
Commit a0adb7f

Merge pull request #41786 from 123MwanjeMike/patch-1
Expound on when to use 'data' and 'stringData' fields in 'kubernetes.io/tls' type secrets
2 parents 04b135a + 8e5e4bc commit a0adb7f

File tree

1 file changed

+7
-16
lines changed
  • content/en/docs/concepts/configuration


content/en/docs/concepts/configuration/secret.md

Lines changed: 7 additions & 16 deletions
@@ -441,6 +441,8 @@ When using this type of Secret, the `tls.key` and the `tls.crt` key must be prov
441441
in the `data` (or `stringData`) field of the Secret configuration, although the API
442442
server doesn't actually validate the values for each key.
443443

444+
As an alternative to using `stringData`, you can use the `data` field to provide the base64 encoded certificate and private key. Refer to [Constraints on Secret names and data](#restriction-names-data) for more on this.
445+
444446
The following YAML contains an example config for a TLS Secret:
445447

446448
```yaml
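Review bot: The added sentence at line 444 ("As an alternative to using `stringData`, you can use the `data` field to provide the base64 encoded certificate and private key") repeats what the unchanged line 441 already says ("in the `data` (or `stringData`) field") and leaves the key question open: what exactly is base64-encoded. Since the removed note in the last hunk told readers to drop the PEM BEGIN/END lines, the new sentence should state explicitly that `data` holds the base64 encoding of the same PEM text that the `stringData` example shows, armor lines included, so a reader does not keep stripping them. Consider folding it into line 441 rather than adding a second sentence about the same two fields.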
@@ -449,11 +451,13 @@ kind: Secret
449451
metadata:
450452
name: secret-tls
451453
type: kubernetes.io/tls
452-
data:
454+
stringData:
453455
# the data is abbreviated in this example
454456
tls.crt: |
457+
--------BEGIN CERTIFICATE-----
455458
MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
456459
tls.key: |
460+
-----BEGIN RSA PRIVATE KEY-----
457461
MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
458462
```
459463

@@ -471,21 +475,8 @@ kubectl create secret tls my-tls-secret \
471475
--key=path/to/key/file
472476
```
473477

474-
The public/private key pair must exist before hand. The public key certificate
475-
for `--cert` must be DER format as per
476-
[Section 5.1 of RFC 7468](https://datatracker.ietf.org/doc/html/rfc7468#section-5.1),
477-
and must match the given private key for `--key` (PKCS #8 in DER format;
478-
[Section 11 of RFC 7468](https://datatracker.ietf.org/doc/html/rfc7468#section-11)).
479-
480-
{{< note >}}
481-
A kubernetes.io/tls Secret stores the Base64-encoded DER data for keys and
482-
certificates. If you're familiar with PEM format for private keys and for certificates,
483-
the base64 data are the same as that format except that you omit
484-
the initial and the last lines that are used in PEM.
485-
486-
For example, for a certificate, you do **not** include `--------BEGIN CERTIFICATE-----`
487-
and `-------END CERTIFICATE----`.
488-
{{< /note >}}
478+
The public/private key pair must exist before hand. The public key certificate for `--cert` must be .PEM encoded
479+
and must match the given private key for `--key`.
489480

490481
### Bootstrap token Secrets
491482
