Skip to main contentIBM Cloud Patterns

Deploying certificates to IBM Kubernetes Clusters

Deploying certificates to IBM Kubernetes Clusters

The Certificate Manager service provides support for deploying certificates to multiple IBM Cloud services. This section reviews how to deploy certificates as secrets to Kubernetes and OpenShift clusters and use them with Kubernetes ingress resources.

The example will use the certificate imported in the service setup section. Modified terraform code from IaC containers will be used to create the kubernetes cluster. The modification reduces the cluster to a single zone with two workers as this is sufficient for demonstrating the custom TLS ingress use case.

The code to manage the creation of the example can be found in the GitHub repository in the directory 14-certificate-management/iks-ingress-certificate.

Create Kubernetes Cluster

In order to demostrate the use of certificates from the Certificate Manager service in the IBM Kubernetes Service (IKS), a kubernetes cluster with an example application is required. For this guide, the example terraform code to create the cluster and the application deployment resources will be reused from the IaC containers pattern.

Before you run through this example, make sure your Terraform environment is setup correctly as documented in the environment setup.

Change into the 14-certificate-management/iks-ingress-certificate directory and run the following commands to create an IKS cluster.

terraform init
terraform plan
terraform apply

A single-zone cluster will be created with two worker nodes. This will take some time as the cluster deploys. When finished the cluster name will be displayed. Set this to an envrionment variable for later use from the command line:

IKS_CLUSTER=$(terraform output cluster_name)

Import certificate from Certificate Manager

Deploying certificates from the Certificate Manager service to a kubernetes cluster can be performed from the IBM Cloud CLI using the container service plugin command ibmcloud ks alb cert deploy.

Alternatively, the certificate may also be added using a resource and terraform code. To do this, the CRN of the desired certificate in Certificate Manager is needed. This example will use the certificate that was imported in the Certificate Manager service setup.

Change to the 14-certificate-management/import-certificate directory and obtain the CRN of the ordered certificate:

cd ../import-certificate
CERT_CRN=$(terraform output imported-certificate-id)

Return to the 14-certificate-management/iks-ingress-certificate directory and create a terraform resource file for the tls certificate (the secret in this example is named after the wildcard domain from the imported certificate, it can be changed as desired):

cat > <<EOF
resource ibm_container_alb_cert cert {
cert_crn = "$CERT_CRN"
secret_name = "tls-cm-timro-us"
cluster_id =

Verify and apply the code to add the certificate information as a secret in the IKS cluster:

terraform plan
terraform apply

Verify the secret in the cluster. Configure the kubectl context with access to the IKS cluster using the ibmcloud ks cluster config command. Then verify the secret in the default namespace.

ibmcloud ks cluster config --cluster $IKS_CLUSTER
kubectl get secrets -n default

The secret as named in the file will be shown along with other secrets in the default namespace. The secret created in the default namespace is a reference to the actual secret which is maintained in the ibm-cert-store namespace. This secret can be read by ingress resources created in any namespace of the cluster.

Deploy example application with custom TLS in ingress

Update the kubernetes/deployment.yaml resource file to point to the container image that you created in the IaC container pattern. The actual application used is not important, so if you prefer to use another container image, it is ok to substitute.

Next, update the kubernetes/ingress-tls.yaml file with the domain name and tls secret used. Continuing with the example domain used for the Certificate Manager import and the secret as named above, the ingress file would have the following content:

kind: Ingress
name: movies-ingress
- hosts:
secretName: tls-cm-timro-us

For this example scenario, the imported certificate is a wildcard for * allowing any host name to be added to the subdomain.

Create the application deployment, create the service and the ingress with the TLS certificate. The resource files are located in the 14-certificate-management/iks-ingress-certificate/kubernetes directory.

cd kubernetes
kubectl create -f deployment.yaml
kubectl create -f service.yaml
kubectl create -f ingress-tls.yaml

The final step is to configure a CNAME in the DNS for the hostname specified in the ingress that directs the connection to the VPC load balancer for the IKS cluster. Obtain the hostname with:

kubectl get ingress movies-ingress -o json | jq .status.loadBalancer.ingress[0].hostname

After the CNAME is added, you will be able to reach the application.

"id": "675",
"title": "Kagemusha",

Clean up

To cleanup all the resources created by the script, run the following:

terraform destroy

This will not remove the Certificate Manager instance and certificates that have been imported or ordered. If the service is no longer needed, it may be deleted using the IBM Cloud web UI or from the command line:

ibmcloud resource service-instance-delete "iac-certificate-manager"