Deploy custom domain TLS Certificates

We are excited to announce that IBM Cloud Container Service is now integrated with IBM Cloud Certificate Manager! This means that you can easily and securely deploy custom domain TLS certificates from Certificate Manager to your Kubernetes Cluster.

Developers deploy their apps on IBM Cloud Container Service and make them securely accessible through the Ingress Controller. The Ingress Controller uses a pre-installed certificate that protects the default IBM-provided domain assigned to your app. However, if you would like to use a custom domain for your app, such as mybank.com, you will need to obtain your own TLS certificate for that domain, install it in your cluster, and configure your Ingress Controller to use it.

When you have your own TLS certificate, you need to manage it so that your apps will continuously be secured with HTTPS. Certificates are only valid for a period of time, so you need to remember to renew them on time to avoid service disruptions. Private keys associated with certificates need to be protected because stolen keys can mean compromised customer and business data. So you’ll need a secure place to store your certificates, with proper access controls and an audit trail, and a way to monitor their expiration. IBM Cloud Certificate Manager provides these capabilities.

IBM Cloud Container Service is now integrated with IBM Cloud Certificate Manager so that you can securely deploy a TLS certificate that you manage in Certificate Manager to your cluster. Cluster admins can use the Container Service CLI to import and update TLS certificates as Kubernetes Secrets, specifying the ID (CRN) of the certificate they want to use. Container Service also reports back to Certificate Manager the ID of the Kubernetes cluster where the certificate was installed. Developers can then configure the Ingress Controller to use these secrets to secure apps with TLS. The update command also allows them to update an existing Kubernetes secret with a renewed certificate without causing downtime.

bx cs alb-cert-deploy [--update] --cluster CLUSTER --secret-name SECRET_NAME --cert-crn CERTIFICATE_CRN
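
The import and renewal flow described above, as an added example that is not IBM's own tooling: a shell wrapper a cluster admin could run on a schedule, which imports the certificate when the secret is missing and uses the update form when the installed certificate is close to expiry. It assumes kubectl, openssl and base64 are available, that the current kubectl context targets the cluster and namespace holding the secret, and that the secret stores the certificate under a tls.crt key; the function names and the 30-day default are made up for the example.

```shell
#!/bin/sh
# Added example, not IBM's code: renewal-aware wrapper around the page's
# `bx cs alb-cert-deploy` command, meant to be run by a cluster admin.
# Assumptions: kubectl, openssl and base64 are on PATH, and the imported
# Secret stores the certificate under a `tls.crt` key.

# Exit 0 when the PEM certificate on stdin expires within $1 days.
# An unparsable certificate also counts as expiring, so it gets replaced.
expires_within_days() {
    ! openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1
}

# Usage: renew_if_needed CLUSTER SECRET_NAME CERTIFICATE_CRN [DAYS]
renew_if_needed() {
    r_cluster=$1; r_secret=$2; r_crn=$3; r_days=${4:-30}

    # Catch a pasted certificate name or serial before calling the CLI.
    case $r_crn in
        crn:*) ;;
        *) echo "error: '$r_crn' is not a CRN" >&2; return 2 ;;
    esac

    # Only the certificate field is extracted; the private key is never
    # printed or written to disk by this script.
    r_pem=$(kubectl get secret "$r_secret" -o 'jsonpath={.data.tls\.crt}' \
            2>/dev/null | base64 -d 2>/dev/null) || r_pem=""

    if [ -z "$r_pem" ]; then
        echo "import: $r_secret not found in cluster $r_cluster"
        bx cs alb-cert-deploy --cluster "$r_cluster" \
            --secret-name "$r_secret" --cert-crn "$r_crn"
    elif printf '%s\n' "$r_pem" | expires_within_days "$r_days"; then
        echo "update: $r_secret expires within $r_days days"
        bx cs alb-cert-deploy --update --cluster "$r_cluster" \
            --secret-name "$r_secret" --cert-crn "$r_crn"
    else
        echo "skip: $r_secret is valid for more than $r_days days"
    fi
}
```

The update only helps once the certificate behind the CRN has been renewed in Certificate Manager, so renew it there first.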

We also designed the integrated experience to help you minimize the exposure of your private keys to users. When developers deploy applications, they can create ingress resources that use the secrets containing the certificates and their associated private keys without being able to read the content of the secrets (the private keys) themselves. This works by letting developers use reference secrets that do not contain the private keys. At runtime, the ingress controller can securely access the secrets and keys to do SSL termination.

To learn more, check out the documentation of Container Service here. Read more about IBM Cloud Certificate Manager here.
