MQ

 View Only

Using Helm to manage TLS certificates for MQ in AWS EKS

By Nipun Goel posted Fri January 26, 2024 09:40 AM

  

In this article, we shall discuss the MQ TLS certificate management when used in a Kubernetes cluster using Helm. It is a specific case for AWS EKS, but basic principle remains the same even for Azure.

Prerequisites:

  • A ready EKS cluster
  • MQ certificate and key along with signer certificates (if using a CA signed cert)
  • Helm installed and access configured to the EKS cluster from your machine

When deploying MQs in an EKS cluster, TLS is a major consideration. IBM provides Helm charts for the deployment of a queue manager on a Kubernetes cluster

https://github.com/ibm-messaging/mq-helm/tree/main/charts/ibm-mq/templates

Here, in the values.yaml file in the pki section, we have to provide the pki information as below:

        pki:
          keys: 
          - name: ibmwebspheremqqmgr
            secret:
              secretName: ibmmqsecret
              items:
                - tls.key
                - tls.crt
                - signer1.crt
                - signer2.crt
                - signer3.crt

In order for the above deployment to be successful, we have to ensure that the secret containing this information exists beforehand. And since this is confidential information, keeping it in Git is not a good idea. 

We can make use of AWS Systems Manager Parameter Store for storing this information and then deploying it in our EKS cluster through a simple Helm chart. Just enter the certificate information (base64 encoded format) into the AWS console. We will be doing all of this in the eu-west-1 region where our EKS cluster should also exist.

Create the needed parameters as below:

Now that this is done, we are ready to create and deploy our Helm chart in our EKS cluster. 

In a new directory called mq-certificates, create the below files:

Chart.yaml

apiVersion: v1
name: root
version: 1.0.0

values.yaml

spec:
  mqTlsCrt: ref+awsssm://dev/tlscrt?region=eu-west-1
  mqTlsKey: ref+awsssm://dev/tlskey?region=eu-west-1
  signer1: ref+awsssm://dev/signer1?region=eu-west-1
  signer2: ref+awsssm://dev/signer2?region=eu-west-1
  signer3: ref+awsssm://dev/signer3?region=eu-west-1

Create a directory "templates" and inside it a file

ibmmqsecret.yaml

apiVersion: v1
data:
  tls.crt: {{ .Values.spec.mqTlsCrt }}
  tls.key: {{ .Values.spec.mqTlsKey }}
  signer1.crt: {{ .Values.spec.signer1 }}
  signer2.crt: {{ .Values.spec.signer2 }}
  signer3.crt: {{ .Values.spec.signer3 }}
kind: Secret
metadata:
  name: ibmmqsecret
  namespace: ibm-mq
type: kubernetes.io/tls

Now we can deploy our secret using this Helm chart onto our EKS cluster and then deploy the MQ using its Helm chart. 

helm install mq-secret ./mq-certificates

Your MQ secret is now deployed in the cluster, and you can proceed with the deployment of the MQ queue manager. In the future when you need to renew the certificate, just update the values in AWS Systems Manager Parameter store and deploy the Helm release once again, for the new values to take effect, followed by a rolling update of the MQ pods. This will result in the certificate being renewed.


#Featured-area-2-home
0 comments
25 views

Permalink