This blog will focus on the integration of IBM Cloud Code Engine and IBM Cloud Event Notifications along with IBM Cloud Secrets Manager to build a robust use case that will automate your certificate renewal process for applications in your code engine project. We will build a simple app using IBM Cloud Code Engine to update your secrets in a Code Engine Project.
The services which we will be using are:
It is not required to have a prerequisite knowledge on these services—although brief knowledge would be good. You can just follow the instructions and you will be able to build this sample application. All the code is provided in the Github URL. Before we continue let me give you a brief knowledge on these services.
What is IBM Cloud Code Engine?
IBM Cloud Code Engine is a fully managed, serverless platform that runs your containerized workloads, including web apps, microservices, event-driven functions, and batch jobs with run-to-completion characteristics. The Code Engine experience is designed so that you can focus on writing code and not on the infrastructure that is needed to host it.
What is IBM Cloud Event Notifications?
IBM Cloud Event Notifications is a routing service that provides you about critical events that occur in your IBM Cloud account. You can filter and route event notifications from IBM Cloud services like IBM Cloud Monitoring, Security and Compliance Center, Secrets Manager, IBM Cloud Projects, and Toolchain to communication channels like email, webhook, slack, IBM Code Engine, et al.
What is IBM Cloud Secrets Manager?
IBM Cloud Secrets Manager is a service where you can create, lease, and centrally manage secrets that are used in IBM Cloud services or your custom-built applications. Secrets are stored in a dedicated Secrets Manager instance, built on open source.
Embarking Journey with apps and certificates
Let’s say you have your Code Engine Application which has its own secret—TLS Certificate and Private Key. Generally, you would keep these secrets in something like a vault that would manage it. Assume that you store this secret in Secrets Manager. You will also store the same secret in your Code Engine Project where the App resides. So far, all good, your app will be able to use this secret and will be functional.
However, secrets can expire after a certain time period and therefore needs to be renewed. Everything was working fine until the secret expired, your app which uses this secret will be disrupted, thereby affecting your customers.
If you know about Secrets Manager, then you would be familiar that it can also rotate the secrets to new one automatically when they get expired. Let’s say you rotate the secrets in the Secrets Manager. Then what about your Code Engine Project? The secrets won’t be updated there, unless you manually do it. Let’s say you built another Code Engine Application which will retrieve the secrets from the Secrets Manager and update it in the project.
So far so good, but there is still one problem: How will your app know when to update the secret? Unless there was some way the app gets notified when the secrets were rotated in the Secrets Manager. In this scenario you can use Event Notifications to send notification to your app whenever the secret got rotated in the Secrets Manager. When the app gets notified, it can then do the update.
This is what we will do, we will use these different services and automate our secret renewal process. Therefore, you as a user do not have to manually update the secrets and preventing disruptions of your applications due to expired certificates
Let’s dive right in
Clone the repository https://github.com/IBM/CodeEngine and hop into the “app-n-event-notification” directory. You would have to create an API Key in your IBM Cloud Account. You would have to insert the API Key in the script. You must log into the IBM Cloud and select the Code Engine Project you want to work on. After that execute the run script and this is what will be happen after execution.
The run script will:
Create an instance in the Secrets Manager and Event Notifications
Create a secret in the Secrets Manager
Build a Code Engine App (code is already provided)
Create same secret in the Code Engine Project
Create necessary sources, topics, destination etc., in Event Notifications
Bind all these components together
Rotate the secrets in Secrets Manager
At last, we will check the logs of the apps to verify if secret got updated in Code Engine Project
Delving deeper: Unraveling the process
Here is an architecture which will help you visualize the components we are working with.
When you execute the run script in the samples, it creates the Event Notifications Instance and Secrets Manager Instance of lite plan in your IBM Cloud Account. We create custom certificates using openssl commands and store in a temporary directory. A secret is created in the Secret Manager and is populated with this certificate and key. Necessary components like topics, sources, destinations, and subscriptions are created in the Event Notification Instance. A Code Engine application is built using local source code and a Code Engine secret is also created containing the same secret (certificate and key). Both the app and secret will reside in the same project selected. At last, we rotate the secret in the Secrets Manager with a new certificate.
When the secret is rotated, your Secrets Manager will act as a source and it will send a notification payload of json structure to Event Notification Topic. The Topic will have a filter which is configured in such a way that it will extract the notification data and check if that particular certificate was rotated. If and only if it that particular certificate was rotated, then it can pass through to the topic. There would be a destination created with the app URL. A subscription would be made between the topic and the destination. When the notification comes to the topic, the Event Notification will invoke the Code Engine Application by sending POST request to it with data being the notification payload. The App is configured in such a way that it will retrieve the secret from Secrets Manager and after that it will update the code engine secret with the retrieved secret.
A word of caution
As we have seen that Event Notification will invoke our application via sending POST request to it with the notification. But there is one caveat here, there is a response timeout from Event Notifications which is 60 seconds. To know more about it check the documentation of retry policy.
Simply put the app should scale up and process the response (i.e retrieve secret from Secrets Manager and update it in the project) within 60 seconds. If you consider executing a longer workload then you can use the Code Engine Job for the same. Refer to this documentation to know more about Code Engine Jobs.
Goodbye
We learned and created an automation tool for certificate renewal. If you have your certificates from third-party vendors, then you can refer this documentation on how to connect third-party certificate authorities to Secrets Manager.
Learn more about IBM Cloud Code Engine