A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in a container image. Using a Secret means that you don’t need to include confidential data in your application code.
Because Secrets can be created independently of the Pods that use them, there is less risk of the Secret (and its data) being exposed during the workflow of creating, viewing, and editing Pods. Kubernetes, and applications that run in your cluster, can also take additional precautions with Secrets, such as avoiding writing secret data to nonvolatile storage.
Secrets are similar to ConfigMaps but are specifically intended to hold confidential data.
Kubernetes provides several built-in types for some common usage scenarios. These types vary in terms of the validations performed and the constraints Kubernetes imposes on them. Kubernetes provides a builtin Secret type kubernetes.io/tls
for storing a certificate and its associated key that are typically used for TLS.. In this guide we are going to learn how to create TLS secret (kubernetes.io/tls
) which stores data for a TLS client or server.
One common use for TLS secrets is to configure encryption in transit for an Ingress, but you can also use it with other resources or directly in your workload. When using this type of Secret, the tls.key
and the tls.crt
key must be provided in the data
(or stringData
) field of the Secret configuration, although the API server doesn’t actually validate the values for each key.
Generating the certificates
Before proceeding, let us generate some test ssl certificate files to work with. Ensure that you have the openssl
command for this to work:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout citizix.key -out citizix.crt
This will prompt you to fill. This command produces two files: citizix.key
and citizix.crt
. In production, you’d generate a key file and use it to obtain a certificate from a certificate authority.
This is how I did it
➜ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout citizix.key -out citizix.crt
Generating a 2048 bit RSA private key
......................................+++
.................................+++
writing new private key to 'citizix.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:KE
State or Province Name (full name) []:Nairobi
Locality Name (eg, city) []:Nairobi
Organization Name (eg, company) []:Citizix
Organizational Unit Name (eg, section) []:Devops
Common Name (eg, fully qualified host name) []:k8s.citizix.com
Email Address []:admin@citizix.com
Next make sure you also have access to a kubernetes cluster and are in the right kubernetes cluster. Confirm with this command:
kubectl cluster-info
Kubernetes provides two ways to add a secret: directly on the command line, and from a YAML source file. We will learn them both and also learn how to use terraform to achieve the same function.
Creating TLS Secret using Command line
We can issue the kubectl create command to create a secret from the commandl ine.
When creating a TLS Secret using kubectl
, you can use the tls
subcommand as shown in the following example:
kubectl create secret tls citizix-tls \
--key=citizix.key \
--cert=citizix.crt
The public/private key pair must exist before hand. Verify that the secret was added using this command:
➜ kubectl get secret citizix-tls NAME TYPE DATA AGE citizix-tls kubernetes.io/tls 2 42s
To view the YAML source of the secret:
kubectl get secret citizix-tls -o yaml
To delete the secret
kubectl delete secrets citizix-tls
Creating TLS Secret using Command line
The advantage to using configuration files to manage kubernetes resources is that it can be added in a versioning system like git thus make it easy to review, document and manage it later.
At a minimum, get the YAML file that corresponds to your secret and save it to a private Git repo. Encrypt the repo and back it up off-site.
We can also create a YAML source file by hand and use it to create the secret, but this is a little trickier. The skeleton of the YAML file is:
apiVersion: v1
kind: Secret
metadata:
name: citizix-tls
namespace: default
type: kubernetes.io/tls
data:
tls.crt:
tls.key:
The trick is that you have to base64 encode the key and certificate data. In Bash:
cat citizix.crt | base64 cat citizix.key | base64
Paste each piece of base64 encoded data into the appropriate sections of the YAML file as one line. Make sure your text editor doesn’t add any carriage returns to wrap the lines.
