Custom domain with IBM Kubernetes Service, IBM Cloud Internet Service and IBM Certificate Manager
In my previous story, the steps to use IBM Kubernetes Services and Cloud Internet Service to quickly to setup your custom domain name to protect your application running in IBM Kubernetes Services. Thanks for the feedback from my teammate. One of the feedback is to enable end-to-end encryption. This story will address this feedback.
You can either generate your self-sign certificate for your domain, or can manually generate a public CA certificate from Let’s Encrypt, however it expires every 90days. It brings additional efforts to manage it (well.. it is free.. I can’t ask for more..). In this post we will introduce a new service in IBM Cloud called IBM Certificate Manager. It have pre-integrated with IBM Kubernetes Service and IBM Cloud Internet Service to ease our setup.
Assuming you already have a cluster of IBM Kubernetes Service and an instance of IBM Cloud Internet Service. We can easily provision an instance of IBM Certificate Manager from IBM Cloud Catalog and it will look like below:
Before we move on, we need to authorize Certificate Manager to access the DNS information in Cloud Internet Service. The step is available at here. Once the access is authorized, then we can click “Order Certificate” > “I’m using Cloud Internet Services”.
Fill in the detail and select your IBM Cloud Internet Service instance from drop down list. Tick on the domain that you want to order the certificate and click “Order” button.
Your order will be processed (it is free.. ) immediately as per follow:
Less than 5 minutes. your certificates are generated and the status on dashboard will be changed:
Copy the value of Certificate CRN, we will need this information for subsequently steps. Now we have a public CA certificate for our domain, the next step is to deploy this certificate to Application Load Balancer(ALB) of IBM Kubernetes Services.
This is where there is an easy way to do it. Login to your Kubernetes cluster via IBM Cloud CLI. The using the command below:
> ibmcloud ks alb cert deploy [ — update] — cluster CLUSTER — secret-name SECRET_NAME — cert-crn CERTIFICATE_CRN [ — update] [-s]
CLUSTER will be your cluster ID / name; SECRET_NAME will be the secret name you want to create (as use later part), I will set it the same with my domain name (consistent to cluster token). CERTIFICATE_CRN will be the value we extracted from IBM Certificate Manager console.
Instead of deploying LoadBalancer, in this case we are using Ingress (so that we don’t need to expose public IP). The last step will be deploying Ingress.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: web-store-ingress-resource
spec:
tls:
- hosts:
- ongkw.xyz
secretName: ongkw.xyz
rules:
- host: ongkw.xyz
http:
paths:
- path: /
backend:
serviceName: web-store-service
servicePort: 80
The full yaml can be found here: https://github.com/ongkhaiwei/iks_cis_icm_custom_domain/blob/master/ongkw.xyz.yaml