA properly hidden in the cloud. I did write a puppet module for that and am using it myself, it works great.
However, Kubernetes does not recognize x509 certificates per se, you will have to convert it into a tls secret. Not to worry though, there are only few steps to run through to get this finished.
1. Create your certificate.
How this is done is explained a gazillion times in the internet and depends also on your type of CA.
2. Convert your key and certificate into a secret
Once you have your key and certificate locally available, run the following command:
$ kubectl create secret tls tls-secret-<secret-name> --key <key-name>.key --cert <certificate-name>.crtReplace the variables in <*-name> with your own values. like tls-secret-example.net. The secret does not have to be called tls-secret-<secret-name> either, it can be anything. I just find it helpful when you browse your environment with possibly hundreds or thousands of names to recognize what it is.
This creates the secret, but usually you want to use that secret in your kubernetes manifest defining your application, so you need the encrypted secret spelled out.
To get this, run the following command:
$ kubectl get secrets/tls-secret-<secret-name> -o yaml This will give you some output like
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIE
Only much longer. That set you can use in your manifests.
Author Profile
Latest entries
blog18.04.2026ConfDroid Puppet Modules – java- blog18.04.2026ConfDroid Puppet Modules – SSH
- blog11.04.2026ConfDroid Puppet Modules – Selinux
- blog07.04.2026ConfDroid Puppet Modules – Automatic
