Provide TLS certificates for the API server
Big picture
Provide TLS certificates to secure access to the Calico Cloud API server.
Value
Providing TLS certificates for Calico Cloud components is recommended as part of a zero trust network model for security.
Concepts
Calico Cloud API server
The Calico Cloud API server handles requests for Calico Cloud API resources. The main Kubernetes API server has an aggregation layer and will proxy requests for the Calico Cloud API resources to the Calico Cloud API server.
Before you begin...
By default, the Calico Cloud API server uses self-signed certificates on connections. To provide your own TLS certificates,
get a certificate and key pair for the Calico Cloud API Server using any X.509-compatible tool or from your organization's Certificate Authority. The certificate must have a Common Name or a Subject Alternate Name of tigera-api.tigera-system.svc.
This feature is available for Kubernetes and OpenShift.
How to
Add TLS certificates
To provide certificates for use during deployment, you must create a secret before applying the 'custom-resource.yaml' or before creating the Installation resource. To specify certificates for use in the Calico Cloud web console, create a secret using the following command:
kubectl create secret generic tigera-apiserver-certs -n tigera-operator --from-file=apiserver.crt=</path/to/certificate-file> --from-file=apiserver.key=</path/to/key-file>
To update existing certificates, run the following command:
kubectl create secret generic tigera-apiserver-certs -n tigera-operator --from-file=apiserver.crt=</path/to/certificate-file> --from-file=apiserver.key=</path/to/key-file> --dry-run=client -o yaml --save-config | kubectl replace -f -
If the Calico Cloud API server is already running, updating the secret restarts the API server. While the server restarts, the Calico Cloud API server may be unavailable for a short period of time.
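The following script is an added example, not part of the Calico Cloud documentation or the Tigera operator: it generates a CSR carrying the name the API server certificate must present, checks that a signed certificate actually contains that name before it is stored, and then writes the tigera-apiserver-certs secret. It assumes openssl (1.1.1 or later, for -addext) and kubectl are installed; all file paths are hypothetical, and the self-signed helper exists only for local testing.

```shell
#!/bin/sh
# Added example (not from the Calico Cloud docs). Assumes openssl >= 1.1.1 and kubectl.
set -eu

# The name the Kubernetes aggregation layer verifies when it proxies to the API server.
REQUIRED_NAME="tigera-api.tigera-system.svc"

# gen_apiserver_csr KEY_OUT CSR_OUT
# Creates a private key (mode 0600 via umask) and a CSR with the required name as both
# CN and DNS SAN, ready to submit to your organization's Certificate Authority.
gen_apiserver_csr() {
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$1" -out "$2" \
      -subj "/CN=$REQUIRED_NAME" \
      -addext "subjectAltName=DNS:$REQUIRED_NAME" 2>/dev/null )
}

# check_apiserver_cert CERT_FILE
# Returns 0 only if the certificate matches the required hostname. openssl -checkhost
# uses the SAN when present and falls back to the CN otherwise, the same rule a
# TLS client applies, so a certificate that fails here would fail at runtime too.
check_apiserver_cert() {
  openssl x509 -in "$1" -noout -checkhost "$REQUIRED_NAME" 2>/dev/null \
    | grep -q "does match certificate"
}

# make_demo_cert NAME KEY_OUT CERT_OUT
# Local testing only: a one-day self-signed certificate for NAME. In production the
# CSR from gen_apiserver_csr is signed by your CA instead.
make_demo_cert() {
  ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -keyout "$2" -out "$3" -subj "/CN=$1" \
      -addext "subjectAltName=DNS:$1" 2>/dev/null )
}

# make_apiserver_secret CERT_FILE KEY_FILE
# Builds the secret the operator reads. Piping through apply works both for the initial
# creation and for later rotation, so one function covers both commands on this page.
make_apiserver_secret() {
  kubectl create secret generic tigera-apiserver-certs -n tigera-operator \
    --from-file=apiserver.crt="$1" --from-file=apiserver.key="$2" \
    --dry-run=client -o yaml --save-config | kubectl apply -f -
}

# Usage: sh apiserver-certs.sh /path/to/apiserver.crt /path/to/apiserver.key
if [ "$#" -eq 2 ]; then
  check_apiserver_cert "$1" || { echo "certificate lacks $REQUIRED_NAME" >&2; exit 1; }
  make_apiserver_secret "$1" "$2"
fi
```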