Introduction
This guide provides an overview of how to use Kubernetes Secrets for certificate management in Terraform Enterprise.
Expected Outcome
After following this guide, you will be able to:
- Successfully store and manage TLS/SSL certificates in Kubernetes Secrets
- Implement certificate rotation
Prerequisites (if applicable)
- The TLS certificate and private key must match the chosen fully qualified domain name (FQDN) of your TFE instance (e.g. my-tfe.example.com). You should have two separate files: one for the certificate (e.g. cert.pem) and one for the private key (e.g. key.pem). Both must be in PEM format, and the private key must not be password protected.
Procedure
Creating the Certificate Secret
This method creates the Secret directly from the CLI with kubectl.
Once you have the correct certificate and private key in PEM format, use the following command to create the secret:
kubectl create secret tls tfe-certs \
  --namespace=<TFE_NAMESPACE> \
  --cert=path/to/tls.crt \
  --key=path/to/tls.key
For visual representation, here is what the created Secret's manifest looks like:
apiVersion: v1
kind: Secret
metadata:
  name: tfe-certs
  namespace: <TFE_NAMESPACE>
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded TFE certificate>
  tls.key: <base64-encoded TFE private key>
Note that the data values are only base64-encoded, not encrypted: anyone with get or list permission on Secrets in <TFE_NAMESPACE> can recover the private key, so restrict that RBAC accordingly and enable encryption at rest for Secrets in your cluster.
Update your configuration files to reference the secret. In the Terraform Enterprise Helm Chart, this can be referenced in your values YAML file with:
tls:
  certificateSecret: tfe-certs
Updating the Certificate Secret
To later update this secret, obtain your new TFE TLS certificate and private key from your Certificate Authority in PEM format, ensuring that the private key is not password protected. Keep the same Secret name (tfe-certs) so that the Helm values continue to reference it.
Run the following command to update your existing Kubernetes secret for your TFE TLS certificates. A plain kubectl create would fail because the Secret already exists, so the manifest is rendered with --dry-run=client and piped into kubectl apply, which replaces the existing data in place:
kubectl create secret tls tfe-certs \
  --namespace=<TFE_NAMESPACE> \
  --cert=path/to/your/new/tls.crt \
  --key=path/to/your/new/tls.key \
  --dry-run=client -o yaml | kubectl apply -f -
Running pods do not pick up the new certificate on their own; it takes effect the next time your TFE pod(s) are rescheduled or restarted. To cleanly restart Terraform Enterprise, run: kubectl rollout restart deployment terraform-enterprise
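The script below is an added example for this article, not part of HashiCorp's Helm chart or documentation. It turns the prerequisites and the rotation step above into checks you can run before either the initial kubectl create or the dry-run/apply update: the private key loads without a passphrase, the key belongs to the certificate, the certificate covers the TFE FQDN, and it is not about to expire. The file names, the 14-day expiry threshold, the script name and the self-signed sample pair it generates for the demo are assumptions of the example; kubectl is only printed, never executed.

```shell
#!/bin/sh
# tfe-cert-preflight.sh: sanity-check a certificate/key pair before it is loaded
# into the tfe-certs Secret (initial creation or rotation). Added example for this
# article, not HashiCorp code. Assumes openssl 1.1.1+ on PATH and PEM inputs;
# the kubectl command is only printed, never executed.

# 0 if the private key loads without a passphrase (TFE needs an unencrypted key).
key_is_unencrypted() {
  # Traditional PEM marks encryption with "Proc-Type: 4,ENCRYPTED";
  # PKCS#8 uses an "ENCRYPTED PRIVATE KEY" block. Both contain ENCRYPTED.
  if grep -q 'ENCRYPTED' "$1"; then return 1; fi
  openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# 0 if the certificate's public key is the one derived from the private key.
pair_matches() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
             | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate covers the FQDN via a SAN dNSName (CN fallback), wildcard-aware.
cert_covers_fqdn() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# 0 if the certificate remains valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate file (colon-separated hex).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Fingerprint of the certificate actually served on host:port after the rollout
# (needs network access; not exercised by the offline demo).
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Run every check, print one line per check, return the number of failures.
preflight() {
  cert=$1; key=$2; fqdn=$3; failures=0
  for check in "key_is_unencrypted $key" "pair_matches $cert $key" \
               "cert_covers_fqdn $cert $fqdn" "cert_valid_for_days $cert 14"; do
    if $check; then echo "ok   $check"; else echo "FAIL $check"; failures=$((failures + 1)); fi
  done
  return $failures
}

# Constructed sample input: a throwaway self-signed cert for FQDN $2 written into $1.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$1/tls.key" -out "$1/tls.crt" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

main() {
  if [ $# -eq 3 ]; then
    # Real usage: tfe-cert-preflight.sh tls.crt tls.key my-tfe.example.com
    preflight "$1" "$2" "$3" || exit 1
    echo "Checks passed; certificate fingerprint $(cert_fingerprint "$1")"
    echo "kubectl create secret tls tfe-certs --namespace=<TFE_NAMESPACE> --cert=$1 --key=$2"
    return 0
  fi
  # No arguments: demonstrate on the constructed sample pair in a temp directory.
  tmp=$(mktemp -d)
  make_sample_pair "$tmp" my-tfe.example.com
  preflight "$tmp/tls.crt" "$tmp/tls.key" my-tfe.example.com
  rm -rf "$tmp"
}

main "$@"
```

Run it with no arguments to watch it exercise the constructed sample; with certificate, key and FQDN arguments it validates real files and prints the create command from the procedure above (append --dry-run=client -o yaml | kubectl apply -f - for a rotation). After the rollout restart, comparing served_fingerprint my-tfe.example.com 443 with cert_fingerprint on the new tls.crt confirms that the pods are serving the rotated certificate rather than the old one.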