Using Kubernetes Installer TLS Certificates
Kubernetes installer clusters create a kotsadm-tls
secret which can reused by other Kubernetes resources.
Verify TLS Secret
Output the kotsadm-tls
secret
kubectl get secret kotsadm-tls -o yaml
In the output the tls.crt
and tls.key
hold the certificate and key, respectively, which can be referenced in either a Deployment or Ingress resource.
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: kotsadm-tls
data:
tls.crt: <base64_encoded>
tls.key: <base64_encoded>
Deployment
Below is an example of how to use kotsadm-tls
in a Deployment resource.
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
spec:
template:
spec:
containers:
volumeMounts:
- mountPath: "/etc/nginx/ssl"
name: nginx-ssl
readOnly: true
volumes:
- name: nginx-ssl
secret:
secretName: kotsadm-tls
Deploy the release and exec
into the pod to verify
$ export POD_NAME=nginx-<hash>
$ kubectl exec -it ${POD_NAME} bash
Run ls
and cat
to verify
$ ls /etc/nginx/ssl
tls.crt tls.key
$ cat /etc/nginx/ssl/tls.crt
-----BEGIN CERTIFICATE-----
MIID8zCCAtugAwIBAgIUZF+NWHnpJCt2R1rDUhYjwgVv72UwDQYJKoZIhvcNAQEL
$ cat /etc/nginx/ssl/tls.key
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyiGNuHw2LY3Rv
Ingress
Another way kotsadm-tls
secret can be used is by passing it directly to the Ingress resource so TLS can be terminated at the contour layer.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginx
spec:
rules:
tls:
- hosts:
- 'tls.foo.com'
secretName: kotsadm-tls
- host: tls.foo.com
http:
paths:
- path: /
backend:
serviceName: nginx
servicePort: 80
Note: tls.foo.com
must resolve to a valid IP and must also match the CN or Subjective Alternative Name (SAN) of the TLS cert.
Updating Certificates
When certificates expire, they can be re-uploaded. For more information, see Uploading new TLS Certificates.
Existing Cluster
The expectation when using an existing cluster is for the end customer to bring their own Ingress Controller such as Contour or Istio and upload their own kubernetes.io/tls
secret. For an example, see Ingress with TLS.