By Carmel Schindelhaim and Vinit Jain, IBM (Original post here)
We are excited to announce that IBM Cloud Container Service is now integrated with IBM Cloud Certificate Manager! This means that you can easily and securely deploy custom domain TLS certificates from Certificate Manager to your Kubernetes Cluster.
Developers deploy their apps on IBM Cloud Container Service and make them securely accessible through the Ingress Controller. The Ingress Controller uses a pre-installed certificate that protects the default IBM provided domain assigned to your app. However, if you would like to use a custom domain for your app, such as mybank.com, you will need to obtain your own custom domain TLS certificate for that domain, install it in your cluster, and configure your Ingress Controller to use it.
When you have your own TLS certificate, you need to manage it so that your apps will continuously be secured with HTTPS. Certificates are only valid for a period of time, so you need to remember to renew them on time to avoid service disruptions. Private keys associated with certificates need to be protected because stolen keys can mean compromised customer and business data. So you’ll need a secure place to store your certificates, with proper access controls and an audit trail, and a way to monitor their expiration. IBM Cloud Certificate Manager provides these capabilities.
The IBM Cloud Container Services is now integrated with IBM Cloud Certificate Manager so that you can securely deploy a TLS certificate that you manage in Certificate Manager to your cluster. Cluster admins can use the Container Service CLI to import and update TLS certificates as Kubernetes Secrets, specifying the id of the certificate they want to use (CRN). Container Service also reports back to Certificate Manager the id of the Kubernetes cluster where the certificate was installed. Developers can then configure the ingress controller to use these secrets to secure apps with TLS. The update command also allows them to update an existing Kubernetes secret with a renewed certificate without causing downtime.
bx cs alb-cert-deploy [--update] --cluster CLUSTER --secret-name SECRET_NAME --cert-crn CERTIFICATE_CRN
We also designed the integrated experience to help you minimize the exposure of your private keys to users. When developers deploy applications, they can create ingress resources that use the secrets containing the certificates and their associated private keys without being able to read the content of the secrets (the private keys) themselves. This works by letting developers use reference secrets that do not contain the private keys. At runtime, the ingress controller can securely access the secrets and keys to do SSL termination.