Some more details here for TLS secrets. But the answer I think you’re looking for from that is this assuming you create the key using
kubectl create secret tls my-tls-secret \
The public/private key pair must exist beforehand. The public key certificate for
--cert must be .PEM encoded (Base64-encoded DER format), and match the given private key for
--key . The private key must be in what is commonly called PEM private key format, unencrypted. In both cases, the initial and the last lines from PEM (for example,
--------BEGIN CERTIFICATE----- and
-------END CERTIFICATE---- for a certificate) are not included.