This blog will focus on the integration of IBM Cloud Code Engine and IBM Cloud Event Notifications, together with IBM Cloud Secrets Manager, to build a use case that automates the certificate renewal process for the applications in your Code Engine project. We will build a simple app on IBM Cloud Code Engine that updates the secrets in a Code Engine project.
The services which we will be using are:
- IBM Cloud Code Engine
- IBM Cloud Event Notifications
- IBM Cloud Secrets Manager
Prior knowledge of these services is not required, although a basic familiarity helps. You can simply follow the instructions and you will be able to build this sample application. All the code is provided at the GitHub URL below. Before we continue, here is a brief overview of these services.
What is IBM Cloud Code Engine?
IBM Cloud Code Engine is a fully managed, serverless platform that runs your containerized workloads, including web apps, microservices, event-driven functions, and batch jobs with run-to-completion characteristics. The Code Engine experience is designed so that you can focus on writing code and not on the infrastructure that is needed to host it.
What is IBM Cloud Event Notifications?
IBM Cloud Event Notifications is a routing service that informs you about critical events that occur in your IBM Cloud account. You can filter and route event notifications from IBM Cloud services like IBM Cloud Monitoring, Security and Compliance Center, Secrets Manager, IBM Cloud Projects, and Toolchain to communication channels like email, webhooks, Slack, IBM Cloud Code Engine, and others.
What is IBM Cloud Secrets Manager?
IBM Cloud Secrets Manager is a service where you can create, lease, and centrally manage secrets that are used in IBM Cloud services or your custom-built applications. Secrets are stored in a dedicated Secrets Manager instance, built on open source.
Embarking on a journey with apps and certificates
Let’s say you have a Code Engine application which has its own secret: a TLS certificate and private key. Generally, you would keep such secrets in something like a vault that manages them for you. Assume that you store this secret in Secrets Manager. You will also store the same secret in the Code Engine project where the app resides. So far, all good: your app can use this secret and is functional.
However, secrets expire after a certain time period and therefore need to be renewed. Everything works fine until the secret expires; at that point your app, which uses this secret, is disrupted, thereby affecting your customers.
If you know Secrets Manager, you will be familiar with the fact that it can also rotate secrets to new ones automatically when they expire. Let’s say you rotate the secret in Secrets Manager. Then what about your Code Engine project? The secret won’t be updated there unless you do it manually. Let’s say you build another Code Engine application which retrieves the secret from Secrets Manager and updates it in the project.
So far so good, but there is still one problem: how will your app know when to update the secret? It needs some way of being notified when the secret is rotated in Secrets Manager. In this scenario you can use Event Notifications to send a notification to your app whenever the secret is rotated in Secrets Manager. When the app is notified, it can then perform the update.
This is what we will do: we will use these different services to automate our secret renewal process. As a result, you do not have to update the secrets manually, and disruptions of your applications due to expired certificates are prevented.
Let’s dive right in
Clone the repository https://github.com/IBM/CodeEngine and hop into the “app-n-event-notification” directory. You will need to create an API key in your IBM Cloud account and insert that API key into the script. You must log in to IBM Cloud and select the Code Engine project you want to work on. After that, execute the run script; this is what will happen during execution.
The run script will:
- Create a Secrets Manager instance and an Event Notifications instance
- Create a secret in Secrets Manager
- Build a Code Engine app (the code is already provided)
- Create the same secret in the Code Engine project
- Create the necessary sources, topics, destinations, etc., in Event Notifications
- Bind all these components together
- Rotate the secret in Secrets Manager
- At last, check the logs of the app to verify that the secret was updated in the Code Engine project
Delving deeper: Unraveling the process
Here is an architecture diagram which will help you visualize the components we are working with.
When you execute the run script in the samples, it creates an Event Notifications instance and a Secrets Manager instance on the Lite plan in your IBM Cloud account. We create a custom certificate using openssl commands and store it in a temporary directory. A secret is created in Secrets Manager and populated with this certificate and key. The necessary components (topics, sources, destinations, and subscriptions) are created in the Event Notifications instance. A Code Engine application is built from local source code, and a Code Engine secret is also created containing the same secret (certificate and key). Both the app and the secret reside in the selected project. At last, we rotate the secret in Secrets Manager with a new certificate.
When the secret is rotated, Secrets Manager acts as a source and sends a JSON notification payload to the Event Notifications topic. The topic has a filter configured to inspect the notification data and check whether that particular certificate was rotated; only a rotation of that particular certificate passes through the topic. A destination is created with the app URL, and a subscription is made between the topic and the destination. When a notification reaches the topic, Event Notifications invokes the Code Engine application by sending it a POST request whose body is the notification payload. The app is configured so that it retrieves the secret from Secrets Manager and then updates the Code Engine secret with the retrieved value.
A word of caution
As we have seen, Event Notifications invokes our application by sending it a POST request carrying the notification. There is one caveat here: Event Notifications has a response timeout of 60 seconds. To learn more, check the documentation of the retry policy.
Simply put, the app must scale up and process the request (i.e., retrieve the secret from Secrets Manager and update it in the project) within 60 seconds. If you need to execute a longer workload, you can use a Code Engine job for it instead. Refer to the Code Engine jobs documentation to learn more.
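The handler logic described in the two sections above, as an added example that is not the sample repository's own code: it mirrors the topic filter (only a rotation of the one watched secret is acted on), performs the fetch-then-update step, and checks the 60-second response budget. The payload field names (`event_type`, `data.secret_id`), the secret ID, and the two API callables are assumptions; the sample payloads are constructed.

```python
import json
import time
from typing import Callable, Dict, Tuple

# Hypothetical placeholder for the one secret this app is responsible for.
WATCHED_SECRET_ID = "00000000-0000-0000-0000-000000000000"
RESPONSE_BUDGET_SECONDS = 60  # Event Notifications waits this long for a 2xx reply

def event_passes_filter(payload: dict, watched_secret_id: str) -> bool:
    """Mirror of the topic filter: pass only a rotation of the watched secret.
    Field names are assumed; verify them against a real notification."""
    data = payload.get("data", {})
    return (payload.get("event_type") == "secret_rotated"
            and data.get("secret_id") == watched_secret_id)

def handle_notification(body: bytes,
                        fetch_secret: Callable[[str], Tuple[str, str]],
                        update_ce_secret: Callable[[str, str], None],
                        watched_secret_id: str = WATCHED_SECRET_ID) -> Dict[str, object]:
    """Process one POST from Event Notifications; return an HTTP-style result."""
    started = time.monotonic()
    try:
        payload = json.loads(body)
    except ValueError:
        return {"status": 400, "reason": "malformed JSON body"}
    if not event_passes_filter(payload, watched_secret_id):
        # Answer 2xx so Event Notifications does not redeliver an event we skip on purpose.
        return {"status": 200, "reason": "ignored: not a rotation of the watched secret"}
    cert, key = fetch_secret(watched_secret_id)   # read the NEW version from Secrets Manager
    update_ce_secret(cert, key)                     # write it into the Code Engine project secret
    if time.monotonic() - started > RESPONSE_BUDGET_SECONDS:
        # A reply this late counts as a timeout and the notification is retried.
        return {"status": 500, "reason": f"exceeded {RESPONSE_BUDGET_SECONDS}s budget"}
    return {"status": 200, "reason": "secret updated"}

# Constructed sample payloads (not captured from a real instance).
ROTATED = json.dumps({"event_type": "secret_rotated",
                      "data": {"secret_id": WATCHED_SECRET_ID, "secret_name": "app-tls"}}).encode()
OTHER = json.dumps({"event_type": "secret_rotated",
                    "data": {"secret_id": "11111111-1111-1111-1111-111111111111"}}).encode()

def demo() -> Tuple[list, bool]:
    """Run the handler over the samples with in-memory stand-ins for the two API calls."""
    store: Dict[str, str] = {}
    def fetch_secret(secret_id: str) -> Tuple[str, str]:      # stand-in for Secrets Manager
        return ("CERT-PLACEHOLDER-" + secret_id[:8], "KEY-PLACEHOLDER")
    def update_ce_secret(cert: str, key: str) -> None:       # stand-in for Code Engine
        store["tls.crt"], store["tls.key"] = cert, key
    statuses = [handle_notification(b, fetch_secret, update_ce_secret)["status"]
                for b in (ROTATED, OTHER, b"{not json")]
    return statuses, "tls.crt" in store
```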
Goodbye
We learned about these services and created an automation tool for certificate renewal. If your certificates come from third-party vendors, refer to the documentation on how to connect third-party certificate authorities to Secrets Manager.
Learn more about IBM Cloud Code Engine
- Source: https://www.ibm.com/blog/how-to-automate-certificate-renewal-in-ibm-cloud-code-engine/