Overview
This tutorial shows you how to create a Secret from a certificate and key file and apply it to an Ingress.
Introducing Secret
Secrets are objects that contain a small amount of sensitive data, such as passwords, tokens, or keys. Without them, sensitive information could be included in pod specifications or container images.
Secrets are similar to ConfigMaps, but are specifically designed to hold confidential data.
Secret type
When creating a secret, you can specify its type using the type field of the Secret resource or, where available, the corresponding kubectl command-line flag. Secret types exist to make programmatic handling of secret data easier.
This guide covers creating a TLS secret of the built-in type kubernetes.io/tls.
TLS Secret
Kubernetes provides a built-in secret type kubernetes.io/tls to store keys associated with certificates typically used for TLS. This data is primarily used for TLS termination of Ingress resources, but may also be used directly by other resources or workloads. When using this type of secret, the keys tls.key and tls.crt must be provided in the data (or stringData) field of the secret configuration. However, the API server does not actually validate the values for each key.
The following YAML contains an example configuration for a TLS secret.
apiVersion: v1
kind: Secret
metadata:
  name: secret-tls
type: kubernetes.io/tls
data:
  # data abbreviated for this example
  tls.crt: |
    MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
  tls.key: |
    MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
The TLS secret type is provided for user convenience only. You can also create an Opaque secret for credentials used by TLS servers and/or clients. However, using the built-in type keeps the format of the credentials uniform, and the API server also verifies that the required keys are present in the secret configuration.
Generate TLS Secret
First, prepare the certificate and key files.
Remove key file password
If a password is set in the key file, secret creation may fail.
Remove the password from the key file through the following steps.
1. Copy the files
$ sudo cp path/to/cert/certfile.pem .
$ sudo cp path/to/key/keyfile.pem .
2. Change the owner
$ sudo chown <owner> keyfile.pem
3. Remove the password
$ cp keyfile.pem keyfile.pem.enc
$ openssl rsa -in keyfile.pem.enc -out keyfile.pem
Creating a TLS secret using kubectl
The public key certificate given to --cert must be PEM-encoded (base64-encoded DER) and must match the private key given to --key. The private key must be unencrypted, in what is commonly called PEM private key format. For both formats, the PEM start and end lines (e.g. -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- for the certificate) must not be included.
Create a TLS secret using kubectl
$ sudo kubectl create secret tls my-tls-secret \
    --cert=path/to/cert/certfile.pem \
    --key=path/to/key/keyfile.pem
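The following pre-flight check is an added example, not part of the original tutorial or of the platform's tooling. It implements the two conditions the steps above are concerned with: the private key must no longer be passphrase-protected (both the legacy OpenSSL "Proc-Type: 4,ENCRYPTED" form and the PKCS#8 "ENCRYPTED PRIVATE KEY" form are detected), and both files must contain the expected PEM blocks. It then builds the same kubernetes.io/tls Secret manifest that kubectl create secret tls produces, with each file's contents base64-encoded into data. The PEM samples are constructed placeholders, not real key material; the helper checks only PEM structure and does not prove that the key matches the certificate.

```python
import base64
import json
import re

# Constructed sample PEM material (placeholder bodies, not real keys or certs),
# embedded so the checks can be exercised offline.
ENCRYPTED_TRADITIONAL_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

cGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
"""

ENCRYPTED_PKCS8_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
cGxhY2Vob2xkZXI=
-----END ENCRYPTED PRIVATE KEY-----
"""

PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
"""

CERT = """-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""

# A PEM block: matching BEGIN/END lines around a body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
# Labels that an unencrypted private key can carry.
UNENCRYPTED_KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_block_types(pem_text):
    """Return the label of every PEM block in the text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def key_is_encrypted(key_pem):
    """True if the key still carries a passphrase in either PEM encryption form."""
    if "ENCRYPTED PRIVATE KEY" in pem_block_types(key_pem):   # PKCS#8 encrypted form
        return True
    return "Proc-Type: 4,ENCRYPTED" in key_pem                 # legacy OpenSSL form


def check_tls_material(cert_pem, key_pem):
    """Return the list of problems found; an empty list means the pair is usable."""
    problems = []
    if "CERTIFICATE" not in pem_block_types(cert_pem):
        problems.append("cert: no CERTIFICATE block found")
    if key_is_encrypted(key_pem):
        problems.append("key: still passphrase-protected; remove it with openssl first")
    elif not UNENCRYPTED_KEY_TYPES.intersection(pem_block_types(key_pem)):
        problems.append("key: no unencrypted PRIVATE KEY block found")
    return problems


def build_tls_secret(name, cert_pem, key_pem, namespace=None):
    """Build a kubernetes.io/tls Secret manifest (as a dict) from PEM file contents."""
    problems = check_tls_material(cert_pem, key_pem)
    if problems:
        raise ValueError("; ".join(problems))
    metadata = {"name": name}
    if namespace:
        metadata["namespace"] = namespace
    # Secret data values are the raw file bytes, base64-encoded.
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": metadata,
        "type": "kubernetes.io/tls",
        "data": {
            "tls.crt": base64.b64encode(cert_pem.encode()).decode(),
            "tls.key": base64.b64encode(key_pem.encode()).decode(),
        },
    }


def decoded_data(manifest, key):
    """Decode one entry of a Secret's data field back to text (for verification)."""
    return base64.b64decode(manifest["data"][key]).decode()


if __name__ == "__main__":
    print(check_tls_material(CERT, ENCRYPTED_TRADITIONAL_KEY))
    print(json.dumps(build_tls_secret("my-tls-secret", CERT, PLAIN_KEY), indent=2))
```

To confirm that the certificate and key actually belong together before creating the secret, compare their moduli with openssl (openssl x509 -noout -modulus -in certfile.pem and openssl rsa -noout -modulus -in keyfile.pem must print the same value); the helper above deliberately stops at structural checks so that it runs without a crypto library.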
Create a TLS Secret in the Modernization Platform Console
Go to the Resources tab in the Deployment Groups of the project where you want to create a secret.
Select the cluster from the left menu of the Resources screen, then select the Secrets menu from the cluster's submenu.
A screen for creating a secret, together with the list of secrets registered in the cluster, is displayed.
Create a new secret by filling in the following fields.
Name: Enter the Secret name.
Type: Select kubernetes.io/tls.
Certificate File: Select the certificate file.
Key File: Select the key file.
When you are done, click the Save button. The Secret is created and automatically added to the list at the bottom of the screen.
Click the Deploy button at the top of the screen to deploy the created Secret resource to the cluster.
Applying the generated secret to Ingress
The following YAML is an example ingress configuration using a TLS secret.
# my-tls-ingress.yaml
# The backend.service form below is the networking.k8s.io/v1 schema;
# the v1beta1 Ingress API was removed in Kubernetes 1.22.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-tls-ingress
  namespace: test-namespace
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - test.demo.cloudzcp.com
    secretName: my-tls-secret
  rules:
  - host: test.demo.cloudzcp.com
    http:
      paths:
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: test-service
            port:
              number: 80
In the tls entry, set secretName to the name of the TLS secret you created earlier.
Then redeploy the Ingress that references the TLS secret.
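The consistency check below is an added example, not part of the original tutorial. It checks the things that silently break TLS termination when an Ingress references a secret: the Secret must exist in the Ingress's own namespace (an Ingress cannot reference a Secret in another namespace), it must be of type kubernetes.io/tls with both tls.crt and tls.key present, every rule host should be covered by a tls entry (otherwise the controller does not present this certificate for that host), and the Ingress should not use the networking.k8s.io/v1beta1 API, which was removed in Kubernetes 1.22. The manifests are embedded as constructed dicts mirroring the YAML above rather than parsed from files, so the example runs with the standard library only.

```python
# Constructed sample objects mirroring the tutorial's manifests (example data).
SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "my-tls-secret", "namespace": "test-namespace"},
    "type": "kubernetes.io/tls",
    "data": {"tls.crt": "PLACEHOLDER", "tls.key": "PLACEHOLDER"},
}

INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "my-tls-ingress", "namespace": "test-namespace"},
    "spec": {
        "tls": [{"hosts": ["test.demo.cloudzcp.com"], "secretName": "my-tls-secret"}],
        "rules": [{"host": "test.demo.cloudzcp.com", "http": {"paths": [
            {"path": "/test", "pathType": "Prefix",
             "backend": {"service": {"name": "test-service", "port": {"number": 80}}}}]}}],
    },
}

REMOVED_API = "networking.k8s.io/v1beta1"


def _namespace(obj):
    """Namespace of a namespaced object, defaulting to 'default' when unset."""
    return obj.get("metadata", {}).get("namespace", "default")


def check_ingress_tls(ingress, secrets):
    """Return a list of findings for the Ingress's TLS configuration.

    secrets: the Secret objects present in the cluster (any namespace).
    An empty list means every tls entry resolves to a usable TLS Secret.
    """
    findings = []
    if ingress.get("apiVersion") == REMOVED_API:
        findings.append("apiVersion %s was removed in Kubernetes 1.22; use networking.k8s.io/v1" % REMOVED_API)

    ns = _namespace(ingress)
    spec = ingress.get("spec", {})
    # Secrets are looked up by (namespace, name): cross-namespace references never resolve.
    by_key = {(_namespace(s), s["metadata"]["name"]): s for s in secrets}

    covered_hosts = set()
    for entry in spec.get("tls", []):
        hosts = entry.get("hosts", [])
        covered_hosts.update(hosts)
        name = entry.get("secretName")
        if not name:
            findings.append("tls entry for %s has no secretName" % hosts)
            continue
        secret = by_key.get((ns, name))
        if secret is None:
            findings.append("secret %s/%s not found; the Secret must be in the Ingress namespace" % (ns, name))
        elif secret.get("type") != "kubernetes.io/tls":
            findings.append("secret %s/%s has type %r, expected kubernetes.io/tls" % (ns, name, secret.get("type")))
        else:
            present = set(secret.get("data", {})) | set(secret.get("stringData", {}))
            missing = sorted({"tls.crt", "tls.key"} - present)
            if missing:
                findings.append("secret %s/%s is missing keys: %s" % (ns, name, ", ".join(missing)))

    # A rule host with no tls entry is routed without this certificate.
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host and host not in covered_hosts:
            findings.append("host %s has a rule but no tls entry covering it" % host)
    return findings


if __name__ == "__main__":
    for finding in check_ingress_tls(INGRESS, [SECRET]) or ["ok"]:
        print(finding)
```

Run it against the objects returned by the API (for example, the JSON from kubectl get ingress and kubectl get secrets -o json, converted to dicts) before redeploying, so that a misnamed secret or a namespace mismatch is caught before clients see the controller's fallback certificate.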