Working with TLS Certificates in Kubernetes - A Step-by-Step Guide

In this blog post, we’ll walk through the process of working with TLS certificates in Kubernetes. This is a crucial skill for ensuring secure communication within your Kubernetes cluster. We’ll cover everything from generating private keys to retrieving and verifying certificates.

Prerequisites#

Before we begin, make sure you have:

A running Kubernetes cluster
kubectl installed and configured to interact with your cluster
OpenSSL for generating keys and CSRs

Step 1: Generate a Private Key and CSR#

First, let’s generate a private key and a Certificate Signing Request (CSR):

1
openssl genrsa -out learner.key 2048
2
openssl req -new -key learner.key -out learner.csr -subj "/CN=learner/O=example"

Step 2: Create a CertificateSigningRequest#

Now, we’ll create a CertificateSigningRequest in Kubernetes:

1
CSR=$(cat learner.csr | base64 | tr -d '\n')
2

3
cat <<EOF | kubectl apply -f -
4
apiVersion: certificates.k8s.io/v1
5
kind: CertificateSigningRequest
6
metadata:
7
  name: learner-csr
8
spec:
9
  request: $CSR
10
  signerName: kubernetes.io/kube-apiserver-client
11
  expirationSeconds: 604800  # 1 week
12
  usages:
13
  - client auth
14
EOF

Step 3: Approve the CSR#

Approve the CSR using kubectl:

1
kubectl certificate approve learner-csr

Step 4: Retrieve the Certificate#

Retrieve the certificate from the CSR:

1
kubectl get csr learner-csr -o jsonpath='{.status.certificate}' | base64 --decode > learner.crt

Step 5: Export the Certificate to YAML#

Export the issued certificate to a YAML file:

1
kubectl get csr learner-csr -o yaml > learner-cert.yaml

Step 6: Extract and Decode the Certificate#

Extract the certificate value from the YAML and decode it:

1
cat learner-cert.yaml | grep certificate: | awk '{print $2}' | base64 --decode > learner.crt

Verification#

To verify that everything worked correctly, you can use the following commands:

1
openssl x509 -in learner.crt -text -noout

This command will display the details of the certificate, including its validity period and subject.

Conclusion#

In this tutorial, we’ve walked through the process of working with TLS certificates in Kubernetes. We’ve covered generating keys and CSRs, creating and approving CertificateSigningRequests, and retrieving and verifying certificates. These skills are essential for managing secure communication within your Kubernetes clusters.

In the next part of this series, we’ll explore how to use these certificates in practical Kubernetes scenarios. Stay tuned!

This blog post template covers the main points of the task you described. It provides a step-by-step guide that readers can follow to work with TLS certificates in Kubernetes. The content is structured to be informative and practical, suitable for a technical audience familiar with Kubernetes concepts.