0
0
KubernetesHow-ToBeginner · 3 min read

How to Use TLS Secret in Kubernetes for Secure Communication

In Kubernetes, you create a tls secret by providing your TLS certificate and private key files, then reference this secret in your pod or ingress to enable secure HTTPS communication. Use kubectl create secret tls with your cert and key files, and configure your workload to use the secret for TLS termination.
📐

Syntax

The kubectl create secret tls command creates a TLS secret from your certificate and private key files. The syntax is:

  • kubectl create secret tls <secret-name> --cert=<path-to-cert-file> --key=<path-to-key-file>
  • <secret-name>: Name you assign to the secret.
  • --cert: Path to your TLS certificate file (usually .crt or .pem).
  • --key: Path to your private key file (usually .key).

This secret can then be referenced in your pod or ingress configuration to enable TLS.

bash
kubectl create secret tls my-tls-secret --cert=path/to/tls.crt --key=path/to/tls.key
Output
secret/my-tls-secret created
💻

Example

This example shows how to create a TLS secret and use it in an Ingress resource to enable HTTPS for a service.

bash and yaml
kubectl create secret tls example-tls --cert=./tls.crt --key=./tls.key

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
Output
secret/example-tls created ingress.networking.k8s.io/example-ingress created
⚠️

Common Pitfalls

  • Using incorrect file paths or missing certificate/key files causes secret creation to fail.
  • Not matching the hosts in the Ingress TLS section with the certificate's domain causes TLS errors.
  • Forgetting to specify secretName in the Ingress TLS block means TLS won't be enabled.
  • Using a secret type other than kubernetes.io/tls will not work for TLS.
bash
kubectl create secret generic wrong-secret --from-file=tls.crt=./tls.crt --from-file=tls.key=./tls.key
# This creates a generic secret, not a TLS secret and won't work for TLS.

# Correct way:
kubectl create secret tls correct-secret --cert=./tls.crt --key=./tls.key
Output
error: secret "wrong-secret" created (but not usable as TLS secret) secret/correct-secret created
📊

Quick Reference

Remember these key points when using TLS secrets in Kubernetes:

  • Use kubectl create secret tls with cert and key files.
  • Reference the secret in your pod or ingress under tls.secretName.
  • Ensure your certificate matches the domain names used in your ingress rules.
  • Check file permissions and paths before creating the secret.

Key Takeaways

Create TLS secrets using 'kubectl create secret tls' with your certificate and key files.
Reference the TLS secret in your Ingress or pod spec to enable HTTPS.
Ensure the certificate domain matches the host names in your Ingress rules.
Avoid using generic secrets for TLS as they won't enable secure communication.
Verify file paths and permissions before creating the TLS secret.

Related by keyword

How to Use TLS with Kubernetes Ingress for Secure TrafficIngressHow to Secure Kubernetes Cluster: Best Practices and ExamplesSecurityHow to Check Cluster Info in Kubernetes QuicklyGetting StartedHow to Check Kubernetes Version Quickly and EasilyGetting StartedHow to Install Kubernetes: Step-by-Step GuideGetting Started

Up next

What is Service in Kubernetes: Definition and UsageWhen to Use Headless Service in Kubernetes: Explained SimplyHow to Create Namespace in Kubernetes: Simple StepsHow to Delete Namespace in Kubernetes: Simple Commands & Tips

More in ConfigMaps and Secrets

ConfigMap vs Secret in Kubernetes: Key Differences and UsageHow to Create ConfigMap from File in KubernetesHow to Create ConfigMap from Literal in KubernetesHow to Create ConfigMap in Kubernetes: Simple Guide