In this blog post, we’ll walk through the process of working with TLS certificates in Kubernetes. This is a crucial skill for ensuring secure communication within your Kubernetes cluster. We’ll cover everything from generating private keys to retrieving and verifying certificates.
Prerequisites
Before we begin, make sure you have:
- A running Kubernetes cluster
- kubectl installed and configured to interact with your cluster
- OpenSSL for generating keys and CSRs
Step 1: Generate a Private Key and CSR
First, let’s generate a private key and a Certificate Signing Request (CSR):
openssl genrsa -out learner.key 2048
openssl req -new -key learner.key -out learner.csr -subj "/CN=learner/O=example"
Step 2: Create a CertificateSigningRequest
Now, we’ll create a CertificateSigningRequest in Kubernetes:
CSR=$(cat learner.csr | base64 | tr -d '\n')

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: learner-csr
spec:
  request: $CSR
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 604800 # 1 week
  usages:
  - client auth
EOF
Step 3: Approve the CSR
Approve the CSR using kubectl. Approval is a privileged action: with the kubernetes.io/kube-apiserver-client signer, the CN in the request becomes the Kubernetes username and the O becomes a group, so check the request’s subject before approving it.
kubectl certificate approve learner-csr
Step 4: Retrieve the Certificate
Retrieve the certificate from the CSR:
kubectl get csr learner-csr -o jsonpath='{.status.certificate}' | base64 --decode > learner.crt
Step 5: Export the Certificate to YAML
As an alternative to Step 4, export the issued certificate (together with the rest of the CSR object) to a YAML file:
kubectl get csr learner-csr -o yaml > learner-cert.yaml
Step 6: Extract and Decode the Certificate
Extract the certificate value from the YAML and decode it; this produces the same learner.crt as Step 4:
cat learner-cert.yaml | grep certificate: | awk '{print $2}' | base64 --decode > learner.crt
Verification
To verify that everything worked correctly, you can use the following command:
openssl x509 -in learner.crt -text -noout
This command will display the details of the certificate, including its validity period and subject.
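Reading the -text output by eye is fine for one certificate, but the checks that matter for a client certificate can be scripted. The function below is an added example, not part of the original post: it takes the learner.key and learner.csr from Step 1, the learner.crt from Step 4 and a copy of the cluster CA certificate (assumed to be saved locally, for example from your kubeconfig), and confirms that the issued certificate belongs to our key, kept the subject we requested, chains to the cluster CA, carries the client auth usage and lives no longer than the 604800 seconds requested in Step 2.

```shell
#!/bin/sh
# check_issued_cert: post-issuance checks for a client certificate obtained via
# a Kubernetes CertificateSigningRequest. Added example, not from the original
# post; the function name and argument order are this example's own choice.
# Requires openssl. Usage: check_issued_cert KEY CSR CERT CA_CERT [MAX_SECONDS]
#   KEY/CSR  - the learner.key / learner.csr created in Step 1
#   CERT     - the learner.crt retrieved in Step 4
#   CA_CERT  - the cluster CA certificate (e.g. extracted from your kubeconfig)
# Prints the first failing check and returns 1; returns 0 if all checks pass.
check_issued_cert() {
  key=$1 csr=$2 crt=$3 ca=$4 max=${5:-604800}

  # 1. The certificate must carry the public half of OUR private key; a
  #    mix-up here means the cert is useless to us (or belongs to someone else).
  [ "$(openssl pkey -in "$key" -pubout)" = "$(openssl x509 -in "$crt" -noout -pubkey)" ] \
    || { echo "public key does not match $key"; return 1; }

  # 2. The subject must be exactly what the CSR asked for. For the
  #    kube-apiserver-client signer, CN becomes the username and O the group,
  #    so any change here changes the identity Kubernetes will grant.
  want=$(openssl req -in "$csr" -noout -subject)
  got=$(openssl x509 -in "$crt" -noout -subject)
  [ "${want#subject=}" = "${got#subject=}" ] \
    || { echo "subject changed: requested '$want', issued '$got'"; return 1; }

  # 3. The chain must validate against the cluster CA, otherwise the API
  #    server will not accept the certificate for client authentication.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "certificate does not chain to $ca"; return 1; }

  # 4. Extended key usage must include client authentication (the 'client auth'
  #    usage requested in Step 2).
  openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Client Authentication' \
    || { echo "missing clientAuth extended key usage"; return 1; }

  # 5. Lifetime sanity: not expired, and not valid for longer than requested
  #    (an issued certificate cannot be revoked, so a long-lived one is a liability).
  #    -checkend N exits 0 only if the cert is still valid N seconds from now.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "certificate already expired"; return 1; }
  if openssl x509 -in "$crt" -noout -checkend "$max" >/dev/null; then
    echo "certificate lives longer than the requested $max seconds"; return 1
  fi
  echo "all checks passed for $crt"
}

# Run directly as a script: ./check_cert.sh learner.key learner.csr learner.crt ca.crt
if [ $# -ge 4 ]; then check_issued_cert "$@"; fi
```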
Conclusion
In this tutorial, we’ve walked through the process of working with TLS certificates in Kubernetes. We’ve covered generating keys and CSRs, creating and approving CertificateSigningRequests, and retrieving and verifying certificates. These skills are essential for managing secure communication within your Kubernetes clusters.
In the next part of this series, we’ll explore how to use these certificates in practical Kubernetes scenarios. Stay tuned!