Kubernetes ingress tls

4/12/2018

I used the below command to generate a key locally.

openssl genrsa -out testsvc.testns.ing.lb.xyz.io.key.pem 2048

And the used the below command to generate the CSR(certificate signing request).

openssl req -new -sha256 -key testsvc.testns.ing.lb.xyz.io.key.pem -subj "/CN=testsvc.testns.ing.lb.xyz.io"

I generated the certificate chain file using the above CSR file and finally got the below file.

testsvc.testns.ing.lb.xyz.io.chain.pem

I am trying to use them for ingress tls and below is the command for ingress tls.

kubectl create secret tls custom-tls-cert --key /path/to/tls.key --cert /path/to/tls.crt

Not sure, How can i use the chain.pem file and key.pem file with the above command. Tried generating crt from the chain.pem and getting error on kubectl create secret.

"error: failed to load key pair tls: failed to find any PEM data in certificate input"

I would like to create the below secret.

apiVersion: v1
data:
  tls.crt: base64 encoded cert
  tls.key: base64 encoded key
kind: Secret
metadata:
  name: testsecret
  namespace: default
type: Opaque

Not sure how to generate .crt and .key file with the chain.pem file.

Thanks

-- user1578872
kubernetes
ssl

1 Answer

4/13/2018

First, let's clarify what the key, CSR, and certificate are.

key - locally generated secret file shown/sent to noone (key.pem)
csr - file (request.pem) generated by key.pem, need to be sent to CA (certificate authority). (You can have your own CA, but usually, it is managed by someone else).
cert - file (cert.pem) created by CA based on request.pem and its own CA private key

Now you can use these two files - key.pem and cert.pem - to create a secure connection between your service and a client.

I suppose you have only created a key and a request. So, you need to go one step further and get a certificate from CA.

For testing purpose, you can create a new key and a self-signed certificate with one command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/C=US/ST=Florida/L=Miami/O=SomeCompany/OU=ITdepartment/CN=www.mydomain.com"

(adjust subject to your needs)

There are different types of keys and certificates, and it's easy to find the way to convert one format into another.

Using certificate and key in PEM format when creating a Secret should work fine.

Just insert the key and the certificate into that command as follows:

kubectl create secret tls testsecret --key key.pem --cert cert.pem  

This command creates a Secret object and encodes key.pem and cert.pem content with base64.

You can check the content of the created object with the commands:

kubectl get secret testsecret -o yaml

echo "tls.crt: content" | base64 --decode

for example:

echo "LS0t...tLS0tLQo=" | base64 --decode

Read more about using and generating certificates here:
https://www.sslshopper.com/article-most-common-openssl-commands.html

How to create a self-signed certificate with openssl?

https://docs.bitnami.com/kubernetes/how-to/secure-kubernetes-services-with-ingress-tls-letsencrypt/

https://kubernetes.io/docs/concepts/configuration/secret/

-- VAS
Source: StackOverflow