Kubernetes

Add an SSL/TLS Certificate to Kubernetes Cluster

SSL certificates are used to secure the application that is made on Kubernetes for future safety.  Let us take another secure certificate, TLS, that contains a very secure private key. Certificates are created with certificates:  K8r.io API. We will teach about SSL certificate configuration with the help of detailed examples. Let us start with the SSL certificate in Kubernetes. SSL certificates are very important for browsers. The browser, with the help of SSL and TLS certificates, creates a secure connection with Kubernetes services.

Pre-requisites:

Every user must have Ubuntu’s latest version of their system. The user of the Windows operating system installs a virtual box and adds Ubuntu or Linux virtually to the system. Users must be familiar with Kubernetes, the kubectl command line, pods, and clusters, and know cluster DNS to understand this topic better.

Let us have a brief look at SSL certificate configuration in Kubernetes by breaking the whole procedure into different steps.

Step 1: Start Kubernetes Control Panel

We want an environment in our application where we can run Kubernetes commands to perform Kubernetes tasks. As a result, Kubernetes provides us with a local-based container called “minikube.” At every Kubernetes application start, we will start a minikube in Kubernetes, which is basically a terminal, which is required for running Kubernetes commands. In this step, we run the command to initialize Minikube, which is:

 >   minikube start

When we run this command on our system terminal, the execution of the command starts by pressing the enter button. The command shows us a below-attached screenshot result in return.

Step 2: Generate Certificate Signing Request

After creating a cluster by using Minikube, we now want to create a certificate signing request. In exchange for this action, we run the command for signing the certificate request and generating a private key.

> cat <<EOF | cfssl genkey - | cfssljson   -bare server

After query execution, the request is successfully generated with the private key. The result is attached above as a screenshot.

Step 3: Create a Certificate Signing Request Manifest in the YAML File

In this step, we will create a YAML file manifest for creating a CSR in Kubernetes. We run the command below:

> cat <<EOF | kubectl apply -f

Following the execution of this command, a YAML file is successfully created. And we send it to the API server, as shown in the attached screenshot.

Step 4:  Get Certificate Signing Request Status

In this step, we will look at the CSR status as seen through the API. We can run the given command to retrieve the status of the certificate request.

> kubectl describe csv my-svc.my-namespace

When the command is run, the CSR status is displayed in the output, as shown in the attached screenshot. The status of CSR is “pending,” and this status is coming from API. The name of the file is my-svc. my-namespace and annotations, requesting user and subject, subject alternative names having DNS names and IP addresses, events, etc. are included in the CSR description. The status is “pending,” which means the CSR certificate has not been approved yet.

Step 5:  CSR Certificates Approvement

The CSR certificate’s status is still pending. So, in this case, we will send a query to Kubernetes’ API to approve the CSR certificate. We run this command for approval:

> kubectl certificate approve my-svc .my-namespace

The command shows the output after execution. An authorized person, such as the Kubernetes administration, approves the CSR certificate. As we are authorized users, we create YAML files. As a result, the CSR certificate is easily approved using the command, as shown in the screenshot below for clarification.

my-svc.my-namespace is approved successfully through the certificates.k8s.io API.

Step 6: Fetch the CSR Certificate in Kubernetes

We are now waiting to see if the CSR certificate has been approved. So, we will run the command to get a list of all CSR certificates that are currently active in the system. Run the command:

> kubectl get csr

The name of the approved CSR certificate in Kubernetes is shown in the attached screenshot. This command returns the name, age, signer name, requestor, requested duration, and condition of the CSR certificate.

Step 7: Sign the Certificate by Creating Authority

In this step, we will see how certificates are signed in Kubernetes. The SSL certificate is approved but not signed yet. The name of the signer appears on the certificate in Kubernetes. We run the command through which the requested signer signs the certificate. The command is:

>cat <<EOF | cfssl gencert  -initca - | cfssljson – bare ca

{

  "CN": "My Example Signer",
  "key": {
    "algo": "rsa",
    "size": 2048
  }


}

EOF

The command is run to sign the certificate digitally. Signer signs the requested certificates and updates the API status with the command, “SSL certificate.” We created a signing certificate by running the above command and the result is shown in the attached screenshot. A unique serial number has successfully been used to sign the certificate.

Step 8:  Create a JSON File to Issue a Certificate

After the certificate signing, we create a JSON file from which we issue a certificate. We will create a JSON file by running the following command with the attached screenshot:

> nano signingfile.json

After the command is executed, the JSON file is created as can be viewed in the screenshot below.

Step 9:  Use Server-Signing-config.json

In this step, we use the server-signing-config file that is in JSON to sign and issue the certificates. We run the command for certificate signing with a private key file.

> kubectl get csr my-svc.my-namespace -o jsonpath=’{.spec.request}| \ base64  --decode | \ cfssl sign  -ca ca.pem  -ca  ca-key ca-key.pem  -config server-signing-config.json | \ cfssljson -bare ca-signed-server

After this command, the certificate that is already defined in the json file is signed. This CSR’s serial number is generated. Here, we generate a signed serving certificate file named “ca-signed-server.pem.”

Step 10: Signed Certificate Upload in API Object

In this step, we upload the signed certificate to the pending API status that we saw above. The command for uploading is:

> kubectl get csr my-svc.my-namespace -o json | \  jq '.status.certificate = "

'
$(base64 ca-signed-server.pem | tr -d '\n')' " ' | \

> kubectl replace --raw /apis/certificates.k8s.io/v1/certificatesigningrequests/my-svc.my-   namespace/status -f -

When this command is executed, the signed certificate is successfully uploaded whenever the CSR is approved. The screenshot attached aboved shows us a JSON format that uploads the signed certificate as API objects.

Step 11: Enlist Approved Certificates in Kubernetes

We again run the command to show the approved certificates in Kubernetes.

> kubectl get csr

The certificate was approved and successfully issued, as shown in the screenshot above.

Step 12: Save the Certificate in the System

In this step, we will learn how to download the signed certificate and use it successfully in our system. We easily deploy the certificate on the server. The command is:

> kubectl get csr my-svc.my-namespace -o jsonpath='{.status.certificate}' \

| base64 --decode > server.crt

Step 13:  Populate the Certificate

In this step, we will learn how to populate the certificate on the server so that we can easily use the certificate for web security. We run the command:

kalsoom@kalsoom>kubectl create secret tls server --cert server.crt --key server-key.pem

The above-attached screenshot shows us that TLS secure or secret server is created successfully with name cert server.cr and having private key server-key.pem.

Step 14: Config Map the Certificate

In this step, we will configure the certificate to ensure that it is a secure serving certificate by running the command below:

>kubectl create configmap example-serving-ca --from-file ca.crt=ca.pem

As shown in the attached screenshot, the config map/example-serving-ca is successfully created in Kubernetes for a secure connection on the web server.

Conclusion

SSL certificates are used for providing security to Kubernetes applications on the web server. We explained every step-in detail for your understanding. You can also run the same commands on your Kubernetes application to install the SSL certificate.

About the author

Kalsoom Bibi

Hello, I am a freelance writer and usually write for Linux and other technology related content