IBM Cloud Certificate Manager is now used to track and manage all certificates created for default subdomains in IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud clusters.
When you create an IBM Cloud Kubernetes Service cluster, a default Ingress application load balancer (ALB) is deployed in each zone of the cluster. The associated public IP addresses for the ALBs are registered with a DNS subdomain that is unique to the cluster. The corresponding Let's Encrypt certificate for the subdomain is automatically created and added as a Kubernetes secret to the cluster, which the ALB can then reference for TLS termination.
With the new IBM Certificate Manager integration, this certificate is now uploaded to a default Certificate Manager instance that is created for the cluster. You can use the Certificate Manager instance to monitor your certificate expiration dates and easily import certificates from the instance into the cluster by using the new `ibmcloud ks ingress secret` commands in the IBM Cloud Kubernetes Service CLI plug-in.
How it works
IBM Cloud Kubernetes Service creates an IBM Cloud Certificate Manager instance for each cluster. To ensure that an instance is automatically created, verify that the API key for the region and resource group that the cluster is created in has the correct permissions. After the instance has been successfully created, IBM Cloud Kubernetes Service creates a notification channel that sends certificate lifecycle notifications to IBM Cloud Kubernetes Service and allows automatic updates to associated secrets (see below section).
- In the IBM Cloud console, navigate to the Resource list for your account.
- In the Name filter field, search for your cluster ID.
- Select the Certificate Manager instance for the cluster ID.
- In the Certificate Manager overview page, you can see more details for a particular certificate by clicking on the certificate to expand its details.
More documentation about using IBM Cloud Certificate Manager can be found here.
Managing secrets for certificates
The IBM Cloud Kubernetes Service CLI plug-in allows you to import certificates from an IBM Cloud Certificate Manager instance to a cluster as Kubernetes secrets. These imported secrets have two annotations,
"ingress.cloud.ibm.com/cert-source" : "ibm" and
"service.kubernetes.io/ibm-cert-crn", which indicate that the secret is imported from a certificate in Certificate Manager and the CRN for that certificate.
To use the new secret management functionality, update your IBM Cloud Kubernetes Service plug-in to the latest version by running
ibmcloud plugin update kubernetes-service.
- To list all secrets that are created for one cluster:
- To view more details about a specific secret:
- To create a secret for a certificate from an IBM Cloud Certificate Manager instance:
ibm-cert-storenamespace in your cluster.
Note: If you do not specify a namespace for the secret, it is created in the
- To update an existing secret with a new certificate value:
--cert-crnflag on the update command.
Optionally, to import a certificate with a different CRN but keep the same secret name and namespace, specify the new CRN in the
Automatic certificate lifecycle management
When a Certificate Manager instance is created for a cluster, a notification channel for the instance is also created that forwards certificate lifecycle notifications to IBM Cloud Kubernetes Service for processing. Currently, certificate update notifications are supported. If an update notification is sent to IBM Cloud Kubernetes Service for a certificate, all secrets associated with that certificate in the cluster are automatically updated with the new certificate values. Learn more about certificate lifecycle notifications.
For more information, check out our documentation.
If you have questions, engage our team via Slack by registering here and join the discussion in the #general channel on our public IBM Cloud Kubernetes Service Slack.