Option 1: Run the command directly in the terminal
Use this when you only need to create the secret once.
Command
kubectl create secret tls cks-tls-secret \
  --cert=/Users/your-user/certs/fullchain.pem \
  --key=/Users/your-user/certs/privkey.pem \
  -n virtru
Notes
- Replace /Users/your-user/certs/fullchain.pem with the actual full path to your certificate file.
- Replace /Users/your-user/certs/privkey.pem with the actual full path to your private key file.
- If you are already in the same directory as the files, you can use:
kubectl create secret tls cks-tls-secret \
  --cert=./fullchain.pem \
  --key=./privkey.pem \
  -n virtru
Verify the secret
kubectl get secret -n virtru
You should see cks-tls-secret listed.
Option 2: Put the command into a shell script
Use this when you want to reuse the process or recreate the secret easily later.
Step 1: Create the script file
vim create-tls-secret.sh
Step 2: Add this content
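#!/bin/bash
# Delete the existing secret first so it can be recreated (error suppressed if it does not exist).
kubectl delete secret cks-tls-secret -n virtru 2>/dev/null
# Recreate the secret under the same name that values.yaml references.
kubectl create secret tls cks-tls-secret \
  --cert=/Users/your-user/certs/fullchain.pem \
  --key=/Users/your-user/certs/privkey.pem \
  -n virtru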
Step 3: Save the file
Press ESC on your keyboard, then enter
:wq!
Step 4: Make it executable
chmod +x create-tls-secret.sh
Step 5: Run it
./create-tls-secret.sh
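A pre-flight check that can run before the kubectl create step in either option, added here as an example and not part of the original page: it catches swapped --cert/--key files, a key file accessible to group or others, and a key that does not belong to the certificate. The function name preflight_tls_files and its return codes are assumptions; the key-match step runs only when openssl is installed.

```shell
#!/bin/bash
# Added example (not from the original page): pre-flight checks for the
# files passed to `kubectl create secret tls`. The function name and the
# return codes are assumptions made for this illustration.
preflight_tls_files() {
  pf_cert="$1"; pf_key="$2"
  for pf_f in "$pf_cert" "$pf_key"; do
    [ -r "$pf_f" ] || { echo "not readable: $pf_f" >&2; return 2; }
  done
  # --cert must point at a PEM certificate (catches swapped arguments).
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pf_cert" ||
    { echo "no PEM certificate in $pf_cert" >&2; return 3; }
  # A combined cert+key PEM would copy key material into tls.crt.
  if grep -q -- 'PRIVATE KEY-----' "$pf_cert"; then
    echo "$pf_cert also contains a private key" >&2; return 4
  fi
  grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pf_key" ||
    { echo "no PEM private key in $pf_key" >&2; return 5; }
  # Group/other permission bits on the key must all be clear (e.g. 0600).
  # -L follows symlinks so the real file's mode is checked.
  pf_mode=$(ls -lLd "$pf_key" | cut -c5-10)
  [ "$pf_mode" = "------" ] ||
    { echo "$pf_key is accessible to group/other; chmod 600 it" >&2; return 6; }
  # If openssl is installed, confirm the key belongs to the first (leaf)
  # certificate by comparing the public key derived from each file.
  if command -v openssl >/dev/null 2>&1; then
    pf_cpub=$(openssl x509 -in "$pf_cert" -noout -pubkey 2>/dev/null)
    pf_kpub=$(openssl pkey -in "$pf_key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$pf_cpub" ] || [ "$pf_cpub" != "$pf_kpub" ]; then
      echo "certificate and key do not match (or could not be parsed)" >&2
      return 7
    fi
  fi
  return 0
}
# Usage (paths are the page's placeholders):
#   preflight_tls_files ./fullchain.pem ./privkey.pem &&
#     kubectl create secret tls cks-tls-secret \
#       --cert=./fullchain.pem --key=./privkey.pem -n virtru
```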
Reference the secret in your Helm chart
After the secret is created, update your values.yaml:
tls:
  - secretName: cks-tls-secret
    hosts:
      - cks.yourdomain.com
Full ingress example:
ingress:
  enabled: true
  annotations:
    # kubernetes.io/ingress.class: nginx
  hosts:
    - host: cks.yourdomain.com
      paths:
        - path: /*
          pathType: ImplementationSpecific
          backend:
            serviceName: cks
            servicePort: 443
  tls:
    - secretName: cks-tls-secret
      hosts:
        - cks.yourdomain.com
Deploy the chart
helm upgrade --install cks . -n virtru -f values.yaml --create-namespace
Summary
Use the terminal command if you only need to create the secret once.
Use a script if you want something reusable for future certificate updates.
The important rule is:
- certificate files go into the Kubernetes TLS secret
- values.yaml only references the secret name