Configure TLS Certificates for Kasm on Kubernetes
Kasm requires TLS for secure communication between its components. For your Kasm Kubernetes deployment to function correctly, you must create and add a certificate secret to the Kasm namespace. This guide covers the three most common methods for creating and managing your TLS secret.
Options for Creating Your Certificate Secret
- Use cert-manager (Recommended)
- Manually create a self-signed certificate
- Upload a certificate from a Certificate Authority (CA)
Before you begin:
- Ensure you know which Kubernetes namespace your Kasm deployment uses ({NAMESPACE} is used in this document).
- Decide if you'll use cert-manager or manage your own certificate files.
Using cert-manager (Recommended)
If your cluster has cert-manager installed, you can let cert-manager automatically create and manage your TLS secret. The Helm chart is already configured for this scenario. You will need to know the name and kind of your issuer, then pick a secret name.
- Open your values.yaml file and locate the certificate block:

      certificate:
        secretName: {SECRET-NAME}
        certManager:
          enabled: true
          addWildCard: true
          issuerName: {ISSUER-NAME}
          issuerKind: ""
          issuerGroup: ""
          annotations: {}
          labels: {}

- Copy and paste the block to your my-values.yaml
- Apply any modifications you would like to make.
- Deploy or update your Helm release as usual.
The following table describes the fields available for configuring the certificate:
| Field | Description |
|---|---|
| secretName | The name of the Kubernetes secret where the certificate is stored. cert-manager will create and manage this secret automatically. |
| certManager.enabled | Set to true to enable cert-manager integration. |
| certManager.addWildCard | When true, adds a wildcard SAN (*.{publicAddr}) to the generated certificate. |
| certManager.issuerName | The name of the cert-manager Issuer or ClusterIssuer to use for certificate issuance. |
| certManager.issuerKind | The kind of the cert-manager issuer. Leave empty to default to Issuer. Set to ClusterIssuer if using a cluster-wide issuer. |
| certManager.issuerGroup | The API group of the issuer. Leave empty to default to cert-manager.io. |
| certManager.annotations | Additional annotations to add to the Certificate resource. |
| certManager.labels | Additional labels to add to the Certificate resource. |
See the cert-manager documentation for details on configuring Issuers and ClusterIssuers.
If you have already deployed Kasm using the Helm chart, remember to update your values file according to the instructions in the installation guide.
Manually Creating a Self-Signed Certificate
If you do not use cert-manager, you can generate a self-signed certificate and create a Kubernetes secret manually. There are two options:
- Use the example script below (copy-paste and run):

      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout tls.key -out tls.crt \
        -subj "/CN=kasm.example.com/O=Kasm Self-Signed"

- Follow the guide in the official Kubernetes documentation
Filename requirements for this chart:
- Certificate file: tls.crt
- Key file: tls.key
- CA certificate (optional, for custom CAs): ca.crt
Upload a Certificate from a Different Certificate Authority (CA)
If you already have a certificate from your organization's CA or a public CA:
- Obtain/export your certificate (tls.crt), key (tls.key), and optional CA certificate (ca.crt).
- Continue to the Adding the Generated TLS Secret to Kubernetes section below.
Adding the Generated TLS Secret to Kubernetes
Run the following commands, substituting your values:
# Set your secret and namespace names
SECRET_NAME="kasm-cert-secret"
NAMESPACE="kasm-ns"
# Create a TLS secret (cert + key only):
kubectl create secret tls $SECRET_NAME \
--cert=tls.crt \
--key=tls.key \
--namespace $NAMESPACE
# If you need to include a CA certificate as well:
kubectl create secret generic $SECRET_NAME \
--from-file=tls.crt=/path/to/tls.crt \
--from-file=tls.key=/path/to/tls.key \
--from-file=ca.crt=/path/to/ca.crt \
--namespace $NAMESPACE
The Helm chart expects the certificate.secretName in your my-values.yaml to match the secret you just created. You can also set this at install/upgrade time by adding the following in your my-values.yaml:
certificate:
  secretName: {SECRET-NAME}
If you have already deployed Kasm using the Helm chart, remember to update your values file according to the instructions in the installation guide.
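A pre-flight check to run on tls.crt and tls.key before the kubectl commands above, added here as an example and not part of the Kasm chart or its documentation; the function names, the script name and the 30-day threshold are assumptions. It confirms that the key matches the certificate, that the certificate is not close to expiry, and that the hostname is covered by a DNS subjectAltName, which a certificate generated with only -subj "/CN=..." does not contain.

```shell
#!/bin/sh
# Added example: pre-flight checks for the tls.crt / tls.key pair.
# Function names and the 30-day threshold are assumptions, not chart settings.
# Usage: sh check-tls.sh tls.crt tls.key kasm.example.com

# The private key and the certificate must carry the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The certificate must remain valid for at least $2 more days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# The hostname must be covered by a DNS subjectAltName entry. The first test
# rejects CN-only certificates, which -checkhost alone would still accept.
has_san_for() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | grep -q 'DNS:' || return 1
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Run all three checks, report each failure, return non-zero if any failed.
check_tls_pair() {
    crt=$1; key=$2; host=$3; rc=0
    key_matches_cert "$crt" "$key" ||
        { echo "FAIL: $key does not match $crt" >&2; rc=1; }
    valid_for_days "$crt" 30 ||
        { echo "FAIL: $crt is expired or expires within 30 days" >&2; rc=1; }
    has_san_for "$crt" "$host" ||
        { echo "FAIL: $crt has no DNS SAN covering $host" >&2; rc=1; }
    return "$rc"
}

if [ "$#" -eq 3 ]; then
    check_tls_pair "$@"
fi
```

The check matters most for the kubectl create secret generic form, which stores whatever files it is given without comparing the key to the certificate.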
Cloud-Managed TLS
If you are deploying on a managed Kubernetes platform (e.g., GKE, EKS, AKS), you may prefer to terminate TLS at a cloud-managed load balancer or gateway rather than at the Kubernetes Ingress. For example, on GCP you can use a Gateway with Google-managed certificates to handle external TLS, while still using cert-manager or self-signed certificates for internal cluster traffic. This hybrid approach can simplify certificate lifecycle management and firewall configuration, as the external IP is managed by the cloud provider.