kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #41786 from 123MwanjeMike/patch-1 

Expound on when to use 'data' and 'stringData' fields in 'kubernetes.io/tls' type secrets
pull/42114/head
Kubernetes Prow Robot 2023-08-24 09:26:21 -07:00 committed by GitHub
parent 04b135af90 8e5e4bc8e6
commit a0adb7f127
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
content/en/docs/concepts/configuration/secret.md
View File

@ -441,6 +441,8 @@ When using this type of Secret, the `tls.key` and the `tls.crt` key must be prov
in the `data` (or `stringData`) field of the Secret configuration, although the API in the `data` (or `stringData`) field of the Secret configuration, although the API
server doesn't actually validate the values for each key. server doesn't actually validate the values for each key.
As an alternative to using `stringData`, you can use the `data` field to provide the base64 encoded certificate and private key. Refer to [Constraints on Secret names and data](#restriction-names-data) for more on this.
The following YAML contains an example config for a TLS Secret: The following YAML contains an example config for a TLS Secret:
```yaml ```yaml
@ -449,11 +451,13 @@ kind: Secret
metadata: metadata:
name: secret-tls name: secret-tls
type: kubernetes.io/tls type: kubernetes.io/tls
data: stringData:
# the data is abbreviated in this example # the data is abbreviated in this example
tls.crt: | tls.crt: |
--------BEGIN CERTIFICATE-----
MIIC2DCCAcCgAwIBAgIBATANBgkqh ... MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
tls.key: | tls.key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ... MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
``` ```
@ -471,21 +475,8 @@ kubectl create secret tls my-tls-secret \
--key=path/to/key/file --key=path/to/key/file
``` ```
The public/private key pair must exist before hand. The public key certificate The public/private key pair must exist before hand. The public key certificate for `--cert` must be .PEM encoded
for `--cert` must be DER format as per and must match the given private key for `--key`.
[Section 5.1 of RFC 7468](https://datatracker.ietf.org/doc/html/rfc7468#section-5.1),
and must match the given private key for `--key` (PKCS #8 in DER format;
[Section 11 of RFC 7468](https://datatracker.ietf.org/doc/html/rfc7468#section-11)).
{{< note >}}
A kubernetes.io/tls Secret stores the Base64-encoded DER data for keys and
certificates. If you're familiar with PEM format for private keys and for certificates,
the base64 data are the same as that format except that you omit
the initial and the last lines that are used in PEM.
For example, for a certificate, you do **not** include `--------BEGIN CERTIFICATE-----`
and `-------END CERTIFICATE----`.
{{< /note >}}
### Bootstrap token Secrets ### Bootstrap token Secrets