Creating TLS Certificates in a Cluster
In this first introductory course we will discover all the unmanaged certificates in a Kubernetes cluster. Visibility into these certificates helps us understand whether they are policy compliant, where they are used, and the potential for an outage if they are not managed correctly.
Before we start using TLS Protect for Kubernetes and see the value it brings, we will begin this first course by simply creating a couple of TLS certificates in Kubernetes.
Generate self-signed certificates using OpenSSL
In a directory of your choice, create a directory called jss-academy/course01
mkdir -p ~/jss-academy/course01
cd ~/jss-academy/course01
Change to directory jss-academy/course01 and run a couple of openssl commands as outlined below.
openssl req -x509 \
  -nodes -days 1 \
  -newkey rsa:2048 \
  -keyout tls1.key \
  -out tls1.crt \
  -subj "/C=GB/ST=London/L=London/O=My Org/OU=App Team-RSA2048/CN=foo2048.bar.com"
openssl req -x509 \
  -sha1 -nodes \
  -days 90 \
  -newkey rsa:512 \
  -keyout tls2.key \
  -out tls2.crt \
  -subj "/C=GB/ST=London/L=London/O=My Org/OU=App Team-RSA512/CN=foo512.bar.com"
This creates two self-signed certificates in your directory: tls1.crt, with a 2048-bit RSA key and a validity of one day, and tls2.crt, with a 512-bit RSA key signed with SHA-1 and a validity of 90 days. The second uses a key size and signature hash that a sensible certificate policy flags as non-compliant.
Create a namespace
kubectl create ns jss-academy || true
Create the first TLS Secret
kubectl -n jss-academy create secret tls jss-academy-tls01 --key="tls1.key" --cert="tls1.crt"
Create the second TLS Secret
kubectl -n jss-academy create secret tls jss-academy-tls02 --key="tls2.key" --cert="tls2.crt"
Validate that the TLS secrets have been created
kubectl get secrets -n jss-academy
You will see output similar to this:
NAME                  TYPE                                  DATA   AGE
default-token-fr79m   kubernetes.io/service-account-token   3      28s
jss-academy-tls01     kubernetes.io/tls                     2      15s
jss-academy-tls02     kubernetes.io/tls                     2      7s
NOTE:
In this course we will focus on the two TLS secrets that we just created. However, it is possible that you may see many more in the TLS Protect for Kubernetes dashboard if you use a Kubernetes cluster that already has TLS secrets. A good way to discover them!
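Before the dashboard does it for us, it is worth seeing what "policy compliant" means for the two certificates above. The following Go program is an example added here by the editor; it is not part of this course or of TLS Protect for Kubernetes. It reads PEM certificates (the tls1.crt and tls2.crt files, or the base64-decoded tls.crt entry of a kubernetes.io/tls Secret) and reports violations of an assumed policy: RSA keys of at least 2048 bits, no MD5 or SHA-1 signatures, and more than 30 days of validity left. The file name audit_tls.go, the thresholds and the function names are the example's own assumptions. Go is used because X.509 parsing is in its standard library and it is the language of the Kubernetes ecosystem.

```go
// audit_tls.go: an example added to this course, not part of TLS Protect for
// Kubernetes. It applies an assumed policy (RSA >= 2048 bits, no MD5/SHA-1
// signatures, more than 30 days of validity left) to PEM-encoded certificates.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

const MinRSABits, MinDaysLeft = 2048, 30 // policy thresholds assumed for this example

// Finding is one policy violation for one certificate.
type Finding struct{ Subject, Reason string }

// ParsePEMCertificate returns the first CERTIFICATE block in pemData, skipping other blocks.
func ParsePEMCertificate(pemData []byte) (*x509.Certificate, error) {
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			return x509.ParseCertificate(block.Bytes)
		}
	}
	return nil, fmt.Errorf("no CERTIFICATE block found")
}

// EvaluateCertificate checks cert against the policy as of time now and returns
// the violations in a fixed order: key size, signature algorithm, validity.
func EvaluateCertificate(cert *x509.Certificate, now time.Time) []Finding {
	var findings []Finding
	add := func(format string, args ...any) {
		findings = append(findings, Finding{cert.Subject.String(), fmt.Sprintf(format, args...)})
	}
	// Key size: only RSA is checked here; other key types pass this check untouched.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < MinRSABits {
		add("RSA key is %d bits, policy minimum is %d", pub.N.BitLen(), MinRSABits)
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		add("weak signature algorithm %s", cert.SignatureAlgorithm)
	}
	if now.After(cert.NotAfter) {
		add("expired on %s", cert.NotAfter.UTC().Format(time.RFC3339))
	} else if left := cert.NotAfter.Sub(now); left < MinDaysLeft*24*time.Hour {
		add("expires in %.1f days, inside the %d-day renewal window", left.Hours()/24, MinDaysLeft)
	}
	return findings
}

// SelfSignedPEM builds a self-signed RSA certificate like the openssl commands above.
// Constructed demo material only; recent Go versions refuse RSA keys below 1024 bits,
// so the non-compliant demo certificate uses 1024 bits rather than 512.
func SelfSignedPEM(cn string, bits int, validFor time.Duration) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"My Org"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// "go run audit_tls.go tls1.crt tls2.crt" audits those files; with no
	// arguments two constructed certificates (one compliant, one not) are used.
	inputs := map[string][]byte{}
	for _, path := range os.Args[1:] {
		inputs[path], _ = os.ReadFile(path) // an unreadable file shows up as a parse error below
	}
	if len(inputs) == 0 {
		inputs["demo-compliant"], _ = SelfSignedPEM("foo2048.bar.com", 2048, 90*24*time.Hour)
		inputs["demo-noncompliant"], _ = SelfSignedPEM("foo1024.bar.com", 1024, 24*time.Hour)
	}
	for name, data := range inputs {
		cert, err := ParsePEMCertificate(data)
		if err != nil {
			fmt.Printf("%s: %v\n", name, err)
			continue
		}
		findings := EvaluateCertificate(cert, time.Now())
		if len(findings) == 0 {
			fmt.Printf("%s: %s: OK\n", name, cert.Subject)
		}
		for _, f := range findings {
			fmt.Printf("%s: %s: FAIL: %s\n", name, f.Subject, f.Reason)
		}
	}
}
```

Run it from the course directory with go run audit_tls.go tls1.crt tls2.crt: tls1.crt is reported because it expires within a day, and tls2.crt because of its 512-bit key and SHA-1 signature. To audit a Secret rather than a file, extract the certificate first, for example kubectl -n jss-academy get secret jss-academy-tls02 -o jsonpath='{.data.tls\.crt}' | base64 -d > tls02.crt, and pass that file to the program.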