354 words
2 minutes
Working with TLS Certificates in Kubernetes - A Step-by-Step Guide

In this blog post, we’ll walk through the process of working with TLS certificates in Kubernetes. This is a crucial skill for ensuring secure communication within your Kubernetes cluster. We’ll cover everything from generating private keys to retrieving and verifying certificates.

Prerequisites#

Before we begin, make sure you have:

  • A running Kubernetes cluster
  • kubectl installed and configured to interact with your cluster
  • OpenSSL for generating keys and CSRs

Step 1: Generate a Private Key and CSR#

First, let’s generate a private key and a Certificate Signing Request (CSR):

Terminal window
openssl genrsa -out learner.key 2048
openssl req -new -key learner.key -out learner.csr -subj "/CN=learner/O=example"

Step 2: Create a CertificateSigningRequest#

Now, we’ll create a CertificateSigningRequest in Kubernetes:

Terminal window
CSR=$(cat learner.csr | base64 | tr -d '\n')
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: learner-csr
spec:
request: $CSR
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 604800 # 1 week
usages:
- client auth
EOF

Step 3: Approve the CSR#

Approve the CSR using kubectl:

Terminal window
kubectl certificate approve learner-csr

Step 4: Retrieve the Certificate#

Retrieve the certificate from the CSR:

Terminal window
kubectl get csr learner-csr -o jsonpath='{.status.certificate}' | base64 --decode > learner.crt

Step 5: Export the Certificate to YAML#

Export the issued certificate to a YAML file:

Terminal window
kubectl get csr learner-csr -o yaml > learner-cert.yaml

Step 6: Extract and Decode the Certificate#

Extract the certificate value from the YAML and decode it:

Terminal window
cat learner-cert.yaml | grep certificate: | awk '{print $2}' | base64 --decode > learner.crt

Verification#

To verify that everything worked correctly, you can use the following commands:

Terminal window
openssl x509 -in learner.crt -text -noout

This command will display the details of the certificate, including its validity period and subject.

Conclusion#

In this tutorial, we’ve walked through the process of working with TLS certificates in Kubernetes. We’ve covered generating keys and CSRs, creating and approving CertificateSigningRequests, and retrieving and verifying certificates. These skills are essential for managing secure communication within your Kubernetes clusters.

In the next part of this series, we’ll explore how to use these certificates in practical Kubernetes scenarios. Stay tuned!


This blog post template covers the main points of the task you described. It provides a step-by-step guide that readers can follow to work with TLS certificates in Kubernetes. The content is structured to be informative and practical, suitable for a technical audience familiar with Kubernetes concepts.

Working with TLS Certificates in Kubernetes - A Step-by-Step Guide
https://mranv.pages.dev/posts/kubernetes-tls-certificates/
Author
Anubhav Gain
Published at
2024-09-27
License
CC BY-NC-SA 4.0