How to create secret TLS in Kubernetes

Kubernetes is an open-source tool used to execute and manage containerized applications inside a cluster. It performs various functions to control, run and secure the credentials of the application through incognito and logging.

Ingress is also used to manage incoming traffic to the application and for SSL termination. In contrast, secrets are used to store confidential information and TLS certificates for the application.

This post will clarify:

What are the Kubernetes secrets?

Secrets is one of the Kubernetes resources used to store confidential information such as user login credentials, keys, certificates or tokens. Secrets can be created individually and associated with pods. This prevents the developer from providing confidential data in the code and also provides an additional layer of security. Various types of secrets can be created and used. The most commonly used secrets are:

Common Secrets: Common secrets are used to store basic information like passwords, tokens, API keys, OAuth keys, etc.

TLS secrets: TLS secrets are used to store private keys and certificates signed by CAs. To ensure the security of applications running inside Kubernetes and secure communications within the cluster, the user usually needs to create and embed a TLS secret in the pod.

Docker Registry: It is used to store Docker registry credentials to easily pull images from the registry.

Prerequisite: Generate private key and certificate

To generate certificates and private keys for security improvements, use OpenSSL which generates CSRs (certificate signing requests) and private keys. Then, use the CSR to generate a self-signed or CA certificate.

To use OpenSSL commands on Windows, users are required to install Git. For this purpose, follow our link “Install Git on Windows” article.

After installing Git, follow the instructions below to generate the private key and signed certificate.

Step 1: Launch Git Bash Terminal

“Do a search for”git bash“In the Start menu and launch Terminal:

Use ” to check the current directoryPublic Works Department” Permission:

Currently, we are working in the %USERPROFILE% directory:

Step 2: Create New Directory

Create a new directory to save the certificate and private key:

Navigate to the newly created directory using “CD” Permission:

Step 3: Generate Private Key

Now, generate the private key through the given command. Here, the generated private key will be saved in “mycert.key,

openssl genpeak -Algorithm RSA -Outside mycert.key

Step 4: Generate CSR

To generate CSR (Certificate Service Request) to get signed certificate, use the given command:

openssl request -New -key mycert.key -Outside mycert.csr

Step 5: Prepare the Certificate

Finally, using the generated private key and CSR, create a certificate and save it in “mycert.crt” file. For this purpose, execute the command below:

openssl x509 -Demand -In mycert.csr -sinky mycert.key -Outside mycert.crt -Day 365

After creating the TLS certificate, the user can create the secret TLS by following the section below.

How to create secret TLS in Kubernetes?

To ensure application security and secure communications within and outside the Kubernetes cluster, TLS (Transport Layer Security) certificates are required which are used in encrypting data. Kubernetes secrets allows us to embed TLS certificates with running pods via secret TLS. To create a secret TLS in Kubernetes, follow the following instructions.

Step 1: Start the Minikube Cluster

To start the Minikube cluster, first, launch Windows PowerShell as administrator. After that, create and run the cluster using “minikube start” Permission:

Step 2: Get Nodes

Access the Kubernetes node to check if the cluster is started:

Step 3: Create secret TLS

Create TLS secret using “” in Kuberneteskubectl create secret <गुप्त-प्रकार> <गुप्त-नाम> –cert= -key=<पथ-से-निजी-कुंजी>“Command. Here, the secret type can be “General,TLS“, Or “docker-registry, To create a TLS secret, we set the secret type as “TLS”:

kubectl create secret tls demo-secret –cert=C:\Users\Dell\cert\mycert.crt –key=C:\Users\Dell\cert\mycert.key

Step 4: Get the Secret

For confirmation, list the Kubernetes secret using the given command:

Here, you can see that we have effectively created a “demo-secret” that contains “2“Data Value:

Step 5: Describe the mystery

To see how data is viewed or stored in a secret, use “Describe the secret”kubectl secrets <गुप्त-नाम> describes” Permission:

kubectl describes secret demo-secret

You can see that the values ​​are stored in bytes and cannot be viewed directly, unlike Kubernetes ConfigurationMaps:

How to create a secret TLS via yaml file?

To create a secret TLS via yaml file, first, create a “secret.yml“file, add TLS Base64 Encoded Certificate In “tls.crt” key, and add base64 encoded key In “tls.key,

For demonstration, follow the steps listed.

Step 1: Create Yaml File

Create a file namedsecret.ymlAnd paste the given code:

APIVersion, v1


, “Base64 Encoded Certificate”

, “base64 encoded key”

, Secret


, mytls-secret

, default


In the above snippet, replace the “tls.crt” and “tls.key” key values ​​with your root certificate and key values:

Step 2: Create a mystery

Now, apply the secret yaml file via “kubectl apply -f ” Permission:

apply kubectl -F secret.yml

The output shows that we have successfully “created”mytls-secret“Using yaml file:

Note: See TLS certificate and private key

To view the base64 encoded certificate and use it in the yaml file, run “Cat <पथ-से-प्रमाणपत्र फ़ाइल> , base 64Command in git bash terminal:

To view the Base64 encoded key, use “Cat <पथ-से-कुंजी फ़ाइल> , base 64” Permission:

How to embed covert TLS with Kubernetes pod?

After creating the secret TSL, the user can embed it with a Kubernetes pod. To do this, use the following instructions.

Step 1: Create Yaml File

Create a file namedpod.yml” file and paste the below snippet into the file:

API version: v1

Type: Pod


Name: demo-pod



– Name: html-cont

Image: raffia098,html-img:1.0

from env:

– Secret Reference:

Name: demo-secret

In the above snippet:

  • ,KindThe key specifies the Kubernetes resource the user is creating.
  • ,NameThe key will set the pod name.
  • ,containersThe key will store container information.
  • ,NameThe key under the “Containers” key will set the container name.
  • ,imageThe key will provide the application or container image to create and start the application inside the container.
  • ,envFromThe key will set environment variables from other Kubernetes resources. Here, to embed covert TLS into a pod, “secret reference” is used to provide secret context. To embed the TLS secret above, specify the name of the secret in the “Name” key.

Step 2: Create or upgrade a pod

Next, open the folder where “pod.yml“File has been created:

CD C:\Users\Dell\Documents\Kubernetes\Secret

“Apply yaml file to create or reconfigure a pod using”apply kubectl” Permission:

Step 3: Access Kubernetes Pods

To verify, list the Kubernetes pods:

Here, you can see that we have “made”demo-pod“Successfully:

Step 4: Describe the Pod

To check if a pod has embedded secret TLS, describe the pod using the command below:

Kubectl describes pod demo-pod

The output below shows that we have successfully embedded the TLS secret with the pod:

We've covered how to create secret TLS and embed it with a Kubernetes application running in a pod.


To create secret TLS in Kubernetes, first, create a TLS signing certificate and private key. After that, start the Kubernetes cluster and run “kubectl create secret <गुप्त-प्रकार> <गुप्त-नाम> –cert= -key=<पथ-से-निजी-कुंजी>” command. Users can also create secret TLS using yaml manifest. This post explains how to create a secret TLS and how to embed the secret with a running application or pod.

Add comment

By Ranjan