Overview

Skill Level: Intermediate

This recipe provides the steps to change the TLS certificate used by the Ingress deployment in the Kubernetes environment of Information Server. These steps were verified on versions 11.7.0.1, 11.7.0.2, and 11.7.1.x.

Step-by-step

  1. Obtain the new TLS certificate

    The certificate and server key need to be available as two files in PEM format. These two files are usually provided by a certificate authority if the certificate is to be trusted by a web browser or truststore.

    If you wish to create your own self-signed certificate, you can execute the following command:

    openssl req -new -x509 -nodes -out ingress.crt -keyout ingress.key -days 9999 -subj /CN=hostname.fqdn.com

    Note: Self-signed certificates will not be automatically trusted by most browsers or truststores.


    To create a CSR (Certificate Signing Request) to send to your certificate authority, you can run a command such as:

    openssl req -new -newkey rsa:2048 -nodes -keyout ingress.key -out ingress.csr

    Fill out the prompts and a CSR file will be generated that you can provide to your certificate authority.

    If you receive a certificate in p7b (PKCS #7) format, you’ll need to convert it to an X.509 certificate. You can do this by executing the following command:

    openssl pkcs7 -print_certs -in certificate.p7b -out ingress.pem


    If you receive a certificate in p12 (PKCS #12) format, you’ll need to convert it to an X.509 certificate without including the private key. You can do this by executing the following command:

    openssl pkcs12 -nokeys -in certificate.p12 -out ingress.pem


    In either case, verify that you can load and view the certificate by running:

    openssl x509 -in ingress.pem -text -noout

    If the command displays the details of the certificate, you may continue. If instead you see a message such as “unable to load certificate”, the certificate is in a different format that still needs to be converted; work with your certificate authority for assistance.
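    Before creating the secret in step 2, it is worth confirming that the certificate and key files actually belong together and are not about to expire, since a mismatched pair is only noticed once the Ingress starts serving it. The following shell function is an added example, not part of the original recipe; it assumes the openssl CLI is on PATH and uses the recipe's file names.

```shell
#!/bin/sh
# Added example, not part of the original recipe: sanity-check the PEM
# certificate/key pair from step 1 before it becomes the ingress-nginx-tls
# secret. Assumes the openssl CLI is on PATH; file names are the recipe's.

# check_tls_pair CERT KEY -> 0 if CERT and KEY load, belong together and are
# not about to expire; otherwise prints the reason and returns 1.
check_tls_pair() {
    cert="$1"; key="$2"

    # 1. CERT must load as a PEM X.509 certificate. The recipe's
    #    "unable to load certificate" case lands here (convert it first).
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a loadable X.509 certificate"
        return 1
    fi
    # 2. KEY must load as a private key.
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "FAIL: $key is not a loadable private key"
        return 1
    fi
    # 3. KEY must be the key the certificate was issued for. Comparing the
    #    SubjectPublicKeyInfo catches a CA-signed certificate paired with
    #    the wrong ingress.key (e.g. the key from an earlier CSR).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $cert"
        return 1
    fi
    # 4. Refuse a certificate that is expired or expires within 24 hours;
    #    the Ingress would serve it, but browsers would reject it.
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or expires within 24h"
        return 1
    fi
    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}
```

    Run it as `check_tls_pair ingress.pem ingress.key` (or with ingress.crt for the self-signed case) and only proceed to step 2 on an OK result.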

  2. Create a TLS Secret in Kubernetes

    Using the certificate and key files obtained in the prior step, create a Kubernetes Secret object. The secret will be referenced from the declarative deployment manifest of the Ingress Controller.

    11.7.0.1 and 11.7.0.2:

    To create the secret object, run the following command:

    kubectl -n kube-system create secret tls --cert ingress.pem --key ingress.key ingress-nginx-tls

    11.7.1.x:

    The ingress-nginx-tls secret will already exist, so use the following command to update it with your new certificate:

    kubectl -n kube-system create secret tls --cert ingress.pem --key ingress.key ingress-nginx-tls --dry-run -o yaml | kubectl apply -f -

    At this point, if you’re running 11.7.1.x you are done and can skip the remaining steps. Refresh the web application, such as the Launchpad, and you should see the new certificate being used.

  3. Modify the Ingress Controller (11.7.0.1 and 11.7.0.2 only)

    There are several ways to update the manifest file, but it is advised to directly modify the ingress-nginx-controller.yaml in your respective deployment.

    For hybrid Information Server environments where there is a separate Unified Governance or Enterprise Search tier, this file is usually located in:

    /opt/IBM/UGinstall/manifests/ingress-nginx-controller.yaml

    For InfoSphere Information Server Enterprise Edition with Docker containers offering (i.e. the entire suite of products in containers managed by Kubernetes), the file is usually located in:

    SingleInstaller/manifests/ingress-nginx-controller.yaml

    or

    /home/mykubeadm1/manifests/ingress-nginx-controller.yaml

    A find command can be leveraged if you are unable to find the file:

    find / -name ingress-nginx-controller.yaml -print


    In the manifest file, locate the args section of the controller container (highlighted in the screenshot):

    [image manifest-1: the args section of ingress-nginx-controller.yaml]

    Add an additional line to include the secret created from step 2:

    - --default-ssl-certificate=kube-system/ingress-nginx-tls

    It is essential that spaces (not tabs) are used for indentation and that the new line is indented to the same level as the other args. Your updated file should now match this example:

    [image manifest_original-1: the args section with the --default-ssl-certificate line added]

    Save the file.

  4. Apply the changes to the Kubernetes Cluster (11.7.0.1 and 11.7.0.2 only)

    Finally, apply the modified manifest file to the Kubernetes cluster by executing the following command:

    kubectl apply -f ingress-nginx-controller.yaml

    You will see the existing Ingress pod terminated and a new one launched. You can watch this with:

    kubectl get pods -n kube-system -l app=ingress-nginx

    Once the new pod is marked Ready, the TLS certificate change should be complete. Relaunch the Information Server Launchpad and verify the certificate details.
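    To verify the rollout end to end rather than by eye in the browser, the following added example (not part of the original recipe) compares the SHA-256 fingerprint of the certificate in three places: the local file, the tls.crt stored in the kube-system/ingress-nginx-tls secret from step 2, and the certificate the Ingress actually presents. It assumes openssl and kubectl are on PATH; the hostname passed to check_rollout is a placeholder for your Information Server host.

```shell
#!/bin/sh
# Added example, not part of the original recipe. Compares the certificate
# fingerprint in ingress.pem, in the ingress-nginx-tls secret and at the live
# endpoint so a mismatch points at the step to revisit. Needs openssl, kubectl.

# Fingerprint of a PEM certificate read from stdin; empty string on bad input.
fp_of_pem() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# fp_file ingress.pem
fp_file() {
    fp_of_pem < "$1"
}

# fp_secret [namespace] [secret-name]: what kubectl stored in step 2
fp_secret() {
    kubectl -n "${1:-kube-system}" get secret "${2:-ingress-nginx-tls}" \
        -o jsonpath='{.data.tls\.crt}' | base64 -d | fp_of_pem
}

# fp_served host [port]: what the Ingress presents; -servername sets SNI
fp_served() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        </dev/null 2>/dev/null | fp_of_pem
}

# check_rollout CERT HOST [PORT] -> 0 only when the secret and the live
# endpoint both carry CERT; prints which step to revisit otherwise.
check_rollout() {
    want=$(fp_file "$1")
    [ -n "$want" ] || { echo "FAIL: cannot read $1"; return 1; }
    in_secret=$(fp_secret 2>/dev/null)
    if [ "$in_secret" != "$want" ]; then
        echo "FAIL: secret ingress-nginx-tls holds '$in_secret', expected $want (redo step 2)"
        return 1
    fi
    served=$(fp_served "$2" "${3:-443}")
    if [ -z "$served" ]; then
        echo "FAIL: no certificate received from $2 (is the new pod Ready yet?)"
        return 1
    fi
    if [ "$served" != "$want" ]; then
        echo "FAIL: $2 serves $served (step 3 arg not applied, or old pod still running)"
        return 1
    fi
    echo "OK: $2 serves $want"
}
```

    Call it as `check_rollout ingress.pem is-host.example.com` (placeholder hostname); a FAIL at the secret stage means step 2 did not take, a FAIL at the endpoint stage means steps 3 and 4 did not.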

5 comments on "Changing the TLS certificate in Ingress in Information Server Kubernetes Deployments"

  1. PavanSNadgoudar June 27, 2019

    Hi Scott,

    Thanks for sharing these details. We were able to install certificates on ES server.

    But when we wanted to renew/upgrade the certificate, we created a new certificate and just modified the step below to create a different TLS secret, but now the POD is not coming up and it shows “ImagePullBackOff”.

    kubectl -n kube-system create secret tls --cert ingress.crt --key ingress.key ingress-nginx117-tls

    Output of the command below shows STATUS as ImagePullBackOff:

    kubectl get pods -n kube-system -l app=ingress-nginx

  2. PavanSNadgoudar June 27, 2019

    @Scott Brokaw Please can you help in above query

  3. Scott Brokaw June 28, 2019

    I’ve updated this recipe to reflect instructions for 11.7.1 and replied to your thread in DWAnswers:
    https://developer.ibm.com/answers/questions/492550/how-to-install-ssl-certificate-for-ibm-enterprise.html

  4. It’s not clear how to convert the self-signed ingress.crt and ingress.key files into pem format so that step 2 can happen.

    • Scott Brokaw November 04, 2019

      I’m not sure I understand your question/issue. First, realize that the most common use case would not be substituting a self-signed certificate (as shipped with GA) with another self-signed certificate. Second, the command specified already will create a certificate using the -x509 option, so it should be in a format that is “ready” for step 2.

      Please feel free to open a ticket with support or ask a question on DWAnswers if you need further assistance.
