Version: 3.18 (latest)

Provide TLS certificates for the API server

Big picture

Provide TLS certificates to secure access to the Calico Enterprise API server.

Value

Providing TLS certificates for Calico Enterprise components is recommended as part of a zero trust network model for security.

Concepts

Calico Enterprise API server

The Calico Enterprise API server handles requests for Calico Enterprise API resources. The main Kubernetes API server has an aggregation layer and will proxy requests for the Calico Enterprise API resources to the Calico Enterprise API server.

Before you begin...

By default, the Calico Enterprise API server uses self-signed certificates on its connections. To provide your own TLS certificates, obtain a certificate and key pair for the Calico Enterprise API server using any X.509-compatible tool or from your organization's Certificate Authority. The certificate must have a Common Name (CN) or a Subject Alternative Name (SAN) of tigera-api.tigera-system.svc.

This feature is available for Kubernetes and OpenShift.

How to

Add TLS certificates

To provide certificates for use during deployment, you must create the secret before applying 'custom-resource.yaml' or before creating the Installation resource. To specify certificates for use in the Calico Enterprise Manager, create the secret using the following command:

kubectl create secret generic tigera-apiserver-certs -n tigera-operator --from-file=apiserver.crt=</path/to/certificate-file> --from-file=apiserver.key=</path/to/key-file>

To update existing certificates, run the following command:

kubectl create secret generic tigera-apiserver-certs -n tigera-operator --from-file=apiserver.crt=</path/to/certificate-file> --from-file=apiserver.key=</path/to/key-file> --dry-run=client -o yaml --save-config | kubectl replace -f -

Note: If the Calico Enterprise API server is already running, updating the secret restarts the API server. While the server restarts, the Calico Enterprise API server may be unavailable for a short period of time.
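The following script is an added example, not part of the Calico Enterprise documentation or product. It checks a certificate/key pair against the requirement stated above (a CN or SAN of tigera-api.tigera-system.svc, plus a matching key and an unexpired certificate) before the pair is handed to kubectl, and wraps the page's create and replace commands. The gen_apiserver_cert helper issues a test pair from a constructed local CA as a stand-in for your organization's CA; the file paths and the CA name are assumptions.

```shell
# Added example (not the Calico Enterprise docs' own code): validate an API
# server certificate/key pair, then create or rotate the tigera-apiserver-certs
# secret with the commands from the page. Requires openssl and kubectl.
set -eu

API_SERVER_DNS="tigera-api.tigera-system.svc"

# Issue a key/certificate pair for the API server into directory $1, signed by
# a throwaway local CA (constructed stand-in for your organization's CA).
# $2 optionally overrides the DNS name, used to demonstrate a rejected cert.
gen_apiserver_cert() {
  dir="$1"; name="${2:-$API_SERVER_DNS}"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example-local-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # CSR for the API server; the SAN is supplied through an extension file so
  # the same commands work with OpenSSL 1.1.1 and 3.x.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/apiserver.key" -out "$dir/apiserver.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/apiserver.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/san.cnf" -out "$dir/apiserver.crt" 2>/dev/null
}

# Return 0 only if the pair is usable for the Calico Enterprise API server:
# the service name is present as a SAN (or as the CN), the private key matches
# the certificate, and the certificate has not expired.
check_apiserver_cert() {
  crt="$1"; key="$2"
  # Each SAN entry on its own line, then require an exact DNS entry match.
  if ! openssl x509 -in "$crt" -noout -text | tr ',' '\n' \
         | grep -qx "[[:space:]]*DNS:$API_SERVER_DNS" \
     && ! openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$API_SERVER_DNS$"; then
    echo "certificate does not name $API_SERVER_DNS" >&2; return 1
  fi
  # The public key derived from the private key must equal the one in the cert.
  if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "private key does not match certificate" >&2; return 1
  fi
  if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
    echo "certificate has expired" >&2; return 1
  fi
  return 0
}

# Initial deployment: the page's create command (run before applying
# custom-resource.yaml or creating the Installation resource).
create_apiserver_secret() {
  kubectl create secret generic tigera-apiserver-certs -n tigera-operator \
    --from-file=apiserver.crt="$1" --from-file=apiserver.key="$2"
}

# Rotation of an existing secret: the page's replace pipeline. Expect a short
# API server restart after this runs.
replace_apiserver_secret() {
  kubectl create secret generic tigera-apiserver-certs -n tigera-operator \
    --from-file=apiserver.crt="$1" --from-file=apiserver.key="$2" \
    --dry-run=client -o yaml --save-config | kubectl replace -f -
}

# Usage: sh apiserver-tls.sh /path/to/apiserver.crt /path/to/apiserver.key
# With no arguments nothing runs, so the file can be sourced for its functions.
if [ "$#" -eq 2 ]; then
  check_apiserver_cert "$1" "$2"
  create_apiserver_secret "$1" "$2"
fi
```

The SAN check normalises the openssl -text output so that only an exact DNS entry for the service name passes; a certificate issued for a different host, or a key that belongs to another certificate, is rejected before kubectl ever sees it, which avoids replacing a working secret with one the API server cannot serve.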

Additional resources

Additional documentation is available for securing Calico Enterprise manager connections.