Configure TLS Secrets on K8s

TLS secrets

Axual services often require TLS to secure their network connections. This relies on certificate files being present in the client and server services at startup, so that each party can verify the identity of the other.

On Kubernetes, secrets in a specific format are sufficient to install our services, because the Axual Keystore Provider is part of their deployment. Keystore Provider is an initContainer that creates the certificate files from the TLS secrets, provided those secrets are in the expected format. That format is described in this section.

Certificate files

Client or server certificate secrets must consist of exactly two data entries. An example of a valid certificate secret follows:

apiVersion: v1
kind: Secret
metadata:
  name: example-secret
type: Opaque
data:
  tls.crt: ... (1)
  tls.key: ... (2)
(1) Base64 encoded certificate string
(2) Base64 encoded private key string

Truststore (CA) files

Truststore (CA) certificate secrets consist of an arbitrary number of key-value pairs. Each value is appended to the resulting truststore, which is then mounted into the service that uses it.

All CA certificate files must have a .crt extension.

An example of a valid CA secret follows:

apiVersion: v1
kind: Secret
metadata:
  name: example-ca-certificates
type: Opaque
data:
  axual_root_ca.crt: ...
  axual_intermediate_1_ca.crt: ...
  axual_intermediate_2_ca.crt: ...

In the above example, all the abbreviated string values are Base64 encoded strings.
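As an added example (not part of the Axual documentation or the Keystore Provider's own code), the script below builds both kinds of secret manifest described above from PEM text and checks that a manifest matches the layout the Keystore Provider expects: a certificate secret carries exactly `tls.crt` and `tls.key`, and a CA secret carries only `.crt` entries, each holding a certificate and no private key. The PEM strings are constructed placeholders, and the function names and the hand-rolled YAML renderer are this example's own choices.

```python
"""Build and validate Kubernetes secrets in the Keystore Provider layout (added example)."""
import base64
import binascii
import re

# Constructed placeholder PEM blobs: valid PEM framing, not real certificates or keys.
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBPLACEHOLDERCERTIFICATEBODY\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_KEY_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEPLACEHOLDERPRIVATEKEYBODY\n"
    "-----END PRIVATE KEY-----\n"
)
SAMPLE_CA_PEMS = {  # file-name keys as they must appear in the secret's data block
    "axual_root_ca.crt": SAMPLE_CERT_PEM.replace("BODY", "ROOT"),
    "axual_intermediate_1_ca.crt": SAMPLE_CERT_PEM.replace("BODY", "INT1"),
}

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
KEY_RE = re.compile(
    r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z ]+ )?PRIVATE KEY-----", re.S
)


def encode(pem: str) -> str:
    """Base64-encode PEM text, as `base64 -w0 file.pem` would for a data entry."""
    return base64.b64encode(pem.encode()).decode()


def decode(value: str):
    """Strictly decode a data entry; returns None if it is not valid base64 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _manifest(name: str, data: dict) -> dict:
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "Opaque", "data": data}


def certificate_secret(name: str, cert_pem: str, key_pem: str) -> dict:
    """Client/server certificate secret: exactly the tls.crt and tls.key entries."""
    return _manifest(name, {"tls.crt": encode(cert_pem), "tls.key": encode(key_pem)})


def ca_secret(name: str, ca_pems: dict) -> dict:
    """Truststore secret: one entry per CA certificate; every key must end in .crt."""
    bad = [k for k in ca_pems if not k.endswith(".crt")]
    if bad:
        raise ValueError(f"CA entries must use a .crt extension: {bad}")
    return _manifest(name, {k: encode(v) for k, v in ca_pems.items()})


def _common_problems(secret: dict) -> list:
    problems = []
    if secret.get("kind") != "Secret" or secret.get("apiVersion") != "v1":
        problems.append("not a v1 Secret")
    if secret.get("type") != "Opaque":
        problems.append("type must be Opaque")
    if not isinstance(secret.get("data"), dict) or not secret["data"]:
        problems.append("data block missing or empty")
    return problems


def validate_certificate_secret(secret: dict) -> list:
    """Return the list of problems; an empty list means the expected layout is met."""
    problems = _common_problems(secret)
    data = secret.get("data") or {}
    if set(data) != {"tls.crt", "tls.key"}:
        problems.append(f"data keys must be exactly tls.crt and tls.key, got {sorted(data)}")
        return problems
    crt, key = decode(data["tls.crt"]), decode(data["tls.key"])
    if crt is None or not CERT_RE.search(crt):
        problems.append("tls.crt is not base64-encoded PEM certificate text")
    if key is None or not KEY_RE.search(key):
        problems.append("tls.key is not base64-encoded PEM private key text")
    return problems


def validate_ca_secret(secret: dict) -> list:
    """Every entry must be a .crt holding certificate text and no private key."""
    problems = _common_problems(secret)
    for name, value in (secret.get("data") or {}).items():
        if not name.endswith(".crt"):
            problems.append(f"{name}: CA entries must have a .crt extension")
        pem = decode(value)
        if pem is None or not CERT_RE.search(pem):
            problems.append(f"{name}: not base64-encoded PEM certificate text")
        elif KEY_RE.search(pem):
            problems.append(f"{name}: contains a private key, which does not belong in a truststore")
    return problems


def to_yaml(secret: dict) -> str:
    """Render the manifest as YAML (hand-rolled so the example needs no extra packages)."""
    lines = [f"apiVersion: {secret['apiVersion']}", f"kind: {secret['kind']}", "metadata:",
             f"  name: {secret['metadata']['name']}", f"type: {secret['type']}", "data:"]
    lines += [f"  {k}: {v}" for k, v in secret["data"].items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_yaml(certificate_secret("example-secret", SAMPLE_CERT_PEM, SAMPLE_KEY_PEM)))
    print(to_yaml(ca_secret("example-ca-certificates", SAMPLE_CA_PEMS)))
```

Running the script prints two manifests in the same shape as the examples above, ready for `kubectl apply -f`. The validators are useful before deployment, since a secret with a mislabelled entry (a certificate placed under `tls.key`, a CA file named `.pem`, or a private key bundled into the truststore) would otherwise only surface as a failing initContainer.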