apiVersion: v1 kind: Secret metadata: name: citizix-tls namespace: default type: kubernetes.io/tls data: tls.crt: | LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURuakNDQW9ZQ0NRRE4vUUlSTmlCL2JqQU5CZ2txaGtpRzl3MEJBUXNGQURDQmtERUxNQWtHQTFVRUJoTUMKUzBVeEVEQU9CZ05WQkFnTUIwNWhhWEp2WW1reEVEQU9CZ05WQkFjTUIwNWhhWEp2WW1reEVEQU9CZ05WQkFvTQpCME5wZEdsNmFYZ3hEekFOQmdOVkJBc01Ca1JsZG05d2N6RVlNQllHQTFVRUF3d1Bhemh6TG1OcGRHbDZhWGd1ClkyOXRNU0F3SGdZSktvWklodmNOQVFrQkZoRmhaRzFwYmtCamFYUnBlbWw0TG1OdmJUQWVGdzB5TWpBMk16QXgKT1RBNE5ERmFGdzB5TXpBMk16QXhPVEE0TkRGYU1JR1FNUXN3Q1FZRFZRUUdFd0pMUlRFUU1BNEdBMVVFQ0F3SApUbUZwY205aWFURVFNQTRHQTFVRUJ3d0hUbUZwY205aWFURVFNQTRHQTFVRUNnd0hRMmwwYVhwcGVERVBNQTBHCkExVUVDd3dHUkdWMmIzQnpNUmd3RmdZRFZRUUREQTlyT0hNdVkybDBhWHBwZUM1amIyMHhJREFlQmdrcWhraUcKOXcwQkNRRVdFV0ZrYldsdVFHTnBkR2w2YVhndVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QQpNSUlCQ2dLQ0FRRUEyK3k4d0dpZ3YwWWhGK3BmMGxXazJUOFRUSnpiRGxVRXgxT3N0eW8yaWxnUW5PaWYxV254CnkrLzRPZCtUTFpIMStpR3RyUERaVEVZKzJqQTYvTkgydlN6VE82ei9DbVVMdVV0Y0dqK25CcXBoSUtjd3dGd1EKNndRc0ZYbE1YOHFBdlBHU1RRMnRwTUVjcG13YjRHV3FVM2NpUTU4QkxZdXhyRExDZ0ZvYTFKYW9sbVdNOHd4ZwpJaC9PdnZGaFFRUkZINUNiNHNaTURKckxscTIraGtPSjR2QndGc2NlTW5yeU9id3lCTzZQT1dEWCt2cXI2eUpXClRkSFMveHpxeU8xYkpjU0dYVTBIODE3SGxVeEp4ZytIVEtLbTZCTzlKY3orTnpFelVMdWNiTTZnNlM4eCs3am4KNjg5QjNRVmcrdS80TGNSWk8xYUZnakg1TmdNNXhJMlVOUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQgpBUUMyZ0VqdnhnZVoyRkxvMTRCUmVpQ0MwT0MzWEx5Nm9KL2hMaUF0TXl0bUZyenM1TWZOTGpMeTBySW94RUlZCk5SOFRwWkFxSWtmUG5QSmg3MHdodE9USEhwV2hnUUtTWHRONUhGQ2NXc3VnSWs3RnA3ejJ6a3RraFdjb2Y4cmQKU2ZSNWU4b2lIa2gxNjlIdDVWYUF1Rk5IejFoN0UrdXE5WGhSYzNLWktaSng5TXFST0phMHZmZk84aWlyTC9pbQpLNmdaQ0VTajUxRGpuNjZibWVkVGVpTDhYTlhBK3hpc0pXRzZaTUYrUnVKWmNLQXVYeFAzbTA1Y3hLVnRvamxHCkZWSUt6OHA3a3E0dTQ1Q1ExeGJweFIrZDlPcWdTd2NBQjlYSlpzd1JQaC82OXpEaFFIRk05THZRWUhpS2FaTmsKTFN1NlBqZHNFSXBJR254R2dzQkUvcTA3Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K tls.key: | LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2d0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktrd2dnU2xBZ0VBQW9JQkFRRGI3THpBYUtDL1JpRVgKNmwvU1ZhVFpQeE5Nbk5zT1ZRVEhVNnkzS2phS1dCQ2M2Si9WYWZITDcvZzUzNU10a2ZYNklhMnM4TmxNUmo3YQpNRHI4MGZhOUxOTTdyUDhLWlF1NVMxd2FQNmNHcW1FZ3B6REFYQkRyQkN3VmVVeGZ5b0M4OFpKTkRhMmt3UnltCmJCdmdaYXBUZHlKRG53RXRpN0dzTXNLQVdoclVscWlXWll6ekRHQWlIODYrOFdGQkJFVWZrSnZpeGt3TW1zdVcKcmI2R1E0bmk4SEFXeHg0eWV2STV2RElFN284NVlOZjYrcXZySWxaTjBkTC9IT3JJN1ZzbHhJWmRUUWZ6WHNlVgpURW5HRDRkTW9xYm9FNzBselA0M01UTlF1NXhzenFEcEx6SDd1T2ZyejBIZEJXRDY3L2d0eEZrN1ZvV0NNZmsyCkF6bkVqWlExQWdNQkFBRUNnZ0VCQUpKTXlUL0NHblZEcE00eEJ1OTRNOEtsZUNRMkVHOVhWV2Q0SFdSM3UzS0sKcFBxTXNZOFovRlVyWE5pN0IwQ0FZYjYwMnNFNk00UFBFdzY0bVBVSWcvaFNzbTUzWmU0M1MvWkcwSTFSbkw0TgpaN0YrSnlzLzA2MVR5RE84em5iRzBwOWVvSEdMME9EUjZrbzNqcy9YTWRoMlh4L1d6Y1RMc2pVWVMxVnhHM29oClJ4bVlYaGZ2amplYkgyaG1QNkNLS3dSYW1ueHFHWmJ0OWQwY1RvMHRudDQ1czVkZmxYYWlrelh4cnd6L2RxZjUKOEwvTDFGdXZDUTZvQWlXREVBVUZpOUFCSUx1ZG5pZER5Z0RNVUl0NXZ5eW42ZWFweERjUHFxaUE3ZDI1NUxzRAovZ094aytBR1dueVZFeHM2UFBYWUV4b3F3c2VwVTF2K0hqeFNiQW5KNGdFQ2dZRUErS1dmd1pwUmZ4c2RScWNlCmJoajU5Sm1CK0hSTGlTU21nNGk1WjVSR1VuY2VkcUViQXB2MGFUNGQ5WXpqcTlKZU9vY2VYVktldFRvdTJCbC8KVXlNQmNoano4ZXN1eVRlTERBcUhYZEVrQ2hLK2hsSURUeWxMRHF2NFNaMmpVTHl6YzlGSnQ2d2w2dXpmTGt4cgo4SWFSV1pGR2VBRzkzNEVCK0wzVmptcEFOSUVDZ1lFQTRtMnNKRHdQSzQ4c1FIZzdZRzNVYkp5d29ST3BDY3hSClNlamR1b3JzWko1Yld5SXFnN1ZYWTliMFJiSVZlTHJPTlpwQ2czVkJzRVp3dzZJQkxBQzNaSG02Y2JEdHNPNnQKdWtneWFJZ2ExTHZRVE42QXIwY1pqU3o2enc5OTNiOW5mTzR2TW1xMmlqMk5tWHdsTW1BcysvTmJRazIrQy8rdgo5bHIzcHFwcDliVUNnWUFodExIM1dLZjdodjFzK25LUmtpa3dFeThmTXdTYVRyR1QyeERuRFo2S3gwTUY2Y2p6CmpaaVFPNjlyL2ZGTzlYRjRsYUIwSGlNTmhobWJpYmxNMTgzMlhaT1VFOEYvM1Z1b0FqVmZibDVvVHlvc295bDMKcmExVEM5VFloZG9CczlMUHZHczF6c3hGRUY4Z3M1TmVRNStvZUowSTM1T1JuTGRidE1BaVVoenFBUUtCZ1FDQgp5aGZJVlZ6a3ZSYkNoYWlUWjZGQitMY09QYlRCVndxcGNQL1g4OVg0L3dTaXduellMbFEvZUhGZ21lblE0Rk5mClNtTWg4MDZKK25hY3pQb2EvUFlpYzl3NVd3K0VRZXYzUVhjVGtDREJIRDhVTU41V21reTlMYkUraTBTOG5RQjMKRGhpanI2T2VyaFhDaXZUUFlXMm5waUVEYW9pclhBN0RDZlcyNVN3RG1RS0JnUUNiZ215am5WMklzNXpPZUUrMQpqb0luWGEvZ0ZnZ3M0N2IrSWlLVjRYUG93Slp6OFpTUy9McWVkTGRTTDQ1YmJsaHNReEtwaVJnRHBVOStoakhRCm9iazZPUnBBUkhXeTZCaEkxbjBUUzM5R3NpZkQyWHE0RUVad2p1QWdnblAwU2ZhUGhGWmNueVR4WWd0am5ONlcKNC9nNU1QUVpmZ3JQbFNWb0EycTh3UVJkT1E9PQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==
Finally, use the YAML file to create the secret:
kubectl create -f tls.yaml
Using Terraform to Create the TLS Secret
You can also use Terraform to create the secret. This is the terraform provider definition and secret:
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "2.11.0"
}
}
}
provider "kubernetes" {
# Configuration options
}
locals {
tls_crt = file("citizix.crt")
tls_key = file("citizix.key")
}
resource "kubernetes_secret" "tls" {
metadata {
name = "tls"
namespace = "default"
}
type = "tls"
data = {
"tls.crt" = local.tls_crt
"tls.key" = local.tls_key
}
}
A kubernetes.io/tls
Secret stores the Base64-encoded DER data for keys and certificates. If you’re familiar with PEM format for private keys and for certificates, the base64 data are the same as that format except that you omit the initial and the last lines that are used in PEM.
For example, for a certificate, you do not include --------BEGIN CERTIFICATE-----
and -------END CERTIFICATE----
.
Checkout these related content: