Mount SSL certificates in a Pod with a Kubernetes Secret
In a Kubernetes environment with multiple worker nodes, it is not ideal to mount local storage as a volume the way we do with docker -v hostpath:containerpath.
If you need to use some external files in a Kubernetes Pod, you can use a Kubernetes Secret.
Encode your SSL certs with base64
I assume that you have two SSL cert files: one is nginx.key, the other is nginx.crt.
Create a base64-encoded version of both files. I trimmed the output for better reading.
$ base64 nginx.key
LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2QUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktZd2dnU2lBZ0VBQW9JQkFRQ1lrL2hMaEMzalh2Y3kKUHY1VDdNcU1OMWR5STlQNVM5MlpUUllNT1VZb2JiUXREeE1KbWxMd3g4c0owQURlWjVzTWRSQkYwWjJzNVBrMApHL3V2d2c2c2JpSTFCaXVqaVBzdnRwWVpIaC9nZVdJUG5zSlk5dWpJenFyZ3Q0UUoxNzkvRjhncjliVUpJdlNQCnZ2YTQycjRFMEdoUzFnaVNUWENSbk…
$ base64 nginx.crt
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHRENDQWdBQ0NRRHJDajdxWHFhR1VqQU5CZ2txaGtpRzl3MEJBUXN…
Create an SSL secret file
$ cat sslsecret.yml
apiVersion: v1
data:
  nginx.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2QUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktZd2dnU2lBZ0VBQW9JQkFRQ1lrL2hMaEMzalh2Y3kKUHY1VDdNcU1OMWR5STlQNVM5MlpUUllNT1VZb2JiUXREeE1KbWxMd3g4c0owQURlWjVzTWRSQkYwWjJzNVBrMApHL3V2d2c2c2JpSTFCaXVqaVBzdnRwWVpIaC9nZVdJUG5zS....
  nginx.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHRENDQWdBQ0NRRHJDajdxWHFhR1VqQU5CZ2txaGtpRzl3MEJBUXN….
kind: Secret
metadata:
  name: nginx-ssl
type: Opaque
Create the secret
$ kubectl apply -f sslsecret.yml
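The encode and create-file steps above as a script, added here as an example and not part of the original post: it builds the manifest from nginx.key and nginx.crt, removes the line breaks that GNU base64 inserts every 76 characters (a wrapped value breaks the YAML), and can decode an entry again to confirm it matches the source file. The function names b64_oneline, make_ssl_secret and secret_entry are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Encode a file as one base64 line. GNU base64 wraps at 76 columns and a
# wrapped value is not a valid single-line YAML scalar, so drop the newlines.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Print a Secret manifest; entry names are taken from the file names.
# usage: make_ssl_secret <secret-name> <key-file> <crt-file>
make_ssl_secret() {
    name=$1 key=$2 crt=$3
    for f in "$key" "$crt"; do
        [ -s "$f" ] || { echo "missing or empty file: $f" >&2; return 1; }
    done
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  $(basename "$key"): $(b64_oneline "$key")
  $(basename "$crt"): $(b64_oneline "$crt")
EOF
}

# Decode one data entry of a manifest to stdout, to compare with the source.
# usage: secret_entry <manifest-file> <entry-name>
secret_entry() {
    awk -v k="$2:" '$1 == k { print $2 }' "$1" | base64 -d
}

# When called with three arguments, write the manifest to stdout, e.g.
#   umask 077   # base64 is encoding, not encryption: keep the file private
#   sh thisfile.sh nginx-ssl nginx.key nginx.crt > sslsecret.yml
if [ "$#" -eq 3 ]; then
    make_ssl_secret "$@"
fi
```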
Mount the nginx-ssl secret in the nginx deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        volumeMounts:
        # each entry of the secret appears as a file under this directory
        - mountPath: "/etc/nginx/ssl"
          name: nginx-ssl
          readOnly: true
        ports:
        - containerPort: 80
      volumes:
      # volume backed by the nginx-ssl secret created above
      - name: nginx-ssl
        secret:
          secretName: nginx-ssl
      restartPolicy: Always
This mount will create two files, nginx.key and nginx.crt, under the /etc/nginx/ssl directory in the pod. If you used different key names instead of nginx.crt and nginx.key, you will see files named after your keys.
Ismail YENIGUL