In this blog post, we will explore how to leverage Terraform on IBM Cloud to create and manage secrets by integrating IBM Cloud Kubernetes Service with IBM Cloud Secrets Manager.
Previously, users could manage TLS and non-TLS certificates and secrets through the CLI using the namespace “ibmcloud ks ingress secret.” By utilizing the Secrets Manager secret CRNs, users can now create an “Ingress secret” resource in their Kubernetes cluster, which automatically synchronizes any updates made to the secrets within the Secrets Manager instance.
Architecture and Behavior
The IBM Cloud Kubernetes Service handles the creation of Ingress secrets as follows:
- Users need an existing IBM Cloud Secrets Manager instance and IBM Cloud Kubernetes Service instance.
- Users register the Secrets Manager instance to synchronize the secret CRNs between the Secrets Manager secret and Ingress secret(s).
- Users create an IBM Cloud Kubernetes Ingress secret, which can be an Opaque or TLS secret, along with a Secrets Manager CRN. This establishes a correlation between the secret CRN and ClusterID/SecretName/SecretNamespace in the cloud.
- IBM Cloud Kubernetes Service fetches the Secrets Manager secret via the CRN.
- IBM Cloud Kubernetes Service creates a corresponding Kubernetes secret in the cluster using the values from the CRN(s).
- IBM Cloud Kubernetes Service ensures that the secrets remain in sync with the Secrets Manager secret CRN.
Benefits
The integration of IBM Cloud Kubernetes Service and IBM Cloud Secrets Manager offers several benefits:
- Seamless creation and management of Secrets Manager secrets with built-in autorotation for enhanced security.
- Effortless provision of Kubernetes secrets using the secret CRN of any Secrets Manager instance, ensuring consistent and reliable secret management.
- Automatic synchronization and persistence of secrets within the Kubernetes cluster, eliminating the need for manual updates and reducing the risk of outdated secrets.
- Easy tracking and monitoring of expiration dates for timely rotation and prevention of security vulnerabilities.
- Control over access to secrets through the creation of secret groups, enhancing application security.
Hands-on Example
The blog post provides a detailed example of integrating IBM Cloud Kubernetes and IBM Cloud Secrets Manager using a Terraform script. The sample allows users to provision a Secrets Manager instance, register it to an IBM Cloud Kubernetes Service, and create managed IBM Cloud Kubernetes Ingress secrets backed by Secrets Manager secrets. The full sample code can be found on the example’s GitHub repository.
Prerequisites
To follow the example, users will need the following prerequisites:
– IBM Cloud Secrets Manager instance
– IBM Cloud Kubernetes Service instance
Implementing the Terraform Script
The blog post outlines the steps involved in implementing the Terraform script:
- Create an IBM Cloud Secrets Manager instance
- Set up service-to-service authorization through IAM
- Register the Secrets Manager instance to the IBM Cloud Kubernetes Service cluster
- Create secrets in Secrets Manager and enable automatic rotation
- Create a persistent Opaque secret in the cluster using the CRNs of the secrets in Secrets Manager
Creating the Infrastructure
The blog post provides step-by-step instructions on creating the necessary infrastructure using the Terraform script:
- Run “terraform init”
- Copy the “main.tf” and “output.tf” files from the example repository
- Create a “.tfvars” file and fill in the required variables
- Run “terraform plan -var-file=<file_name>”
- Create the resources with “terraform apply -var-file=<file_name>”
Verifying Created Resources
Once the resources are created, users can verify them in the IBM Cloud Dashboard. They can navigate to the created Secrets Manager instance to view the created secrets and to the IBM Cloud Kubernetes Service to view the Opaque secret.
Contact Us
The blog post concludes by encouraging users to expand and tailor the approach to fit their use case. Users can engage the IBM team via Slack for further support and join the discussion in the #general channel on the public IBM Cloud Kubernetes Service Slack.
FAQs
1. Can Terraform be used with any version of IBM Cloud Kubernetes Service?
Terraform can be used with any version of IBM Cloud Kubernetes Service.
2. Are there any additional costs associated with utilizing Terraform for Kubernetes secret management with IBM Cloud?
There are no additional costs for utilizing Terraform with IBM Cloud Kubernetes Service and Secrets Manager. However, users should refer to IBM Cloud pricing for any costs associated with using the services.
3. Can the Terraform script be customized to fit specific requirements?
Yes, the Terraform script provided in the example can be customized to fit specific requirements by modifying the variables and resources.