November 3, 2023 By Brad Manning
Shenzhe Duan
Lucas Copi
Theodora Cheng
5 min read

When scaling up the number of applications you manage, it can feel like there are a lot of moving parts to ensure that your APIs are going through to the right applications in a secure manner.

To make this easier, IBM Cloud® Kubernetes exposes various API integrations, which are already available through the command line interface (CLI) and Terraform.

We are excited to announce that these features are now accessible through the user interface (UI).

An overview of Ingress

First, let’s review the relevant Ingress components.

When clients send requests to an endpoint, the traffic is directed from the domain to the respective load balancer. The load balancer forwards these requests to the Ingress controller, where they undergo request termination using a transport layer security (TLS) secret. A “secret” stores sensitive data, such as a password, authentication token, key or certificate. These requests are then distributed across the available service pods.

Our suite of managed integrations offers APIs to automate cluster setup and management:

  1. Domains: Link a custom domain to your cluster’s load balancer by using (CIS). This integration ensures automatic renewal of corresponding TLS certificates.
  2. Ingress Controller Application Load Balancers (ALB): Manage your ALBs with features such as version control, custom configurations, and both horizontal and vertical scaling capabilities.
  3. Secrets: Securely store managed TLS certificates and secrets in your instance, with automatic synchronization to your Kubernetes secrets.

The table outlines the actions available for each API. Use these actions to streamline your cluster management.

DefaultEstablish a default Ingress domain. The default domain is automatically updated with the load balancer addresses for your public ALBs or Red Hat® OpenShift® routers.An ALB is automatically created for each public zone in the cluster. ALBs are automatically updated to the latest versions to keep your cluster up to date and protected. The ALB update policies can be configured following this guide.Establish a default Secrets Manager instance for the storage of TLS certificates generated for managed domains.
CreateRegister a domain to a load balancer using CIS, Cloudflare or Akamai.Create an ALB. This will provision a load balancer service and an ALB instance.Register a secret that facilitates automatic synchronization between a Secrets Manager secret and a Kubernetes secret.
ReadGet a list of domains or specific information about a domain.Get a list of ALBs or specific information about an ALB.Get a list of secrets or specific details about a particular secret.
UpdateUpdate the configuration of a domain.Update an ALB version for a specific ALB. This action is only available if ALB autoupdate is disabled for the cluster.Update the Kubernetes secret definition by adding or removing fields or updating the referenced Secrets Manager CRN for a TLS secret. Sync the values in the Kubernetes secret with the values stored in the corresponding Secrets Manager secret.
DeleteDelete a domain. This will delete the corresponding domain name system (DNS) record and the TLS certificates will no longer continue to be renewed.Delete an ALB. The load balancer service and ALB instance will be removed.  Delete a secret. This will remove the corresponding Kubernetes secret from the cluster.
ReferencesUI and CLICLI and Terraform  CLI and Terraform—Instance, TLS Secret and Opaque Secret
Scroll to view full table

Configuring a multi-tenant microservices environment in IBM Cloud

Let’s dive into a practical scenario. Imagine you’re assigned the task of configuring a multi-tenant environment within IBM Cloud to support a new product built on a microservices architecture, catering to various teams. The architecture is best depicted in the following high-level diagram.

Each team operates distinct microservices that serve specific components. These services are deployed within individual team namespaces, with “echo” representing one team’s namespace and “foxtrot” dedicated to another. You’ve implemented a production cluster to make services accessible to users. After careful consideration, you’ve decided that employing an Ingress Controller — specifically an ALB — is the optimal choice to serve as the API gateway for your team’s requirements.

The “echo” team has reached out for your assistance in establishing a new microservice to be accessible in the production environment via any requests at the “echo” endpoint at*. The application is currently operational within the “echo” namespace, exposed behind the “echo” service. In this example, we’ll examine the configuration of an Ingress resource to understand how to securely expose this API endpoint within your cluster.

