Configure a TLS Secret in Kubernetes
Janne Kemppainen
Quite often, when you’re working with a Kubernetes cluster, you also need to handle TLS secrets. Projects like cert-manager can take much of that load off your shoulders but sometimes you still need to configure a certificate manually.
If you got the certificate from a certificate authority such as GoDaddy you’ll probably have some intermediate certificates in addition to the cert for your domain. Together they form the certificate chain that verifies the validity of your certificate.
These certificate files need to be combined into a single file that starts with your certificate and is followed by the intermediate certs.
You can do it manually with a text editor, or on the Linux command line like this:
```shell
$ cat c3d4scga8hdf0f74.crt gd_bundle-g2-g1.crt > cert.crt
```
In this example:
- c3d4scga8hdf0f74.crt is the site certificate,
- gd_bundle-g2-g1.crt contains the intermediate certificates, and
- cert.crt is the combination of the two.
I’m also assuming that the private key is in a file named
Ingress controllers, such as the NGINX Ingress Controller, expect the secret to be of type kubernetes.io/tls. Use this command to create a TLS secret (switch the namespace to match yours):
```shell
$ kubectl create secret tls my-certificate \
    --cert=cert.crt \
    --key=cert.key \
    --namespace ingress
```
Upon creating the certificate, kubectl checks that the certificate data is valid, i.e., that the private key matches the certificate. If cert.crt does not start with your certificate you’ll get this error:
```shell
$ kubectl create secret tls my-certificate --cert=cert.crt --key=cert.key
error: tls: private key does not match public key
```
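As an added example (not code from the original post), here is a small POSIX shell helper that builds the chain file in the order kubectl expects and runs the two checks that would catch the error above before kubectl does: that the combined file starts with the site certificate, and that the private key's public key matches the one in that certificate. The file names in the usage comments are the ones assumed in this post; openssl is assumed to be installed.

```shell
#!/bin/sh
# Constructed example: assemble a PEM chain leaf-first and verify it
# before handing it to kubectl.
set -eu

# Print the first PEM block of a file. For the chain file this is the
# certificate kubectl compares against the private key.
first_pem_block() {
  awk '/-----BEGIN /{n++} n==1{print} /-----END /{if (n==1) exit}' "$1"
}

# Concatenate the site certificate ($1) and the CA bundle ($2) into $3,
# site certificate first.
build_chain() {
  cat "$1" "$2" > "$3"
}

# Succeed when the chain file ($1) starts with the site certificate ($2).
chain_starts_with_leaf() {
  [ "$(first_pem_block "$1")" = "$(first_pem_block "$2")" ]
}

# Succeed when the public key in the first certificate of $1 equals the
# public key derived from the private key in $2. This is the mismatch
# behind "private key does not match public key".
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Usage with the file names assumed in this post:
#   build_chain c3d4scga8hdf0f74.crt gd_bundle-g2-g1.crt cert.crt
#   chain_starts_with_leaf cert.crt c3d4scga8hdf0f74.crt || { echo "wrong order"; exit 1; }
#   key_matches_cert cert.crt cert.key || { echo "key mismatch"; exit 1; }
#   kubectl create secret tls my-certificate --cert=cert.crt --key=cert.key --namespace ingress
```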
See also how to edit Kubernetes secrets.