Configure a TLS Secret in Kubernetes
Janne Kemppainen
Quite often, when you’re working with a Kubernetes cluster, you also need to handle TLS secrets. Projects like cert-manager can take much of that load off your shoulders, but sometimes you still need to configure a certificate manually.
If you got the certificate from a certificate authority such as GoDaddy, you’ll probably have some intermediate certificates in addition to the cert for your domain. Together they form the certificate chain that verifies the validity of your certificate.
These certificate files need to be combined into a single file that starts with your certificate and is followed by the intermediate certs.
You can do it manually with a text editor, or on the Linux command line like this:
$ cat c3d4scga8hdf0f74.crt gd_bundle-g2-g1.crt > cert.crt
In this example c3d4scga8hdf0f74.crt is the site certificate, gd_bundle-g2-g1.crt contains the intermediate certificates, and cert.crt is the combination of the two. I’m also assuming that the private key is in a file named cert.key.
Ingress controllers, such as the NGINX Ingress Controller, expect the secret to be of type kubernetes.io/tls. Use this command to create a TLS secret (switch the namespace to match yours):
$ kubectl create secret tls my-certificate \
--cert=cert.crt \
--key=cert.key \
--namespace ingress
Upon creating the secret, kubectl checks that the certificate data is valid, i.e., that the private key matches the certificate. If cert.crt does not start with your certificate, you’ll get this error:
$ kubectl create secret tls my-certificate --cert=cert.crt --key=cert.key
error: tls: private key does not match public key
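The same key-matches-certificate check can be run locally before calling kubectl, which also catches a bundle that was concatenated in the wrong order. This is an added example, not code from the original post; it assumes openssl is on PATH, and the demo material it generates (a self-signed site certificate plus a second self-signed certificate standing in for the intermediate bundle) is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is installed;
# file names follow the post (cert.crt = bundle, cert.key = private key).
set -eu

# SHA-256 of the public key inside the FIRST certificate of a PEM bundle.
# openssl x509 only reads the first block, which is why the order matters.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from the private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when the private key matches the bundle's first certificate,
# the condition kubectl enforces for a kubernetes.io/tls secret.
tls_pair_matches() {
    c=$(cert_pubkey_fp "$1"); k=$(key_pubkey_fp "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Number of certificates in the bundle; leaf plus intermediates should be > 1.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Constructed sample material: throwaway self-signed "site" cert/key and a
# second self-signed cert standing in for the CA's intermediate bundle.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
        -keyout "$1/site.key" -out "$1/site.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate" \
        -keyout "$1/inter.key" -out "$1/inter.crt" 2>/dev/null
    cat "$1/site.crt" "$1/inter.crt" > "$1/good.crt"  # site cert first: correct
    cat "$1/inter.crt" "$1/site.crt" > "$1/bad.crt"   # intermediate first: wrong
}

# Run as "sh check-tls.sh demo" to see both outcomes on the constructed files.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); make_demo_pair "$d"
    for b in good bad; do
        if tls_pair_matches "$d/$b.crt" "$d/site.key"; then
            echo "$b.crt: key matches first cert ($(cert_count "$d/$b.crt") certs in bundle)"
        else
            echo "$b.crt: private key does not match public key"
        fi
    done
    rm -rf "$d"
fi
```

For a real deployment, run tls_pair_matches cert.crt cert.key and only call kubectl create secret tls when it succeeds.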
See also how to edit Kubernetes secrets.