converting openSSL x509 into Kubernetes secrets

Serving an application in Kubernetes via https requires an openssl key and secret, so you can prove that the application can be trusted and the trafiic through the internet can be encrypted. That has been the way since https was created and never changed.
You either have a certificate and key from a trusted certificate authority (ca) or create your own.
Web browsers usually do not recognize self-created certificates, so you should choose a trusted ca. Usually they cost money and provide a pretty simple way of creating private keys and certificates. One exception is Let's encrypt, which comes for free, but also has it's own way of creating those keys and certs directly from your web server directly.
If you have a bunch of applications talking directly to each other like I do in my private cloud, you can pretty much create your own CA and manage certs from there, because the web browser is not in the way. As long as the certificates are valid within the CA chain, all is good and your traffic is encrypted. Plus, the traffic cannot be decrypted by 'bad boys' if you set up your CA properly hidden in the cloud. I did write a puppet module for that and am using it myself, it works great.

However, Kubernetes does not recognize x509 certificates per se, you will have to convert it into a tls secret. Not to worry though, there are only few steps to run through to get this finished.

1. Create your certificate.
How this is done is explained a gazillion times in the internet and depends also on your type of CA.

2. Convert your key and certificate into a secret
Once you have your key and certificate locally available, run the following command:

$ kubectl create secret tls tls-secret-<secret-name> --key <key-name>.key --cert <certificate-name>.crt

Replace the variables in <*-name> with your own values. like tls-secret-example.net. The secret does not have to be called tls-secret-<secret-name> either, it can be anything. I just find it helpful when you browse your environment with possibly hundreds or thousands of names to recognize what it is.

This creates the secret, but usually you want to use that secret in your kubernetes manifest defining your application, so you need the encrypted secret spelled out.
To get this, run the following command:

$ kubectl get secrets/tls-secret-<secret-name> -o yaml

This will give you some output like

apiVersion: v1
data:
    tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS
    tls.key: LS0tLS1CRUdJTiBQUklWQVRFIE

Only much longer. That set you can use in your manifests.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Leave a Reply Cancel reply