October 1, 2020
By Lucas Copi and Theodora Cheng
3 min read

IBM Cloud Certificate Manager is now used to track and manage all certificates created for default subdomains in IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud clusters.

When you create an IBM Cloud Kubernetes Service cluster, a default Ingress application load balancer (ALB) is deployed in each zone of the cluster. The associated public IP addresses for the ALBs are registered with a DNS subdomain that is unique to the cluster. The corresponding Let’s Encrypt certificate for the subdomain is automatically created and added as a Kubernetes secret to the cluster, which the ALB can then reference for TLS termination.

With the new IBM Certificate Manager integration, this certificate is now uploaded to a default Certificate Manager instance that is created for the cluster. You can use the Certificate Manager instance to monitor your certificate expiration dates and easily import certificates from the instance into the cluster by using the new `ibmcloud ks ingress secret` commands in the IBM Cloud Kubernetes Service CLI plug-in.

How it works

IBM Cloud Kubernetes Service creates an IBM Cloud Certificate Manager instance for each cluster. To ensure that an instance is automatically created, verify that the API key for the region and resource group that the cluster is created in has the correct permissions. After the instance has been successfully created, IBM Cloud Kubernetes Service creates a notification channel that sends certificate lifecycle notifications to IBM Cloud Kubernetes Service and allows automatic updates to associated secrets (see the "Automatic certificate lifecycle management" section below).

Viewing certificates

  1. In the IBM Cloud console, navigate to the Resource list for your account.
  2. In the Name filter field, search for your cluster ID.
  3. Select the Certificate Manager instance for the cluster ID.
  4. In the Certificate Manager overview page, you can see more details for a particular certificate by clicking on the certificate to expand its details.

More documentation about using IBM Cloud Certificate Manager is available in the IBM Cloud docs.

Managing secrets for certificates

The IBM Cloud Kubernetes Service CLI plug-in allows you to import certificates from an IBM Cloud Certificate Manager instance to a cluster as Kubernetes secrets. These imported secrets carry two annotations: `ingress.cloud.ibm.com/cert-source: ibm`, which indicates that the secret was imported from a certificate in Certificate Manager, and `service.kubernetes.io/ibm-cert-crn`, which holds the CRN of that certificate.

To use the new secret management functionality, update your IBM Cloud Kubernetes Service plug-in to the latest version by running `ibmcloud plugin update kubernetes-service`.

Viewing secrets

  • To list all secrets that are created for one cluster:
    `ibmcloud ks ingress secret ls -c <cluster_name_or_id>`
  • To view more details about a specific secret:
    `ibmcloud ks ingress secret get -c <cluster_name_or_id> --name <name_of_secret> --namespace <namespace_of_secret>`

Creating secrets

  • To create a secret for a certificate from an IBM Cloud Certificate Manager instance:
    `ibmcloud ks ingress secret create -c <cluster_name_or_id> --name <name_of_secret> --namespace <kubernetes_namespace_for_secret> --cert-crn <certificate_crn>`

    Note: If you do not specify a namespace for the secret, it is created in the `ibm-cert-store` namespace in your cluster.

Updating secrets

  • To update an existing secret with a new certificate value:
    `ibmcloud ks ingress secret update -c <cluster_name_or_id> --name <name_of_secret> --namespace <kubernetes_namespace_for_secret>`

    Optionally, to import a certificate with a different CRN but keep the same secret name and namespace, specify the new CRN in the `--cert-crn` flag on the update command.

Automatic certificate lifecycle management

When a Certificate Manager instance is created for a cluster, a notification channel for the instance is also created that forwards certificate lifecycle notifications to IBM Cloud Kubernetes Service for processing. Currently, certificate update notifications are supported. If an update notification is sent to IBM Cloud Kubernetes Service for a certificate, all secrets associated with that certificate in the cluster are automatically updated with the new certificate values. Learn more about certificate lifecycle notifications.
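Because only secrets that carry the two annotations described under "Managing secrets for certificates" are tied to a Certificate Manager certificate, only those secrets receive the automatic updates described above; a TLS secret uploaded by hand will silently keep its old certificate. The following is an added example (not code from the post or from IBM) that audits a `SecretList`, as returned by `kubectl get secrets -A -o json`, and separates Certificate Manager-managed TLS secrets from unmanaged ones. The CRN layout it checks (`crn:v1:bluemix:public:cloudcerts:<region>:a/<account>:<instance>:certificate:<id>`) and the sample secrets are assumptions constructed for the example.

```python
import json

# Annotation keys the IBM Cloud Kubernetes Service CLI sets on imported secrets (from the post).
CERT_SOURCE_ANNOTATION = "ingress.cloud.ibm.com/cert-source"
CERT_CRN_ANNOTATION = "service.kubernetes.io/ibm-cert-crn"


def is_managed_by_cert_manager(secret: dict) -> bool:
    """True when the secret has cert-source=ibm and a plausible Certificate Manager CRN.

    Assumed CRN layout: crn:v1:bluemix:public:cloudcerts:<region>:a/<account>:<instance>:certificate:<id>
    """
    annotations = secret.get("metadata", {}).get("annotations") or {}
    if annotations.get(CERT_SOURCE_ANNOTATION) != "ibm":
        return False
    parts = annotations.get(CERT_CRN_ANNOTATION, "").split(":")
    return len(parts) == 10 and parts[0] == "crn" and parts[4] == "cloudcerts" and parts[8] == "certificate"


def audit_tls_secrets(secret_list: dict) -> dict:
    """Split a SecretList into TLS secrets that will be auto-updated and those that will not."""
    report = {"managed": [], "unmanaged": []}
    for item in secret_list.get("items", []):
        if item.get("type") != "kubernetes.io/tls":
            continue  # only TLS secrets are relevant to certificate lifecycle management
        meta = item.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        report["managed" if is_managed_by_cert_manager(item) else "unmanaged"].append(key)
    return report


# Constructed sample shaped like `kubectl get secrets -A -o json` output (not real cluster data).
SAMPLE_SECRET_LIST = json.loads("""
{ "kind": "SecretList", "items": [
  { "type": "kubernetes.io/tls",
    "metadata": { "name": "mycluster-abc123", "namespace": "ibm-cert-store",
      "annotations": { "ingress.cloud.ibm.com/cert-source": "ibm",
        "service.kubernetes.io/ibm-cert-crn": "crn:v1:bluemix:public:cloudcerts:us-south:a/ACCOUNT_ID:INSTANCE_ID:certificate:CERT_ID" } } },
  { "type": "kubernetes.io/tls",
    "metadata": { "name": "hand-uploaded-tls", "namespace": "default", "annotations": {} } },
  { "type": "Opaque",
    "metadata": { "name": "db-password", "namespace": "default" } }
] }
""")

if __name__ == "__main__":
    print(json.dumps(audit_tls_secrets(SAMPLE_SECRET_LIST), indent=2))
```

Secrets listed under "unmanaged" must be rotated by hand or re-imported with `ibmcloud ks ingress secret create` so that future certificate updates reach them.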

Have questions?

For more information, check out our documentation.

If you have questions, engage our team via Slack by registering here and join the discussion in the #general channel on our public IBM Cloud Kubernetes Service Slack.
