End to end security for a cloud app on IBM Cloud
Well, that title is a little bit long and ugly, but it basically describes what I wanted to tell you about today. A while ago, I blogged that my team published a tutorial "Apply end to end security to a cloud application". It demonstrates how to secure network traffic (data in transit), cloud object storage (data at rest), and the app itself by access control (authentication). The app runs on the IBM Cloud Kubernetes Service (IKS). By default, the app is exposed on an IBM Cloud-supplied hostname and domain. I updated the tutorial to show how to use a custom domain and deploy a TLS certificate managed by the IBM Cloud Certificate Manager.
Certificate Manager
In July, I discussed how to secure Kubernetes apps with Let's Encrypt wildcard certificates. I generated the certificate, then created a Kubernetes secret from it. The updated tutorial shows a better way of applying the certificate. First, the certificate is imported into the Certificate Manager. This allows you to set up notifications about expiring certificates. There are also some management features available. Once the certificate is in the Certificate Manager, the IBM Cloud command line interface (CLI) lets you deploy it directly to a cluster:
ibmcloud ks alb-cert-deploy --secret-name secure-file-storage-certificate \
    --cluster secure-file-storage-cluster --cert-crn the-certificate-crn
The command creates the named secret, which can then be referenced in the configuration file. From there on, everything is business as usual. Adapt the Ingress configuration to use the custom domain and expose the service:
Secured: Custom domain for Kubernetes app on IBM Cloud
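As an added illustration (not taken from the tutorial or this post), an Ingress resource that references the secret created by the deploy command above could look like the following. Only the secret name comes from the post; the API version, Ingress name, custom domain, service name and port are assumptions.

```yaml
# Added example. Only the secret name is from the post; every other name is hypothetical.
apiVersion: networking.k8s.io/v1        # assumption: current Ingress API version
kind: Ingress
metadata:
  name: secure-file-storage-ingress     # hypothetical Ingress name
spec:
  tls:
    - hosts:
        # Constructed custom domain. It must be covered by the deployed
        # certificate, either as an exact name or by a wildcard entry.
        - secure-file-storage.example.com
      # Secret created by "ibmcloud ks alb-cert-deploy --secret-name ..."
      secretName: secure-file-storage-certificate
  rules:
    # The host here has to match the host listed under tls, otherwise
    # the certificate is not presented for this route.
    - host: secure-file-storage.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: secure-file-storage-service   # hypothetical service name
                port:
                  number: 8081                      # hypothetical service port
```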
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.