October 1, 2020 By Lucas Copi
Theodora Cheng
3 min read

IBM Cloud Certificate Manager is now used to track and manage all certificates created for default subdomains in IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud clusters.

When you create an IBM Cloud Kubernetes Service cluster, a default Ingress application load balancer (ALB) is deployed in each zone of the cluster. The associated public IP addresses for the ALBs are registered with a DNS subdomain that is unique to the cluster. The corresponding Let’s Encrypt certificate for the subdomain is automatically created and added as a Kubernetes secret to the cluster, which the ALB can then reference for TLS termination.

With the new IBM Certificate Manager integration, this certificate is now uploaded to a default Certificate Manager instance that is created for the cluster. You can use the Certificate Manager instance to monitor your certificate expiration dates and easily import certificates from the instance into the cluster by using the new `ibmcloud ks ingress secret` commands in the IBM Cloud Kubernetes Service CLI plug-in.

How it works

IBM Cloud Kubernetes Service creates an IBM Cloud Certificate Manager instance for each cluster. To ensure that an instance is automatically created, verify that the API key for the region and resource group that the cluster is created in has the correct permissions. After the instance has been successfully created, IBM Cloud Kubernetes Service creates a notification channel that sends certificate lifecycle notifications back to IBM Cloud Kubernetes Service and allows associated secrets to be updated automatically (see the "Automatic certificate lifecycle management" section below).

Viewing certificates

  1. In the IBM Cloud console, navigate to the Resource list for your account.
  2. In the Name filter field, search for your cluster ID.
  3. Select the Certificate Manager instance for the cluster ID.
  4. On the Certificate Manager overview page, click a certificate to expand its details.

More documentation about using IBM Cloud Certificate Manager can be found here.

Managing secrets for certificates

The IBM Cloud Kubernetes Service CLI plug-in allows you to import certificates from an IBM Cloud Certificate Manager instance into a cluster as Kubernetes secrets. Each imported secret carries two annotations: `ingress.cloud.ibm.com/cert-source: "ibm"`, which indicates that the secret was imported from a certificate in Certificate Manager, and `service.kubernetes.io/ibm-cert-crn`, which holds the CRN of that certificate.

To use the new secret management functionality, update your IBM Cloud Kubernetes Service plug-in to the latest version by running `ibmcloud plugin update kubernetes-service`.

Viewing secrets

  • To list all secrets that are created for one cluster:
    ibmcloud ks ingress secret ls -c <cluster_name_or_id>
  • To view more details about a specific secret:
    ibmcloud ks ingress secret get -c <cluster_name_or_id> --name <name_of_secret> --namespace <namespace_of_secret>

Creating secrets

  • To create a secret for a certificate from an IBM Cloud Certificate Manager instance:
    ibmcloud ks ingress secret create -c <cluster_name_or_id> --name <name_of_secret> --namespace <kubernetes_namespace_for_secret> --cert-crn <certificate_crn>

    Note: If you do not specify a namespace for the secret, it is created in the ibm-cert-store namespace in your cluster.

Updating secrets

  • To update an existing secret with a new certificate value:
    ibmcloud ks ingress secret update -c <cluster_name_or_id> --name <name_of_secret> --namespace <kubernetes_namespace_for_secret>

    Optionally, to import a certificate with a different CRN but keep the same secret name and namespace, specify the new CRN in the --cert-crn flag on the update command.

Automatic certificate lifecycle management

When a Certificate Manager instance is created for a cluster, a notification channel for the instance is also created that forwards certificate lifecycle notifications to IBM Cloud Kubernetes Service for processing. Currently, certificate update notifications are supported. If an update notification is sent to IBM Cloud Kubernetes Service for a certificate, all secrets associated with that certificate in the cluster are automatically updated with the new certificate values. Learn more about certificate lifecycle notifications.
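The two annotations described under "Managing secrets for certificates" are also what make the automatic update above possible: only secrets that carry the `ibm` cert-source marker and a certificate CRN are tied to a Certificate Manager certificate, so they are the ones rewritten when an update notification arrives. The following audit script is an added example, not IBM's code. It assumes the cluster's secrets were exported with `kubectl get secrets -A -o json`, classifies each TLS secret as managed, inconsistent (only one of the two annotations present) or unmanaged, and lists which secrets an update notification for a given CRN would rewrite. The secret names and the CRN values are constructed placeholders.

```python
"""Audit which Kubernetes TLS secrets are tied to IBM Cloud Certificate Manager.

Added example (not IBM's code). Input is the JSON that
`kubectl get secrets -A -o json` prints; secrets are classified by the two
annotations that the `ibmcloud ks ingress secret` commands set on import.
"""
import json

CERT_SOURCE_ANNOTATION = "ingress.cloud.ibm.com/cert-source"
CERT_CRN_ANNOTATION = "service.kubernetes.io/ibm-cert-crn"

# Constructed placeholder CRN; a real one names your account, instance and certificate IDs.
SAMPLE_CERT_CRN = ("crn:v1:bluemix:public:cloudcerts:us-south:a/ACCOUNT-PLACEHOLDER"
                   ":INSTANCE-PLACEHOLDER:certificate:CERT-PLACEHOLDER")

# Constructed sample SecretList (trimmed: the `data` field is omitted because the
# audit only looks at type and annotations). Names and namespaces are made up.
SAMPLE_SECRET_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # default cluster certificate, imported by the service itself
            "metadata": {"name": "mycluster-default-cert", "namespace": "ibm-cert-store",
                         "annotations": {CERT_SOURCE_ANNOTATION: "ibm",
                                         CERT_CRN_ANNOTATION: SAMPLE_CERT_CRN}},
            "type": "kubernetes.io/tls",
        },
        {   # same certificate imported into an app namespace with `ingress secret create`
            "metadata": {"name": "shop-tls", "namespace": "shop",
                         "annotations": {CERT_SOURCE_ANNOTATION: "ibm",
                                         CERT_CRN_ANNOTATION: SAMPLE_CERT_CRN}},
            "type": "kubernetes.io/tls",
        },
        {   # marker copied by hand but no CRN: lifecycle updates cannot find it
            "metadata": {"name": "api-tls", "namespace": "api",
                         "annotations": {CERT_SOURCE_ANNOTATION: "ibm"}},
            "type": "kubernetes.io/tls",
        },
        {   # hand-maintained certificate with no annotations at all
            "metadata": {"name": "legacy-tls", "namespace": "default", "annotations": None},
            "type": "kubernetes.io/tls",
        },
        {   # not a TLS secret; must be ignored by the audit
            "metadata": {"name": "registry-creds", "namespace": "default"},
            "type": "kubernetes.io/dockerconfigjson",
        },
    ],
})


def load_tls_secrets(secret_list_json):
    """Return only the kubernetes.io/tls secrets from a kubectl SecretList document."""
    doc = json.loads(secret_list_json)
    return [s for s in doc.get("items", []) if s.get("type") == "kubernetes.io/tls"]


def classify_secret(secret):
    """Return (status, crn) for one secret.

    "managed"      both annotations present: Certificate Manager update
                   notifications will rewrite this secret automatically
    "inconsistent" exactly one of the two annotations present
    "unmanaged"    no Certificate Manager annotations: maintained by hand
    """
    annotations = secret.get("metadata", {}).get("annotations") or {}
    source = annotations.get(CERT_SOURCE_ANNOTATION)
    crn = annotations.get(CERT_CRN_ANNOTATION)
    if source == "ibm" and crn:
        return "managed", crn
    if source == "ibm" or crn:
        return "inconsistent", crn
    return "unmanaged", None


def audit(secret_list_json):
    """Map "namespace/name" to (status, crn) for every TLS secret in the list."""
    return {f"{s['metadata']['namespace']}/{s['metadata']['name']}": classify_secret(s)
            for s in load_tls_secrets(secret_list_json)}


def secrets_for_certificate(secret_list_json, cert_crn):
    """Sorted names of the secrets that an update notification for cert_crn would rewrite."""
    return sorted(name for name, (status, crn) in audit(secret_list_json).items()
                  if status == "managed" and crn == cert_crn)


if __name__ == "__main__":
    for name, (status, crn) in audit(SAMPLE_SECRET_LIST).items():
        print(f"{status:12} {name} {crn or ''}")
    print("rewritten on update of sample CRN:",
          secrets_for_certificate(SAMPLE_SECRET_LIST, SAMPLE_CERT_CRN))
```

Running the script against a real export (`kubectl get secrets -A -o json | python audit.py` with the constant replaced by `sys.stdin.read()`) gives a quick answer to the question this feature raises in practice: which TLS secrets will follow the Certificate Manager lifecycle on their own, and which ones still need a manual `ibmcloud ks ingress secret update` or a hand-managed renewal.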

Have questions?

For more information, check out our documentation.

If you have questions, engage our team via Slack by registering here and join the discussion in the #general channel on our public IBM Cloud Kubernetes Service Slack.
