Enterprise Kubernetes, delivered

Tectonic ships with CoreOS's signature automated operations, runs multi-cloud, and is the fastest, most secure path to Kubernetes.

Deploying Secure Authentication and TLS encryption

This document explains the process of deploying the Tectonic Identity and Console services protected by TLS. After completing the steps below, you will be able to continue with the secure deployment of the Tectonic services.


A PostgreSQL database must be available for metadata storage. We currently recommend running this database server outside of the cluster to simplify persisting the data stored there.

You will need TLS certificate/key pairs for Console, Identity, and possibly for your Certificate Authority (CA). These files will be converted to the Kubernetes secret format in this guide. If you need to create these files, see this quick guide to cluster TLS from the CA up.

Create Secrets from TLS Certificates

Kubernetes Secret objects are used to configure Tectonic services with the necessary TLS components. The next steps convert the PEM-formatted TLS certificate/key pairs to be used by the Identity and Console services into the format expected by the Kubernetes API. The generate-secrets-from-file.sh script implements the secrets specification by base64-encoding data in the given source file and wrapping the result in the necessary YAML boilerplate to feed to kubectl.

Convert the certificate/key pair for Identity into a Kubernetes secret.

The generate-secrets script takes the following arguments:

generate-secrets-from-file.sh secret out key,in [ key,in [...] ]

where secret is the secret's name, out is the output file to be written, and key,in represent a pair of key and the input file containing the source data for the key.

Given TLS certificate/key pairs for the Identity service in files identity.pem and identity-key.pem, we can produce a secret-format YAML file by invoking:

$ ./generate-secrets-from-file.sh tectonic-identity-cert tectonic-identity-cert.yml cert,identity.pem key,identity-key.pem

Load the Identity TLS Secret Into Your Cluster

$ kubectl create -f tectonic-identity-cert.yml

Convert the Certificate/Key Pair for Console into a Kubernetes Secret

$ ./generate-secrets-from-file.sh tectonic-console-cert tectonic-console-cert.yml cert,console.pem key,console-key.pem

$ kubectl create -f tectonic-console-cert.yml

(Optional) Certificate Authority Secret

If deploying with a private CA, you'll need to create and load a secret for your CA certificate/key pair (and any intermediaries) so that your cluster can trust the certificate chain to the Identity and Console services.

$ ./generate-secrets-from-file.sh tectonic-ca-cert tectonic-ca-cert.yml cert,ca.pem
$ kubectl create -f tectonic-ca-cert.yml