Configure a TLS Secret in Kubernetes

Janne Kemppainen

Quite often, when you’re working with a Kubernetes cluster, you also need to handle TLS secrets. Projects like cert-manager can take much of that load off your shoulders but sometimes you still need to configure a certificate manually.

If you got the certificate from a certificate authority such as GoDaddy you’ll probably have some intermediate certificates in addition to the cert for your domain. Together they form the certificate chain that verifies the validity of your certificate.

These certificate files need to be combined into a single file that starts with your own certificate and is followed by the intermediate certificates.

You can do it manually with a text editor, or on the Linux command line like this:

$ cat c3d4scga8hdf0f74.crt gd_bundle-g2-g1.crt > cert.crt

In this example c3d4scga8hdf0f74.crt is the site certificate, gd_bundle-g2-g1.crt contains the intermediate certificates, and cert.crt is the combination of the two. I’m also assuming that the private key is in a file named cert.key.

Ingress controllers, such as the NGINX Ingress Controller, expect the secret to be of type kubernetes.io/tls. Use this command to create a TLS secret (switch the namespace to match yours):

$ kubectl create secret tls my-certificate \
    --cert=cert.crt \
    --key=cert.key \
    --namespace ingress

When creating the secret, kubectl checks that the certificate data is valid, i.e. that the private key matches the first certificate in the file. If cert.crt does not start with your certificate you’ll get this error:

$ kubectl create secret tls my-certificate --cert=cert.crt --key=cert.key
error: tls: private key does not match public key

See also how to edit Kubernetes secrets.
