This is the first of a series of blogs about Kubernetes Fundamentals, providing a quick step-by-step guide for each management scenario that is relevant when maintaining K8s workloads.

Pre-requisites

It is assumed that the reader has set up their .KUBE config file in addition to having the following tools available in their machine:

• openssl
• kubectl

Let's dive in to the steps!

Creating the Private Key and Certificate Files

• Create a private key file using an encryption of your choice

openssl genrsa -aes256 -out privatekey.pem 4096 

• Now, create a certificate signing request (csr) from the key

openssl req -new -sha256 -key privatekey.pem -out certreq.csr

• Then get a trusted certificate authority (CA) to sign your certificate. Download the generated crt tls.crt and key file. To get the unencrypted privatekey, decrypt it. You can use openssl to do this.

openssl rsa -in privatekey.pem -out tls.key

• By this time you would have the two files

$ls tls*
tls.crt tls.key

• Now, create the secret in the namespace that you need it for, replacing secretname and namespace with the proper values respectively

kubectl create secret tls <secretname> --cert=tls.crt --key=tls.key -n <namespace>

• You should have a secret created in the namespace

kubectl get secrets -n <namespace>
kubectl get secret <secretname> -n <namespace>

• The secret will have 2 values for tls.crt and tls.key. You can decode this using base64 to view the value.

echo <tls.crt value>|base64 --decode
echo <tls.key value>|base64 --decode

Adding the TLS secret to the Deployment

• First, get the deployment name that you need to edit. Then open the file for editing.

kubectl get deployments -n <namespace>
kubectl edit deployment <deployment_name> -n <namespace>

• In the volumes section, add an item for the secret

      volumes:
      - name: <secretname_used_for_deployment>
        secret:
          defaultMode: 420
          secretName: <secretname_in_secrets>

• In the volumeMounts section, add the mount path where the certs will be stored

        volumeMounts:
        - mountPath: /etc/ssl/certs
          name: <secretname_used_for_deployment>
          readOnly: true

• Once done, you can quickly verify if the certificate is present in the path you provided.

kubectl get pods -n <namespace>
kubectl exec -it <gateway_pod_name> -- ls /etc/ssl/certs

Depending on the configuration of the deployment, you can point it to pick up the certificate from the path of the certificate and private key paths.

...and that's it!

Let me know if there are any quick bites requests you want me to publish next!