Mount SSL certificates in the Pod with Kubernetes secret

In a Kubernetes environment with multiple worker nodes, it is not ideal to mount local storage as a volume the way we do with docker -v hostpath:containerpath

If you need to make external files available in a Kubernetes Pod, you can use a Kubernetes Secret

Encode your ssl certs with base64

I assume that you have two SSL files: the private key nginx.key and the certificate nginx.crt. Create a base64-encoded version of both files. I trimmed the output for readability.

$ base64 nginx.key 
LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2QUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktZd2dnU2lBZ0VBQW9JQkFRQ1lrL2hMaEMzalh2Y3kKUHY1VDdNcU1OMWR5STlQNVM5MlpUUllNT1VZb2JiUXREeE1KbWxMd3g4c0owQURlWjVzTWRSQkYwWjJzNVBrMApHL3V2d2c2c2JpSTFCaXVqaVBzdnRwWVpIaC9nZVdJUG5zSlk5dWpJenFyZ3Q0UUoxNzkvRjhncjliVUpJdlNQCnZ2YTQycjRFMEdoUzFnaVNUWENSbk…
$ base64 nginx.crt 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHRENDQWdBQ0NRRHJDajdxWHFhR1VqQU5CZ2txaGtpRzl3MEJBUXN…

Create a ssl secret file

$ cat ssl.secret
apiVersion: v1
data:
  nginx.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2QUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktZd2dnU2lBZ0VBQW9JQkFRQ1lrL2hMaEMzalh2Y3kKUHY1VDdNcU1OMWR5STlQNVM5MlpUUllNT1VZb2JiUXREeE1KbWxMd3g4c0owQURlWjVzTWRSQkYwWjJzNVBrMApHL3V2d2c2c2JpSTFCaXVqaVBzdnRwWVpIaC9nZVdJUG5zS....
  nginx.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHRENDQWdBQ0NRRHJDajdxWHFhR1VqQU5CZ2txaGtpRzl3MEJBUXN….
kind: Secret
metadata:
  name: nginx-ssl
type: Opaque

Mount nginx-ssl secret in the nginx deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        volumeMounts:
        - mountPath: "/etc/nginx/ssl"
          name: nginx-ssl
          readOnly: true
        ports:
        - containerPort: 80
      volumes:
      - name: nginx-ssl
        secret:
          secretName: nginx-ssl
      restartPolicy: Always

This mount creates two files, nginx.key and nginx.crt, under the /etc/nginx/ssl directory in the pod. If you used key names other than nginx.crt and nginx.key in the Secret, the files will be named after your keys.
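The encoding and ssl.secret steps above as one script, added here as an example and not part of the original post. The function names and the script name make-ssl-secret.sh are assumptions; the data keys nginx.key and nginx.crt are kept because they become the file names under /etc/nginx/ssl.

```shell
#!/bin/sh
# Added example (not from the original post): build ssl.secret from the two files.

# Encode a file as ONE base64 line. GNU base64 wraps at 76 columns by default and
# a wrapped value cannot be pasted as a one-line YAML scalar; stripping newlines
# works with both GNU and BSD/macOS base64.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# True when the first line is a PEM header such as -----BEGIN CERTIFICATE-----
is_pem() {
    head -n 1 "$1" | grep -q '^-----BEGIN [A-Z ]*-----$'
}

# make_ssl_secret KEY CRT OUT [NAME]  (NAME defaults to the page's nginx-ssl)
make_ssl_secret() {
    key=$1 crt=$2 out=$3 name=${4:-nginx-ssl}
    for f in "$key" "$crt"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        is_pem "$f" || { echo "$f is not PEM" >&2; return 1; }
    done
    # base64 is an encoding, not encryption: the manifest contains the private
    # key, so create it readable by the owner only.
    (
        umask 077
        cat > "$out" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  nginx.key: $(b64_oneline "$key")
  nginx.crt: $(b64_oneline "$crt")
EOF
    )
}

# secret_value MANIFEST DATAKEY: decode one value back out, to verify a round trip
secret_value() {
    sed -n "s/^  $2: //p" "$1" | base64 -d
}

# Usage: sh make-ssl-secret.sh nginx.key nginx.crt ssl.secret
if [ "$#" -ge 3 ]; then
    make_ssl_secret "$@"
fi
```

Load the result with kubectl apply -f ssl.secret, and keep the generated file out of version control since it carries the private key.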

Ismail YENIGUL
Devops Engineer at Feedstock Inc.