
Creating TLS Secrets

This guide explains how to create and manage Kubernetes Secrets for TLS certificates to secure your Flex Gateway with HTTPS.

Understanding TLS Secrets in Kubernetes

A Kubernetes Secret lets you make the CA-signed certificate available to your Flex Gateway. We'll create the secret using the native Kubernetes TLS secret type, kubernetes.io/tls.

Built-in Type     | Description
kubernetes.io/tls | Used to store TLS certificates and keys. The most common usage scenario is Ingress resource termination, but the tls type is also sometimes used with other resources.

TLS secrets contain both the certificate (which carries the public key) and the private key needed for HTTPS. Storing them as a Secret object lets Kubernetes hand the key material to the gateway at runtime instead of it being baked into container images or manifests.

Creating a TLS Secret

To create a TLS secret, you must be in the folder containing your certificate files:

  - Your private key file (e.g., your-domain.key)
  - Your certificate file (e.g., your-domain.crt)

Run the following command to create the secret:

kubectl -n <your-namespace> create secret tls <your-domain-tls> --key <your-domain>.key --cert <your-domain>.crt

This command creates and applies the secret to your cluster in one step. The --key and --cert parameters specify the paths to your certificate files.

Verifying the Secret

Verify that the secret was created successfully:

kubectl -n <your-namespace> get secret <your-domain-tls> -o yaml

This command displays the YAML representation of your secret, allowing you to confirm it was created correctly with the expected content.

Secret Structure

The secret that manages your TLS certificate should have a structure like this:

apiVersion: v1
kind: Secret
metadata:
  name: <your-domain-tls>
  namespace: <your-namespace>
data:
  tls.crt: <base64-crt>
  tls.key: <base64-key>
type: kubernetes.io/tls

Note that the certificate and key are stored as base64-encoded strings in the data section of the secret. Base64 is an encoding, not encryption: anyone who can read the Secret object can decode the private key, which is why access to it must be restricted.
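The creation, verification and structure steps above can be checked offline. The following is an added example, not code from the Flex Gateway or Kubernetes projects: build_tls_secret produces the same manifest shape that kubectl create secret tls generates from --key and --cert (base64 values under data), and validate_tls_secret applies the checks you would otherwise do by eye on kubectl get secret -o yaml, including mistakes the page's structure implies but does not spell out: wrong secret type, swapped files, a CSR uploaded instead of a certificate, or a passphrase-protected key. The PEM blobs and the names your-domain-tls and your-namespace are constructed placeholders.

```python
"""Build and validate a kubernetes.io/tls Secret manifest offline.

Added example (not Flex Gateway's or Kubernetes' own code). The PEM
bodies below are constructed placeholders, not real key material.
"""
import base64
import json
import re

# Constructed sample PEM files; the bodies are placeholder text.
SAMPLE_CRT = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUEXAMPLEcertificatebodyNOTREAL\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wEXAMPLEkeyNOTREAL\n"
    "-----END PRIVATE KEY-----\n"
)

# Accept PKCS#8, RSA and EC private keys; everything else is flagged.
CRT_HEADER = re.compile(r"^-----BEGIN CERTIFICATE-----$")
KEY_HEADER = re.compile(r"^-----BEGIN (RSA |EC )?PRIVATE KEY-----$")


def build_tls_secret(name, namespace, crt_pem, key_pem):
    """Return the manifest that
    `kubectl -n <namespace> create secret tls <name> --key ... --cert ...`
    produces: type kubernetes.io/tls, base64 values under data."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        "data": {
            "tls.crt": base64.b64encode(crt_pem.encode("ascii")).decode("ascii"),
            "tls.key": base64.b64encode(key_pem.encode("ascii")).decode("ascii"),
        },
    }


def decode_pem(secret, field):
    """Base64-decode one data field back to PEM text (what `base64 -d` on
    the output of kubectl get secret would give you). Raises ValueError on
    malformed base64."""
    raw = (secret.get("data") or {})[field]
    return base64.b64decode(raw, validate=True).decode("ascii")


def _first_line(pem):
    for line in pem.splitlines():
        if line.strip():
            return line.strip()
    return ""


def validate_tls_secret(secret):
    """Return a list of problems; an empty list means the secret is shaped
    the way the gateway expects (type, both keys, valid base64, and each
    value decoding to the right kind of PEM block)."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"type is {secret.get('type')!r}, expected 'kubernetes.io/tls'")
    data = secret.get("data") or {}
    checks = {
        "tls.crt": (CRT_HEADER, "a certificate"),
        "tls.key": (KEY_HEADER, "an unencrypted private key"),
    }
    for field, (header, what) in checks.items():
        if field not in data:
            problems.append(f"data.{field} is missing")
            continue
        try:
            pem = decode_pem(secret, field)
        except ValueError:
            problems.append(f"data.{field} is not valid base64")
            continue
        first = _first_line(pem)
        if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
            problems.append(f"data.{field} is passphrase-protected; the gateway cannot load it")
        elif first == "-----BEGIN CERTIFICATE REQUEST-----":
            problems.append(f"data.{field} holds a CSR, not {what}")
        elif not header.match(first):
            problems.append(f"data.{field} does not look like {what}: {first!r}")
    return problems


def to_manifest_json(secret):
    """JSON is valid input for `kubectl apply -f`, so no YAML library is needed."""
    return json.dumps(secret, indent=2)


if __name__ == "__main__":
    secret = build_tls_secret("your-domain-tls", "your-namespace", SAMPLE_CRT, SAMPLE_KEY)
    print(to_manifest_json(secret))
    print("problems:", validate_tls_secret(secret))
```

Run it to see the manifest and an empty problem list; feed validate_tls_secret the parsed output of kubectl get secret -o json (json.load) to check a secret that already exists in the cluster.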

Certificate Components

As a reminder:

TLS File | Type        | Description
crt      | Public Key  | The certificate file that is shared with clients
key      | Private Key | The private key that must be kept secure

The certificate (crt) is used to identify your service and encrypt traffic, while the private key (key) is used to decrypt incoming requests. The private key should never be shared.

Using the Secret with Flex Gateway

After creating the TLS secret, you can reference it in your Flex Gateway configuration to enable HTTPS:

apiVersion: gateway.mulesoft.com/v1alpha1
kind: ApiInstance
metadata:
  name: sample-api
spec:
  address: https://your-domain.com
  tls:
    secretName: <your-domain-tls>

This configuration tells Flex Gateway to use your TLS certificate for secure communication. The gateway will automatically load the certificate and private key from the specified secret.

Security Best Practices

  1. Rotate certificates before they expire
  2. Limit access to secrets with appropriate RBAC roles
  3. Use namespaces to isolate secrets between different environments
  4. Monitor secret usage in your cluster

Following these practices helps maintain the security of your TLS certificates and Flex Gateway deployments.