This is the first of a series of blogs about Kubernetes Fundamentals, providing a quick step-by-step guide for each management scenario that is relevant when maintaining K8s workloads.
A Kubernetes application can be secured with TLS by adding an SSL/TLS certificate and its private key to the deployment configuration as a Secret. This quick bite shows how to do this manually.
Pre-requisites
It is assumed that the reader has set up their kube config file, in addition to having the following tools available on their machine:
- openssl
- kubectl
Let's dive in to the steps!
Creating the Private Key and Certificate Files
- Create a private key. The -aes256 flag encrypts the key file with a passphrase you will be prompted for, so the key is protected at rest on your workstation; any cipher supported by openssl can be used instead.
openssl genrsa -aes256 -out privatekey.pem 4096
- Now, create a certificate signing request (CSR) from the key. A series of questions will follow this command, prompting for details of the certificate such as country, state, city and domain name (the Common Name should be the host name the application will be reached at).
openssl req -new -sha256 -key privatekey.pem -out certreq.csr
- Then get a trusted certificate authority (CA) to sign the CSR and save the certificate it issues as tls.crt. Alternatively, for testing only, you can self-sign it with the command below; clients will not trust a self-signed certificate without extra configuration, and modern browsers also require a subjectAltName rather than just the CN.
#for self-signed
$ openssl req -x509 -new -nodes -days 365 -key privatekey.pem -out tls.crt -subj "/CN=domain.com"
- Kubernetes needs the private key unencrypted, so in both cases decrypt privatekey.pem into tls.key (you will be prompted for the passphrase). This writes the key in plaintext: keep the file mode restrictive and delete it once the Secret exists.
#for CA-signed and self-signed alike
openssl rsa -in privatekey.pem -out tls.key
- By this time you have the two files needed for the K8s deployment:
$ ls tls*
tls.crt tls.key
- Now, create the secret in the namespace that you need it for, replacing <secretname> and <namespace> with the proper values. kubectl creates a Secret of type kubernetes.io/tls and checks that the certificate and key belong together before creating it.
kubectl create secret tls <secretname> --cert=tls.crt --key=tls.key -n <namespace>
- A secret will be created in the namespace you specified. You can verify this with the commands below:
kubectl get secrets -n <namespace>
kubectl get secret <secretname> -n <namespace>
- The secret stores the two files under the keys tls.crt and tls.key. The values are base64-encoded, not encrypted: anyone who can read the Secret object (through RBAC, or through etcd if encryption at rest is not enabled) can recover the private key, so restrict access to it accordingly. You can pull a field out and decode it to confirm what was stored:
kubectl get secret <secretname> -n <namespace> -o jsonpath='{.data.tls\.crt}' | base64 --decode
kubectl get secret <secretname> -n <namespace> -o jsonpath='{.data.tls\.key}' | base64 --decode
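The steps above, put together as an added example (this is not code from the original post): it generates a test key pair with openssl, proves the key and certificate belong together, and renders the same kubernetes.io/tls Secret that kubectl create secret tls would create, without needing kubectl or a cluster. The host name example.internal, the Secret name my-tls and the namespace my-namespace are placeholders chosen for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: produce a test key pair
# with openssl, prove the key and certificate belong together, and render the
# same kubernetes.io/tls Secret that "kubectl create secret tls" would create,
# without needing kubectl or a cluster. Assumed placeholders: the host name
# example.internal, the Secret name my-tls and the namespace my-namespace.
set -eu

# make_tls_pair DIR CN [DAYS]: write DIR/tls.key and DIR/tls.crt.
# -nodes leaves the key unencrypted (what the Secret needs); the umask keeps
# the plaintext key at mode 0600 on disk. A subjectAltName is included because
# modern clients ignore the CN. RSA-2048 keeps the demo fast; use 4096 or an
# EC key for real deployments.
make_tls_pair() {
  mkdir -p "$1"
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "${3:-365}" \
      -keyout "$1/tls.key" -out "$1/tls.crt" \
      -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null )
}

# pair_matches KEY CRT: succeed only if the public key derived from KEY is
# the one embedded in CRT (the same check kubectl create secret tls performs).
pair_matches() {
  key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  crt_fp=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$key_fp" = "$crt_fp" ]
}

# tls_secret_manifest NAME NAMESPACE KEY CRT: print the Secret manifest.
# The data fields are only base64, so this file is as sensitive as tls.key.
# "openssl base64 -A" yields one line on every platform (GNU base64 -w0 and
# BSD base64 differ).
tls_secret_manifest() {
  if ! pair_matches "$3" "$4"; then
    echo "refusing to build Secret: $3 does not match $4" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/tls
data:
  tls.crt: $(openssl base64 -A -in "$4")
  tls.key: $(openssl base64 -A -in "$3")
EOF
}

# secret_field MANIFEST KEY: decode one data field back to PEM, which is the
# base64 --decode step from the post done against the file instead of a
# pasted value.
secret_field() {
  awk -v f="  $2: " 'index($0, f) == 1 { print substr($0, length(f) + 1) }' "$1" \
    | openssl base64 -d -A
}

# Demo run: build a throwaway pair and render the manifest you would
# "kubectl apply -f" instead of running "kubectl create secret tls".
demo_dir=$(mktemp -d)
make_tls_pair "$demo_dir" example.internal 365
demo_manifest="$demo_dir/secret.yaml"
tls_secret_manifest my-tls my-namespace "$demo_dir/tls.key" "$demo_dir/tls.crt" > "$demo_manifest"
secret_field "$demo_manifest" tls.crt | openssl x509 -noout -subject -dates
```

The manifest route is useful when the Secret is managed through a GitOps pipeline, but remember that the rendered file contains the private key and must be treated like tls.key itself (or handed to a sealing tool before it is committed anywhere).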
Adding the TLS secret to the Deployment
The second part is to update the K8s deployment so the certificate and key are mounted into the pod, then point the application's configuration at them.
- First, get the deployment name that you need to edit. Then open the file for editing.
kubectl get deployments -n <namespace>
kubectl edit deployment <deployment_name> -n <namespace>
- In the volumes section, add an item for the secret. defaultMode is shown in decimal by kubectl edit: 420 is 0644, which makes the key file readable by every user inside the pod. For a private key, 256 (0400) is the better choice, with fsGroup set in the pod's securityContext if the container runs as a non-root user.
volumes:
- name: <secretname_used_for_deployment>
secret:
defaultMode: 420
secretName: <secretname_in_secrets>
- In the volumeMounts section of the container, add the mount path where the files will appear (tls.crt and tls.key inside it). Be careful with the path: a volume mounted on a directory hides whatever the image had there, and /etc/ssl/certs is where most base images keep the system CA bundle, so mounting the secret there can break outbound TLS verification from the container. A dedicated directory such as /etc/tls avoids that.
volumeMounts:
- mountPath: /etc/ssl/certs
name: <secretname_used_for_deployment>
readOnly: true
- Once done, you can quickly verify that the files are present in the path you provided; you should see tls.crt and tls.key listed.
kubectl get pods -n <namespace>
kubectl exec -it <pod_name> -n <namespace> -- ls /etc/ssl/certs
Depending on the application, point its configuration at the certificate and private key paths (for example /etc/ssl/certs/tls.crt and /etc/ssl/certs/tls.key). Deployments may use different directories, so just replace /etc/ssl/certs where applicable. Note that when you rotate the certificate by updating the Secret, the kubelet refreshes the mounted files in the background, but a running process only picks them up if it re-reads them, so a reload or a rolling restart is usually still needed.
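As an added example (not code from the original post), here is a small script that generates the strategic-merge patch for the volume and volumeMount edits above and applies the two checks worth doing before running kubectl patch: the mount path must be absolute, and it must not sit on top of the image's CA bundle directory. The container name app, the Deployment name my-app and the Secret name my-tls are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the strategic-merge
# patch that adds the TLS Secret volume and its mount to a Deployment, with the
# two checks worth doing before "kubectl patch": the mount path must be
# absolute and must not sit on top of the image's CA bundle directory.
# Assumed placeholders: container "app", Deployment "my-app", Secret "my-tls".
set -eu

# Directories where common base images keep their trusted CA store. A volume
# mounted on any of these replaces the whole directory, so the container
# silently loses its root CAs for outbound TLS.
CA_DIRS="/etc/ssl/certs /etc/pki/tls/certs /etc/ca-certificates /usr/share/ca-certificates"

# is_ca_dir PATH: succeed if PATH is one of the CA store directories above.
is_ca_dir() {
  for d in $CA_DIRS; do
    if [ "$1" = "$d" ]; then return 0; fi
  done
  return 1
}

# tls_mount_patch CONTAINER SECRET MOUNT_PATH [DEFAULT_MODE]
# Prints the patch on stdout. DEFAULT_MODE is decimal, as kubectl edit shows
# it: 256 = 0400 (the default here), 420 = 0644 (world-readable inside the
# pod, what the post's snippet uses; avoid for a private key). If the
# container runs as non-root, set fsGroup in the pod securityContext so the
# process can read the mounted files. Strategic merge keys containers and
# volumes by name and volumeMounts by mountPath, so existing entries are kept.
tls_mount_patch() {
  mode="${4:-256}"
  case "$3" in
    /*) ;;
    *) echo "mount path must be absolute: $3" >&2; return 1 ;;
  esac
  if is_ca_dir "$3"; then
    echo "refusing $3: mounting there hides the system CA bundle" >&2
    return 1
  fi
  cat <<EOF
spec:
  template:
    spec:
      volumes:
      - name: tls
        secret:
          secretName: $2
          defaultMode: $mode
      containers:
      - name: $1
        volumeMounts:
        - name: tls
          mountPath: $3
          readOnly: true
EOF
}

# Usage against a real cluster (not run here):
#   tls_mount_patch app my-tls /etc/tls > tls-patch.yaml
#   kubectl patch deployment my-app -n my-namespace --type strategic \
#     -p "$(cat tls-patch.yaml)" --dry-run=server -o yaml   # preview
#   kubectl patch deployment my-app -n my-namespace --type strategic \
#     -p "$(cat tls-patch.yaml)"                             # apply
```

The server-side dry run is worth the extra command: it shows the merged Deployment exactly as the API server would store it, so a typo in the container name (which would add a second container instead of editing the existing one) is visible before any pod is restarted.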
...and that's it!
Let me know if there are any quick bites requests you want me to publish next!