Provide TLS certificates for compliance
Big picture
Provide TLS certificates to secure access to the Calico Enterprise compliance components.
Value
Providing TLS certificates for Calico Enterprise compliance components is recommended as part of a zero trust network model for security.
Before you begin...
By default, Calico Enterprise uses self-signed certificates for its compliance reporting components. To provide TLS certificates, get the certificate and key pair for the Calico Enterprise compliance components using any X.509-compatible tool or from your organization's Certificate Authority. The certificate must have a Common Name or a Subject Alternative Name of compliance.tigera-compliance.svc.
How to
Add TLS certificates for compliance
To provide TLS certificates for use by Calico Enterprise compliance components during deployment, you must create a secret before applying the 'custom-resource.yaml' or before creating the Compliance resource. Use the following command to create a secret:
kubectl create secret generic tigera-compliance-server-tls -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file>
To update existing certificates, run the following command:
kubectl create secret generic tigera-compliance-server-tls -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file> --dry-run=client -o yaml --save-config | kubectl replace -f -
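A pre-flight check to run on the certificate and key before loading them into the secret, as an added example that is not part of the Calico Enterprise documentation. The function names, return codes and the throwaway self-signed sample certificates are assumptions made for illustration; it needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example: validate the files destined for tigera-compliance-server-tls.
REQUIRED_NAME=compliance.tigera-compliance.svc

# check_compliance_cert CERT KEY (hypothetical helper)
# Returns 0 if usable, 1 unreadable cert, 2 name mismatch, 3 expired, 4 key mismatch.
check_compliance_cert() {
  crt=$1; key=$2
  openssl x509 -in "$crt" -noout 2>/dev/null ||
    { echo "cannot parse PEM certificate: $crt" >&2; return 1; }
  # -checkhost matches DNS SANs and falls back to the CN only when no DNS SAN exists.
  openssl x509 -in "$crt" -noout -checkhost "$REQUIRED_NAME" 2>/dev/null |
    grep -q 'does match' ||
    { echo "certificate is not valid for $REQUIRED_NAME" >&2; return 2; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "certificate has expired" >&2; return 3; }
  # The private key must belong to the certificate: compare the public halves.
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate" >&2; return 4; }
  return 0
}

# make_sample_cert PREFIX DNSNAME: constructed throwaway self-signed pair for the demo.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Demo on constructed certificates: one with the required name, one without.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/good" "$REQUIRED_NAME"
make_sample_cert "$demo_dir/wrong" compliance.example.invalid
check_compliance_cert "$demo_dir/good.crt" "$demo_dir/good.key" && echo "good pair: OK"
check_compliance_cert "$demo_dir/wrong.crt" "$demo_dir/wrong.key" ||
  echo "wrong pair rejected (rc=$?)"
```

Run `check_compliance_cert` against your real certificate and key files and create or replace the secret only when it returns 0.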