Thursday, October 11, 2018

Use a custom domain, manage TLS certificates and apply e2e security to cloud app

End to end security for a cloud app on IBM Cloud
Well, that title is a little bit long and ugly, but it basically describes what I wanted to tell you about today. A while ago, I blogged that my team published a tutorial "Apply end to end security to a cloud application". It demonstrates how to secure network traffic (data in transit), cloud object storage (data at rest), and the app itself through access control (authentication). The app runs on the IBM Cloud Kubernetes Service (IKS). By default, the app is exposed on an IBM Cloud-supplied hostname and domain. I updated the tutorial to show how to use a custom domain and deploy a TLS certificate managed by the IBM Cloud Certificate Manager.

Certificate Manager

In July, I discussed how to secure Kubernetes apps with Let's Encrypt wildcard certificates. I generated the certificate, then created a Kubernetes secret from it. The updated tutorial shows a better way of applying the certificate. First, the certificate is imported into the Certificate Manager. This makes it possible to set up notifications about expiring certificates, and some other management features are available as well. Once the certificate is in the Certificate Manager, the IBM Cloud command line interface (CLI) lets you deploy it directly to a cluster:

ibmcloud ks alb-cert-deploy --secret-name secure-file-storage-certificate \
    --cluster secure-file-storage-cluster --cert-crn the-certificate-crn

This creates the named secret in the cluster, which the Ingress configuration can then reference. From there on, everything is business as usual. Adapt the Ingress configuration to use the custom domain and expose the service:

Secured: Custom domain for Kubernetes app on IBM Cloud
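To make that last step concrete, here is an Ingress manifest of the kind the screenshot shows. It is an added example, not the tutorial's own configuration: the secret name is the one created by the alb-cert-deploy command above, while the hostname, service name and port are assumptions.

```yaml
# Added example (not from the original post): an Ingress for the IBM Cloud
# Kubernetes Service ALB that terminates TLS with the secret created by
# `ibmcloud ks alb-cert-deploy`. The secret name is the one from the post;
# the hostname, service name and service port are assumptions.
apiVersion: extensions/v1beta1   # Ingress API used by IKS at the time of the post
kind: Ingress
metadata:
  name: secure-file-storage-ingress
  annotations:
    # IKS ALB annotation: redirect plain HTTP to HTTPS so no request to the
    # app is served over an unencrypted connection.
    ingress.bluemix.net/redirect-to-https: "True"
spec:
  tls:
  - hosts:
    - files.example.com                      # assumption: the custom domain
    # Secret created in the cluster by `ibmcloud ks alb-cert-deploy`;
    # the certificate itself stays managed (and monitored) in Certificate Manager.
    secretName: secure-file-storage-certificate
  rules:
  - host: files.example.com                  # must match the TLS host above
    http:
      paths:
      - path: /
        backend:
          serviceName: secure-file-storage   # assumption: the app's Service
          servicePort: 8081                  # assumption: the Service port
```

Kubernetes only resolves a TLS secret from the Ingress's own namespace, so deploy the certificate into the same namespace the Ingress lives in, or the ALB will fall back to its default certificate.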
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.