Reputation: 594
Kubernetes env referencing a tls crt and key
I have been trying to port over some infrastructure to K8S from a VM docker setup. But I cannot seem to reference the tls certificate and key properly within the K8S env.yaml such that the container using the env can use them correctly.
In a traditional VM docker setup the .env file looks like this for referencing the tls cert+key:
TLS_CERT_PATH=/tls/server.crt
TLS_KEY_PATH=/tls/server.key
In my K8S I create the tls cert+key via:
kubectl create secret tls cl-tls --key "server.key" --cert "server.crt"
And I reference the tls cert+key via within the env-configmap.yaml via:
apiVersion: v1
kind: ConfigMap
metadata:
name: env-config
data:
TLS_CERT_PATH: "cl-tls"
TLS_KEY_PATH: "cl-tls"
I have additionally tried with no luck either:
kubectl create secret generic tls-cert --from-file="server.crt"
kubectl create secret generic tls-key --from-file="server.key"
With a env-configmap.yaml:
TLS_CERT_PATH: "tls-cert"
TLS_KEY_PATH: "tls-key"
Upvotes: 0
Views: 2199
Answers (1)
Reputation: 2919
You are mixing two different concepts.
- You want to make the
server.keyandserver.certfiles available to your pods, and want to reference them in your pod specification in the form ofPATHvariables. This is a separate implementation. LEGACY APPROACH - You want to convert the
server.keyandserver.certto asecretobject. And you want to use thesecretin your pods to inject theserver.keyandserver.certinformation directly in the pod. KUBERNETES NATIVE APPROACH
Note: You do not need a
ConfigMapin any case. (You should never useConfigMaptype for sensitive data anyway).
Procedure for Approach 1
- Put the
server.certandserver.keyin a directory on the worker node where your pod will run. Let's call it~/certs/. - Mount this directory as a volume to your pods, with type
hostPath. You can read more about them here. - Add
TLS_CERT_PATH: "~/.certs/server.cert"andTLS_KEY_PATH: "~/.certs/server.key"as environment variable to your pod. This will work as expected.
This is it. You do not need config maps or secrets and this approach will work. This is not a recommended approach since if you want to rotate the certificates when they are about to expire, you'll have to manually update the server.key and server.cert files on your node for the pod authentication to work. But this is how it will be done.
Procedure for Approach 2
- Create a
tlstype secret with yourserver.certandserver.keyfiles. (You're already doing this correctly). You can use this doc for more details. - Use that secret to inject the
server.certandserver.keyinto your pods. You will mount this secret as a volume to your pod. And then you can reference the secret parameters as "files" in your pod specification. When secrets are used in this way the parameter name becomes a file at the mount point, and the parameter value becomes the contents of that file. You'll configure your pod specification with environment asTLS_CERT_PATH: "secret/mount/path/server.cert"andTLS_KEY_PATH:"secret/mount/path/server.key". You can find the recipe to do that in the docs here.
Both approaches will work. Except this time, you can very easily rotate your TLS certificates by simply updating the Secret object and the volume mount sync will automatically update it in all the pods that have it mounted. Understand that secrets are functionally equivalent to ConfigMaps. Both are key/value pairs. It is just that Secrets have special attributes and features that make them more suitable to be used for sensitive data.
Hope this helps!
Upvotes: 2
Related Questions
- SSL/TLS certificates management in Kubernetes
- How to use Kubernetes SSL certificates
- How do I add an intermediate SSL certificate to Kubernetes ingress TLS configuration?
- Kubernetes - Create custom secret holding SSL certificates
- How to access TLS Secret via env variables in Kubernetes?
- No tls.crt on certificate secret
- How to setup TLS correctly in Kubernetes via cert-manager?
- How to create tls certs which I can use in kubernetes?
- Kubernetes: Open /certs/tls.crt: no such file or directory
- Kubernetes TLS issue