Deploying certificates to IBM Kubernetes Clusters
The Certificate Manager service provides support for deploying certificates to multiple IBM Cloud services. This section reviews how to deploy certificates as secrets to Kubernetes and OpenShift clusters and use them with Kubernetes ingress resources.
The example will use the certificate imported in the service setup section. Modified Terraform code from the IaC containers pattern will be used to create the Kubernetes cluster. The modification reduces the cluster to a single zone with two workers, which is sufficient for demonstrating the custom TLS ingress use case.
The code to manage the creation of the example can be found in the GitHub repository https://github.com/IBM/cloud-enterprise-examples/ in the directory 14-certificate-management/iks-ingress-certificate.
- Create Kubernetes Cluster
- Import certificate from Certificate Manager
- Deploy example application with custom TLS in ingress
- Clean up
Create Kubernetes Cluster
In order to demonstrate the use of certificates from the Certificate Manager service in the IBM Kubernetes Service (IKS), a Kubernetes cluster with an example application is required. For this guide, the example Terraform code that creates the cluster and the application deployment resources is reused from the IaC containers pattern.
Before you run through this example, make sure your Terraform environment is set up correctly as documented in the environment setup.
Change into the 14-certificate-management/iks-ingress-certificate directory and run the following commands to create an IKS cluster.
terraform init
terraform plan
terraform apply
A single-zone cluster will be created with two worker nodes. This will take some time as the cluster deploys. When finished, the cluster name will be displayed. Set it in an environment variable for later use from the command line:
IKS_CLUSTER=$(terraform output cluster_name)
Import certificate from Certificate Manager
Deploying certificates from the Certificate Manager service to a Kubernetes cluster can be performed from the IBM Cloud CLI using the container service plugin command ibmcloud ks ingress secret create.
Alternatively, the certificate may also be added using a resource and terraform code. To do this, the CRN of the desired certificate in Certificate Manager is needed. This example will use the certificate that was imported in the Certificate Manager service setup.
Change to the 14-certificate-management/import-certificate directory and obtain the CRN of the ordered certificate:
cd ../import-certificate
CERT_CRN=$(terraform output imported-certificate-id)
Return to the 14-certificate-management/iks-ingress-certificate directory and create a Terraform resource file for the TLS certificate. The secret in this example is named after the wildcard domain of the imported certificate; it can be changed as desired:
cat > tls.tf <<EOF
resource ibm_container_alb_cert cert {
  cert_crn    = "$CERT_CRN"
  secret_name = "tls-cm-timro-us"
  cluster_id  = ibm_container_vpc_cluster.iac_iks_cluster.id
}
EOF
Verify and apply the code to add the certificate information as a secret in the IKS cluster:
terraform plan
terraform apply
Verify the secret in the cluster.
ibmcloud ks ingress secret ls
The secret as named in the tls.tf file will be shown along with other secrets in the default namespace. The secret created in the default namespace is a reference to the actual secret, which is maintained in the ibm-cert-store namespace. This secret can be read by ingress resources created in any namespace of the cluster.
Deploy example application with custom TLS in ingress
Update the kubernetes/deployment.yaml resource file to point to the container image that you created in the IaC container pattern. The actual application used is not important, so if you prefer another container image, it is fine to substitute it.
Next, update the kubernetes/ingress-tls.yaml file with the domain name and TLS secret used. Continuing with the example domain used for the Certificate Manager import and the secret as named above, the ingress file would have the following content:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: movies-ingress
spec:
  tls:
  - hosts:
    - movies.cm.timro.us
    secretName: tls-cm-timro-us
For this example scenario, the imported certificate is a wildcard for *.cm.timro.us, allowing any host name to be added to the cm.timro.us subdomain.
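A wildcard certificate covers one label only: *.cm.timro.us matches movies.cm.timro.us but neither the bare cm.timro.us nor a deeper name such as movies.dev.cm.timro.us, and a browser will reject the connection for those hosts even though the secret is attached to the ingress. The following check, an example added here and not part of the original guide or the IBM repository, applies the RFC 6125 matching rules to the hosts listed under spec.tls.hosts before the ingress is created. The SAN list and the candidate host names are constructed sample data.

```python
"""Check that every host an Ingress terminates TLS for is covered by the
certificate's Subject Alternative Names, using RFC 6125 wildcard rules."""
from typing import Iterable, List


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    A wildcard is honoured only as the entire left-most label ("*.cm.timro.us"),
    it matches exactly one label, and it never matches the bare parent domain.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        # No wildcard: the names must be identical.
        return pattern == hostname
    suffix = pattern[1:]  # e.g. ".cm.timro.us"
    if "*" in suffix:
        # Only a single wildcard, and only in the first label, is allowed.
        return False
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]
    # The wildcard must stand for exactly one non-empty label, so a prefix
    # containing a dot (movies.dev) or an empty prefix (the parent domain) fails.
    return bool(prefix) and "." not in prefix


def uncovered_hosts(san_names: Iterable[str], ingress_hosts: Iterable[str]) -> List[str]:
    """Return the ingress TLS hosts that no SAN entry covers, in input order."""
    sans = list(san_names)
    return [h for h in ingress_hosts if not any(hostname_matches(s, h) for s in sans)]


# Constructed sample data: the wildcard SAN of the page's example certificate and
# a set of host names an operator might try to list under spec.tls.hosts.
SAN_NAMES = ["*.cm.timro.us"]
INGRESS_HOSTS = [
    "movies.cm.timro.us",      # covered by the wildcard
    "api.cm.timro.us",         # covered by the wildcard
    "cm.timro.us",             # parent domain, not covered
    "movies.dev.cm.timro.us",  # two labels under the wildcard, not covered
]

if __name__ == "__main__":
    bad = uncovered_hosts(SAN_NAMES, INGRESS_HOSTS)
    for host in INGRESS_HOSTS:
        print(f"{host:28s} {'NOT COVERED' if host in bad else 'ok'}")
```

Run the check against the hosts you intend to put in ingress-tls.yaml; any host reported as not covered needs either its own certificate entry in Certificate Manager or a name that sits directly under the wildcard domain.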
Create the application deployment, the service, and the ingress with the TLS certificate. The resource files are located in the 14-certificate-management/iks-ingress-certificate/kubernetes directory.
cd kubernetes
kubectl create -f deployment.yaml
kubectl create -f service.yaml
kubectl create -f ingress-tls.yaml
The final step is to configure a CNAME in the DNS for the hostname specified in the ingress that directs the connection to the VPC load balancer for the IKS cluster. Obtain the hostname with:
kubectl get ingress movies-ingress -o json | jq -r '.status.loadBalancer.ingress[0].hostname'
After the CNAME is added, you will be able to reach the application.
curl https://movies.cm.timro.us/movies/675
{"id": "675","title": "Kagemusha",...
Clean up
To clean up all the resources created by the script, run the following:
terraform destroy
This will not remove the Certificate Manager instance and certificates that have been imported or ordered. If the service is no longer needed, it may be deleted using the IBM Cloud web UI or from the command line:
ibmcloud resource service-instance-delete "iac-certificate-manager"