Introduction
This guide provides an overview of how to use Kubernetes Secrets for certificate management in Terraform Enterprise.
Expected Outcome
After following this guide, you will be able to:
- Successfully store and manage TLS/SSL certificates in Kubernetes Secrets.
- Implement certificate rotation for your Terraform Enterprise instance.
Prerequisites
- A TLS certificate and corresponding private key for your Terraform Enterprise instance's fully qualified domain name (FQDN), such as my-tfe.example.com.
- The certificate and key must be in separate PEM-formatted files (e.g., cert.pem and key.pem).
- The private key must not be password-protected.
Procedure
Step 1: Create the Initial Certificate Secret
This method involves creating the secrets directly from the command line interface (CLI) using kubectl. Once you have the correct certificate and private key, run the following command to create the secret.
$ kubectl create secret tls tfe-certs \
    --namespace=<TFE_NAMESPACE> \
    --cert=path/to/tls.crt \
    --key=path/to/tls.key
The command creates a Kubernetes Secret with the following structure.
apiVersion: v1
kind: Secret
metadata:
  name: tfe-certs
  namespace: <TFE_NAMESPACE>
type: kubernetes.io/tls
data:
  tls.crt: |
    <base64-encoded TFE certificate>
  tls.key: |
    <base64-encoded TFE private key>
Next, update your configuration files to reference the secret. In the Terraform Enterprise Helm Chart, reference this secret in your values.yaml file.
tls:
  certificateSecret: tfe-certs
Step 2: Update the Certificate Secret
To update the secret with a new certificate, obtain your new TFE TLS certificate and key from your Certificate Authority in the PEM format. Ensure the private key is not password protected.
Run the following command to perform an in-place update of the existing Kubernetes secret. This command uses --dry-run to generate the new secret manifest and pipes it to kubectl apply for an idempotent update.
$ kubectl create secret tls tfe-certs \
    --namespace=<TFE_NAMESPACE> \
    --cert=path/to/your/new/tls.crt \
    --key=path/to/your/new/tls.key \
    --dry-run=client -o yaml | kubectl apply -f -
The new TLS certificate will be active the next time your Terraform Enterprise pods are rescheduled or restarted. To apply the change immediately, perform a rolling restart of the deployment.
$ kubectl rollout restart deployment terraform-enterprise --namespace=<TFE_NAMESPACE>
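The following helper is an added example, not part of this guide or of HashiCorp's tooling. It checks the prerequisites above (PEM-formatted files, a private key that is not password-protected and, when openssl is installed, a key that actually belongs to the certificate) before running the Step 2 update and the rolling restart, so a bad pair is never written into the Secret. The function names check_tls_pair and rotate_tfe_cert and the KUBECTL override variable are assumptions made for this example.

```shell
#!/bin/sh
# Pre-flight checks and rotation helper for the tfe-certs Secret (added example).
# kubectl is read from $KUBECTL so the rotation can be dry-run with a stub.
set -u

# Return 0 only if CERT is a PEM certificate and KEY is a PEM private key
# that is not password-protected. If openssl is available, also confirm
# that the public key in the certificate equals the public key of KEY.
check_tls_pair() {
  cert="$1"; key="$2"
  if ! grep -q '^-----BEGIN CERTIFICATE-----' "$cert"; then
    echo "ERROR: $cert is not a PEM certificate" >&2; return 1
  fi
  # PKCS#8 encrypted keys use their own header; legacy PEM keys carry a
  # Proc-Type: 4,ENCRYPTED line after the BEGIN header.
  if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$key"; then
    echo "ERROR: $key is password-protected" >&2; return 1
  fi
  if ! grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$key"; then
    echo "ERROR: $key is not a PEM private key" >&2; return 1
  fi
  if command -v openssl >/dev/null 2>&1; then
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
      echo "ERROR: $key does not belong to $cert" >&2; return 1
    fi
  fi
  return 0
}

# Create or update tfe-certs idempotently with the dry-run | apply pattern
# from Step 2, then restart the deployment so pods load the new certificate.
rotate_tfe_cert() {
  ns="$1"; cert="$2"; key="$3"
  kubectl_bin="${KUBECTL:-kubectl}"   # assumption: override for testing
  check_tls_pair "$cert" "$key" || return 1
  "$kubectl_bin" create secret tls tfe-certs \
      --namespace="$ns" --cert="$cert" --key="$key" \
      --dry-run=client -o yaml | "$kubectl_bin" apply -f - || return 1
  "$kubectl_bin" rollout restart deployment terraform-enterprise --namespace="$ns"
}
```

Run as `rotate_tfe_cert <TFE_NAMESPACE> path/to/new/tls.crt path/to/new/tls.key`; the restart is skipped whenever the pre-flight check fails.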