Calico Cloud Pro documentation

Provide TLS certificates for the API server

Big picture

Provide TLS certificates to secure access to the Calico Cloud API server.

Value

Providing TLS certificates for Calico Cloud components is recommended as part of a zero trust network model for security.

Concepts

Calico Cloud API server

The Calico Cloud API server handles requests for Calico Cloud API resources. The main Kubernetes API server has an aggregation layer and will proxy requests for the Calico Cloud API resources to the Calico Cloud API server.

Before you begin...

By default, the Calico Cloud API server uses self-signed certificates on its connections. To provide your own TLS certificates, obtain a certificate and key pair for the Calico Cloud API server using any X.509-compatible tool or from your organization's Certificate Authority. The certificate must have a Common Name or a Subject Alternative Name of tigera-api.tigera-system.svc.

This feature is available for Kubernetes and OpenShift.

How to

Add TLS certificates

To provide certificates for use during deployment you must create a secret before applying the 'custom-resource.yaml' or before creating the Installation resource. To specify certificates for use in the Calico Cloud web console, create a secret using the following command:

kubectl create secret generic tigera-apiserver-certs -n tigera-operator --from-file=apiserver.crt=</path/to/certificate-file> --from-file=apiserver.key=</path/to/key-file>

To update existing certificates, run the following command:

kubectl create secret generic tigera-apiserver-certs -n tigera-operator --from-file=apiserver.crt=</path/to/certificate-file> --from-file=apiserver.key=</path/to/key-file> --dry-run -o yaml --save-config | kubectl replace -f -
Note: If the Calico Cloud API server is already running, updating the secret restarts the API server. While the server restarts, the Calico Cloud API server may be unavailable for a short period of time.
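Because the operator only checks the secret once it loads it, it is worth confirming before running either kubectl command above that the pair actually meets the page's requirement: the certificate names tigera-api.tigera-system.svc (CN or SAN), the key belongs to that certificate, and the certificate has not expired. The following pre-flight script is an added example, not part of the Calico Cloud docs; it assumes the openssl CLI is installed (OpenSSL 1.1.1 or later for the -ext option) and takes the certificate and key file paths as its arguments.

```shell
#!/bin/sh
# Pre-flight checks for the certificate/key pair that will go into the
# tigera-apiserver-certs secret. Needs the openssl CLI (OpenSSL 1.1.1+ for -ext).
# The required name comes from the page; the file paths are whatever you pass in.
REQUIRED_NAME="tigera-api.tigera-system.svc"

# 0 if the certificate carries REQUIRED_NAME as a DNS SAN or as the subject CN.
cert_has_required_name() {
  if openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
      | grep -Eq "DNS:${REQUIRED_NAME}(,|$)"; then
    return 0
  fi
  openssl x509 -in "$1" -noout -subject | grep -Eq "CN *= *${REQUIRED_NAME}(,|/|$)"
}

# 0 if the private key really belongs to the certificate (same public key).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate has not expired (notAfter is still in the future).
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Run all checks; returns non-zero with a reason on stderr if any fails.
preflight() {
  cert_has_required_name "$1" || { echo "$1: no CN/SAN for ${REQUIRED_NAME}" >&2; return 1; }
  key_matches_cert "$1" "$2"   || { echo "$2: does not match $1" >&2; return 1; }
  cert_not_expired "$1"        || { echo "$1: expired" >&2; return 1; }
  echo "OK: $1 and $2 are ready for secret tigera-apiserver-certs"
}

# Usage: preflight /path/to/certificate-file /path/to/key-file
```

A non-zero exit from preflight means the secret would be created but the API server would serve a certificate the aggregation layer does not trust, so fix the pair first.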