IBM Cloud Kubernetes Service Integration with IBM Cloud Certificate Manager


IBM Cloud Certificate Manager is now used to track and manage all certificates created for default subdomains in IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud clusters.

When you create an IBM Cloud Kubernetes Service cluster, a default Ingress application load balancer (ALB) is deployed in each zone of the cluster. The associated public IP addresses for the ALBs are registered with a DNS subdomain that is unique to the cluster. The corresponding Let's Encrypt certificate for the subdomain is automatically created and added as a Kubernetes secret to the cluster, which the ALB can then reference for TLS termination.

With the new IBM Certificate Manager integration, this certificate is now uploaded to a default Certificate Manager instance that is created for the cluster. You can use the Certificate Manager instance to monitor your certificate expiration dates and easily import certificates from the instance into the cluster by using the new `ibmcloud ks ingress secret` commands in the IBM Cloud Kubernetes Service CLI plug-in.

How it works

IBM Cloud Kubernetes Service creates an IBM Cloud Certificate Manager instance for each cluster. To ensure that an instance is automatically created, verify that the API key for the region and resource group that the cluster is created in has the correct permissions. After the instance has been successfully created, IBM Cloud Kubernetes Service creates a notification channel that sends certificate lifecycle notifications to IBM Cloud Kubernetes Service and allows automatic updates to the associated secrets (see "Automatic certificate lifecycle management" below).

Viewing certificates

  1. In the IBM Cloud console, navigate to the Resource list for your account.
  2. In the Name filter field, search for your cluster ID.
  3. Select the Certificate Manager instance for the cluster ID.
  4. In the Certificate Manager overview page, you can see more details for a particular certificate by clicking on the certificate to expand its details.

More documentation about using IBM Cloud Certificate Manager can be found here.

Managing secrets for certificates

The IBM Cloud Kubernetes Service CLI plug-in allows you to import certificates from an IBM Cloud Certificate Manager instance to a cluster as Kubernetes secrets. These imported secrets carry two annotations: `ingress.cloud.ibm.com/cert-source: ibm`, which indicates that the secret was imported from a certificate in Certificate Manager, and `service.kubernetes.io/ibm-cert-crn`, which holds the CRN of that certificate.

To use the new secret management functionality, update your IBM Cloud Kubernetes Service plug-in to the latest version by running `ibmcloud plugin update kubernetes-service`.

Viewing secrets

  • To list all secrets that are created for one cluster:
    `ibmcloud ks ingress secret ls -c <cluster_name_or_id>`
  • To view more details about a specific secret:
    `ibmcloud ks ingress secret get -c <cluster_name_or_id> --name <name_of_secret> --namespace <namespace_of_secret>`

Creating secrets

  • To create a secret for a certificate from an IBM Cloud Certificate Manager instance:
    `ibmcloud ks ingress secret create -c <cluster_name_or_id> --name <name_of_secret> --namespace <kubernetes_namespace_for_secret> --cert-crn <certificate_crn>`
    Note: If you do not specify a namespace for the secret, it is created in the `ibm-cert-store` namespace in your cluster.

Updating secrets

  • To update an existing secret with a new certificate value:
    `ibmcloud ks ingress secret update -c <cluster_name_or_id> --name <name_of_secret> --namespace <kubernetes_namespace_for_secret>`
    Optionally, to import a certificate with a different CRN but keep the same secret name and namespace, specify the new CRN in the `--cert-crn` flag on the update command.

Automatic certificate lifecycle management

When a Certificate Manager instance is created for a cluster, a notification channel for the instance is also created that forwards certificate lifecycle notifications to IBM Cloud Kubernetes Service for processing. Currently, certificate update notifications are supported. If an update notification is sent to IBM Cloud Kubernetes Service for a certificate, all secrets associated with that certificate in the cluster are automatically updated with the new certificate values. Learn more about certificate lifecycle notifications.
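The following is an added example, not IBM's code, modelling how the two annotations described under "Managing secrets for certificates" tie a secret to its certificate CRN, and how an update notification for that CRN refreshes every bound secret across namespaces while leaving hand-made secrets untouched. The notification shape, the CRNs and the PEM bodies are constructed placeholders, and the assumption that "associated" means "carries the matching CRN annotation" is mine.

```python
import base64

# Annotations the integration places on secrets imported from Certificate Manager
CERT_SOURCE = "ingress.cloud.ibm.com/cert-source"
CERT_CRN = "service.kubernetes.io/ibm-cert-crn"


def b64(text):
    return base64.b64encode(text.encode()).decode()


def cert_of(secret):
    """Decode the PEM certificate stored in a kubernetes.io/tls Secret."""
    return base64.b64decode(secret["data"]["tls.crt"]).decode()


def imported_secret(name, namespace, crn, cert_pem, key_pem):
    """Shape of a Secret as the ingress secret create command leaves it (constructed)."""
    return {"metadata": {"name": name, "namespace": namespace,
                         "annotations": {CERT_SOURCE: "ibm", CERT_CRN: crn}},
            "type": "kubernetes.io/tls",
            "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)}}


def is_imported(secret):
    """Only secrets carrying both annotations are managed by the integration."""
    ann = secret["metadata"].get("annotations") or {}
    return ann.get(CERT_SOURCE) == "ibm" and bool(ann.get(CERT_CRN))


def apply_update_notification(secrets, notification):
    """Refresh every imported secret bound to the notified CRN, in any namespace.
    The notification dict here is a constructed stand-in for the real message."""
    updated = []
    for s in secrets:
        if is_imported(s) and s["metadata"]["annotations"][CERT_CRN] == notification["certificate_crn"]:
            s["data"]["tls.crt"] = b64(notification["certificate"])
            s["data"]["tls.key"] = b64(notification["private_key"])
            updated.append((s["metadata"]["namespace"], s["metadata"]["name"]))
    return sorted(updated)


# Placeholder CRNs and PEM bodies (constructed; not real certificates or keys)
CRN_A = "crn:v1:bluemix:public:cloudcerts:us-south:a/ACCOUNT:INSTANCE:certificate:CERT-A"
CRN_B = "crn:v1:bluemix:public:cloudcerts:us-south:a/ACCOUNT:INSTANCE:certificate:CERT-B"
OLD_CERT, OLD_KEY = "-----BEGIN CERTIFICATE-----\nOLD\n-----END CERTIFICATE-----\n", "OLDKEY"
NEW_CERT, NEW_KEY = "-----BEGIN CERTIFICATE-----\nNEW\n-----END CERTIFICATE-----\n", "NEWKEY"


def sample_cluster():
    """Three imported secrets plus one created by hand without annotations (constructed)."""
    manual = {"metadata": {"name": "hand-made-tls", "namespace": "default"}, "type": "kubernetes.io/tls",
              "data": {"tls.crt": b64(OLD_CERT), "tls.key": b64(OLD_KEY)}}
    return [imported_secret("alb-tls", "ibm-cert-store", CRN_A, OLD_CERT, OLD_KEY),
            imported_secret("app-tls", "default", CRN_A, OLD_CERT, OLD_KEY),
            imported_secret("other-tls", "default", CRN_B, OLD_CERT, OLD_KEY), manual]
```

A secret that shares a certificate but lacks the annotations, such as one applied by hand, is not refreshed, which is why re-importing with the CLI rather than copying secret data keeps rotation working.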

Have questions?

For more information, check out our documentation.

If you have questions, engage our team via Slack by registering here and join the discussion in the #general channel on our public IBM Cloud Kubernetes Service Slack.
