I am trying to connect my Kubernetes Cluster in Digital Ocean with a Managed Database.
I need to add the CA CERTIFICATE, which is a file with the extension .cer. Is this the right way to add this file/certificate to a secret?
apiVersion: v1
kind: Secret
metadata:
  name: secret-db-ca
type: kubernetes.io/tls
data:
  .tls.ca: |
    "<base64 encoded ~/.digitalocean-db.cer>"
How to create a secret from a certificate
The easiest and fastest way is to create the secret from the command line:
kubectl create secret generic secret-db-ca --from-file=.tls.ca=digitalocean-db.cer
Please note that the type of this secret is generic, not kubernetes.io/tls, because the tls one requires both keys to be provided: tls.key and tls.crt.
It is also possible to create the secret from a manifest; however, you will need to provide the full base64-encoded string in the data field and again use the type Opaque in the manifest (this is the same as generic from the command line). It will look like:
apiVersion: v1
kind: Secret
metadata:
  name: secret-db-ca
type: Opaque
data:
  .tls.ca: |
    LS0tLS1CRUdJTiBDRVJ..........
The option you tried to use is used for docker config files. Please see Docker config - secrets.
Note! I tested the above with a cer certificate.
DER (Distinguished Encoding Rules) is a binary encoding for X.509 certificates and private keys; they do not contain plain text (extensions .cer and .der). The secret was saved in etcd (generally speaking, the database for the Kubernetes cluster); however, there may be issues with the workability of secrets based on this type of certificate.
There is a chance that a different type/extension of certificate should be used (Digital Ocean has a lot of useful and good documentation).
Please refer to the secrets in Kubernetes page.
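The answer above stores the .cer file's bytes in an Opaque secret as-is and warns that a DER file may not be usable by the client that mounts it. The script below is an added example (not code from the question, the answer, or DigitalOcean): it detects whether a certificate file is PEM or DER, converts DER to the PEM armour most database clients expect, and emits the same kind of Opaque Secret manifest as the answer, with the data value being base64 of the file bytes. The data key ca.crt, the function names, and SAMPLE_DER (a constructed ASN.1 placeholder, not a real certificate) are this example's own choices.

```python
# Added example: normalise a CA certificate to PEM and build an Opaque Secret.
# Not from the original page; SAMPLE_DER is a constructed stand-in for a .cer file.
import base64
import re
import textwrap

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)
# Kubernetes only accepts Secret data keys made of these characters.
SECRET_KEY = re.compile(r"[-._a-zA-Z0-9]+")


def detect_encoding(blob: bytes) -> str:
    """Return 'pem' for a PEM-armoured certificate or 'der' for binary DER."""
    if blob.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE, tag byte 0x30.
    if blob[:1] == b"\x30":
        return "der"
    raise ValueError("input is neither PEM nor DER")


def der_to_pem(der: bytes) -> bytes:
    """Wrap raw DER bytes in PEM armour (base64 body folded at 64 columns)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode("ascii")


def pem_to_der(pem: bytes) -> bytes:
    """Inverse of der_to_pem; used to check that the conversion round-trips."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(match.group(1).split()))


def normalise_to_pem(blob: bytes) -> bytes:
    """Return the certificate as PEM regardless of the file's encoding."""
    return blob if detect_encoding(blob) == "pem" else der_to_pem(blob)


def build_secret(name: str, key: str, cert: bytes, namespace: str = "default") -> dict:
    """Build an Opaque Secret; the data value is base64 of the PEM bytes."""
    if not SECRET_KEY.fullmatch(key):
        raise ValueError(f"invalid secret data key: {key!r}")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key: base64.b64encode(normalise_to_pem(cert)).decode("ascii")},
    }


def decode_data(secret: dict, key: str) -> bytes:
    """Decode one data entry back to the bytes a pod would see when it is mounted."""
    return base64.b64decode(secret["data"][key])


def to_yaml(secret: dict) -> str:
    """Render the manifest; every value is a plain scalar, so no YAML library is needed."""
    lines = [
        f"apiVersion: {secret['apiVersion']}",
        f"kind: {secret['kind']}",
        "metadata:",
        f"  name: {secret['metadata']['name']}",
        f"  namespace: {secret['metadata']['namespace']}",
        f"type: {secret['type']}",
        "data:",
    ]
    lines += [f"  {k}: {v}" for k, v in secret["data"].items()]
    return "\n".join(lines) + "\n"


# Constructed stand-in for the bytes of a .cer file: a tiny ASN.1 SEQUENCE
# (tag 0x30) holding two INTEGERs. It is NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3006020101020102")


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    print(to_yaml(build_secret("secret-db-ca", "ca.crt", blob)), end="")
```

Run it as `python3 make_ca_secret.py digitalocean-db.cer > secret-db-ca.yaml` and apply the file with kubectl apply -f. Because the value stored is the PEM text, the file that lands in the pod can be pointed at directly by a client's CA option (for example sslrootcert for PostgreSQL), which is what fails when a binary DER file is mounted unchanged. A CA certificate carries no private key, so the manifest can be committed or reviewed without exposing key material.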