Kubernetes TLS certificates
A how-to guide on renewing and adding TLS certificates in a Kubernetes deployment
Adding and renewing TLS certificates in Kubernetes
These instructions present how to add a TLS certificate for SentiOne Automate for haproxy-ingress. More information about TLS type secrets is available in Kubernetes documentation - TLS secrets.
Prerequisites
- A valid wildcard certificate signed by a trusted CA.
If the certificate has a .pfx extension, you must first convert it into two separate files: a .crt file (certificate) and a .key file (private key). Example of conversion:
openssl pkcs12 -in wildcard.pfx -out wildcard_example-com.crt -nodes -nokeys
openssl pkcs12 -in wildcard.pfx -out wildcard_example-com.key -nodes -nocerts
Preparing the Ingress object
In the following two sample Ingress manifests, the gateway Ingress is additionally secured by a BasicAuth authentication scheme (see its annotations).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: envname-automate-ingress
spec:
  tls: # add the spec.tls section
  - hosts: # hostnames to be secured by the certificate
    - admin.automate.example.com
    - new-web.automate.example.com
    - web-chat.automate.example.com
    secretName: tls-wildcard-example-com-secret # name of the TLS secret created in the next step
  rules:
  - host: admin.automate.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: admin
            port:
              number: 5750
  - host: new-web.automate.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: new-web
            port:
              number: 9000
  - host: web-chat.automate.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-chat
            port:
              number: 5760

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: haproxy
    ingress.kubernetes.io/auth-type: basic
    ingress.kubernetes.io/auth-realm: "Gateway Basic Auth"
    ingress.kubernetes.io/auth-secret: basic-auth-gateway
  name: envname-gateway-ingress
spec:
  tls:
  - hosts:
    - gateway-envname.example.com
    secretName: tls-wildcard-example-com-secret
  rules:
  - host: gateway-envname.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: gateway
            port:
              number: 5000
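A wildcard in a certificate's Subject Alternative Name covers exactly one DNS label, so it is worth checking, before the secret is rotated, that the certificate's SAN entries cover every host listed in spec.tls.hosts of both manifests. The following is an added example (not part of the original guide or of SentiOne's tooling): the host list is taken from the manifests above, the SAN lists are constructed samples, and the helper that renders the Secret reproduces what kubectl create secret tls produces.

```python
# Added example: SAN coverage check for the Ingress hosts, plus the
# kubernetes.io/tls Secret manifest that `kubectl create secret tls` would create.
# The real SAN list can be read with:
#   openssl x509 -in wildcard_example-com.crt -noout -ext subjectAltName
import base64
import json

def wildcard_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may only be the whole leftmost label and it
    matches exactly one label, so '*.example.com' covers
    'gateway-envname.example.com' but neither 'admin.automate.example.com'
    nor the bare 'example.com'. Comparison is case-insensitive."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def uncovered_hosts(san_dns_names, ingress_hosts):
    """Return the Ingress hosts that no SAN dNSName entry covers."""
    return [h for h in ingress_hosts
            if not any(wildcard_matches(san, h) for san in san_dns_names)]

def build_tls_secret(name, namespace, cert_pem, key_pem):
    """Manifest equivalent of `kubectl create secret tls`: type kubernetes.io/tls
    with base64-encoded tls.crt and tls.key entries."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.crt": enc(cert_pem), "tls.key": enc(key_pem)}}

# Hosts from spec.tls.hosts of the two Ingress manifests above.
INGRESS_HOSTS = ["admin.automate.example.com", "new-web.automate.example.com",
                 "web-chat.automate.example.com", "gateway-envname.example.com"]

if __name__ == "__main__":
    # Constructed SAN lists: a single-level wildcard leaves the automate hosts
    # uncovered; adding the second-level wildcard covers everything.
    print("not covered by *.example.com:", uncovered_hosts(["*.example.com"], INGRESS_HOSTS))
    print("not covered by both wildcards:",
          uncovered_hosts(["*.example.com", "*.automate.example.com"], INGRESS_HOSTS))
    # Placeholder PEM strings stand in for the real wildcard_example-com.crt/.key.
    print(json.dumps(build_tls_secret("tls-wildcard-example-com-secret", "sentione",
                                      "<PEM certificate>", "<PEM private key>"), indent=2))
```

If uncovered_hosts reports anything, browsers will reject the connection for those hosts even though the Secret and Ingress apply cleanly, so obtain a certificate whose SANs include them before proceeding.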
Adding a certificate to Kubernetes
To add or replace the certificate secret, run the following command on each cluster. Rendering the secret with --dry-run=client and piping it to kubectl apply makes the step idempotent, so the same command works for the first installation and for a renewal (a plain kubectl create secret fails with AlreadyExists when the secret is already present):
kubectl create secret tls tls-wildcard-example-com-secret --key wildcard_example-com.key --cert wildcard_example-com.crt -n sentione --dry-run=client -o yaml | kubectl apply -f -
Then apply the updated Ingress objects:
kubectl apply -f envname-automate-ingress -n sentione
kubectl apply -f envname-gateway-ingress -n sentione