> kubectl get ingress echo-ingress -o yaml
kind: Ingress
  annotations: public-iks-k8s-nginx // 2. ALB
  generation: 1
  name: echo-ingress
  namespace: echo-namespace
  - host: // 1. Domain
      - backend:
            name: echo-service
              number: 8080
        path: /echo
        pathType: Prefix
  - hosts:
    secretName: echo-secret // 3. Secret

Begin by navigating to your IBM Cloud clusters and selecting the correct cluster to access the cluster overview page. Note the cluster-wide default Ingress configurations.

From the left-hand navigation menu, select the “Ingress” tab. Note that all your Ingress components in the overview page are currently healthy.

Now, follow these steps:

1. Set up the domain for your Ingress host. If you have already set up a CIS instance and have an active domain (for guidance on creating one, refer to this getting started guide), configure the necessary service-to-service IAM authorization and designate it as the default domain for your cluster. This ensures that all future ALB changes are automatically reflected in your domain configuration and will generate managed TLS certificates.

2. Navigate to the ALBs tab and locate an enabled public ALB. Verify that the Ingress class in the Ingress resource maps to the managed ALB. Verify that the “autoupdate” feature is enabled by default by attempting to run Update version. This will allow you to promptly address any known vulnerabilities. If this is a private application, you can enable a private ALB and link it to your domain.

3. The “echo-secret” needs to live in the “echo-namespace”. Navigate to the secrets tab and take note of the “techcorp” TLS secret. To copy the managed TLS secret into the “echo-namespace”, create a secret in the “echo-namespace”. Note: If a secret ID doesn’t exist within the secret detail, ensure that a default instance is registered.

4. Test the endpoint and confirm that the application is correctly exposed at the “echo” endpoint.

5. Configure monitoring for your ALB traffic (refer to the setup monitoring guide), which enables you to monitor the load and traffic on your ALB, facilitating informed decisions regarding scaling.

With everything configured in the cluster, you are now ready to start serving your users.

Join the conversation

This blog post serves as a primer to showcase the benefits and functionality of using these integrations in the UI. Hopefully it helped you gain an understanding around the capabilities in the UI regarding your Ingress resources. If you have questions, you can engage our team by registering here and joining the discussion in the “#general” channel on our public IBM Cloud Kubernetes Service Slack.

Run Kubernetes at enterprise scale

More from Cloud

The advantages and disadvantages of hybrid cloud

6 min read - With the rapid advancements in cloud computing, data management and artificial intelligence (AI), hybrid cloud plays an integral role in next-generation IT infrastructure. Enterprise-level businesses rely on hybrid cloud solutions to run critical workloads from anywhere by combining and unifying on-premises, private cloud and public cloud environments. Just like any other IT solution, adopting a successful hybrid cloud strategy starts with examining how this cloud computing architecture can drive overall business objectives. As an initial step, business and IT leaders…

IBM Tech Now: December 11, 2023

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 90 On this episode, we're covering the following topics: IBM Quantum Heron IBM Quantum System Two The GA of watsonx.governance Stay plugged in You can check out the IBM Blog Announcements for a full…

Get ready for change with IBM Cloud Training

2 min read - As generative AI creates new opportunities and transforms cloud operations, it is crucial to learn how to maximize the value of these tools. A recent report from the IBM Institute for Business Value found that 68% of hybrid cloud users already have a formal, organization-wide policy or approach for the use of generative AI. That same report also noted that 58% of global decision makers say that cloud skills remain a considerable challenge. Being proactive in your learning can significantly…

Data center consolidation: Strategy and best practices

7 min read - The modern pace of data creation is staggering. The average organization produces data constantly—perhaps even continuously—and soon it’s investing in servers to provide ample storage for that information. In time, and probably sooner than expected, the organization accrues more data and outgrows that server, so it invests in multiple servers. Or that company could tie into a data center, which is built to accommodate even larger warehouses of information. But the creation of new data never slows for long. And…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters