Provide TLS certificates for Typha and Node
Big picture
Provide TLS certificates that allow mutual TLS authentication between Node and Typha.
Value
By default, Calico Cloud Typha and Node components are configured with self-signed Certificate Authority (CA) and certificates for mutual TLS authentication. This article describes how to provide a CA and TLS certificates.
Concepts
Mutual TLS authentication means each side of a connection authenticates the other side. As such, the CA and certificates that are used must all be in sync. If one side of the connection is updated with a certificate that is not compatible with the other side, communication stops. So if certificate updates are mismatched on Typha, Node, or CA certificate, new pod networking and policy application will be interrupted until you restore compatibility. To make it easy to keep updates in sync, this article describes how to use one command to apply updates for all resources.
Before you begin...
Get the Certificate Authority certificate and signed certificate and key pairs for Calico Cloud Typha and Node
- Generate the certificates using any X.509-compatible tool or from your organization's CA.
- Ensure the generated certificates meet the requirements for TLS connections between Node and Typha.
How to
Create resource file
-
Create the CA ConfigMap with the following commands:
kubectl create configmap typha-ca -n tigera-operator --from-file=caBundle=</path/to/CA/cert> --dry-run -o yaml --save-config > typha-node-tls.yaml
echo '---' >> typha-node-tls.yamltipThe contents of the caBundle field should contain the CA or the certificates for both Typha and Node. It is possible to add multiple PEM blocks.
-
Create the Typha Secret with the following command:
kubectl create secret generic typha-certs -n tigera-operator \
--from-file=cert.crt=</path/to/typha/cert> --from-file=key.key=</path/to/typha/key> \
--from-literal=common-name=<typha certificate common name> --dry-run -o yaml --save-config >> typha-node-tls.yaml
echo '---' >> typha-node-tls.yamltipIf using SPIFFE identifiers replace
--from-literal=common-name=<typha certificate common name>
with--from-literal=uri-san=<typha SPIFFE ID>
. -
Create the Node Secret with the following command:
kubectl create secret generic node-certs -n tigera-operator \
--from-file=cert.crt=</path/to/node/cert> --from-file=key.key=</path/to/node/key> \
--from-literal=common-name=<node certificate common name> --dry-run -o yaml --save-config >> typha-node-tls.yamltipIf using SPIFFE identifiers replace
--from-literal=common-name=<node certificate common name>
with--from-literal=uri-san=<node SPIFFE ID>
.
Apply or update resources
- Apply the
typha-node-tls.yaml
file.- To create these resource for use during deployment, you must apply this file before applying
custom-resource.yaml
or before creating the Installation resource. To apply this file, use the following command:kubectl apply -f typha-node-tls.yaml
- To update existing resources, use the following command:
kubectl replace -f typha-node-tls.yaml
- To create these resource for use during deployment, you must apply this file before applying
If Calico Cloud Node and Typha are already running, the update causes a rolling restart of both. If the new CA and certificates are not compatible with the previous set, there may be a period where the Node pods produce errors until the old set CA and certificates are replaced with the new ones.