Skip to main content
Calico Enterprise 3.20 (latest) documentation

Provide TLS certificates for Linseed APIs

Big picture​

Provide TLS certificates to secure access to Calico Enterprise to the Linseed components.

Value​

Providing TLS certificates for Calico Enterprise Linseed components is recommended as part of a zero trust network model for security.

Before you begin...​

By default, Calico Enterprise uses self-signed certificates for its Linseed components. To provide TLS certificates, get the certificate and key pair for the Calico Enterprise Linseed using any X.509-compatible tool or from your organization's Certificate Authority. The certificate must have Common Name or a Subject Alternate Name of tigera-linseed.tigera-elasticsearch.svc.

How to​

Add TLS certificates for PacketCapture​

To provide TLS certificates for use by Calico Enterprise Linseed components during deployment, you must create a secret before applying the 'custom-resource.yaml' or before creating the LogStorage resource. Use the following command to create a secret:

kubectl create secret generic tigera-secure-linseed-cert -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file>

To update existing certificates, run the following command:

kubectl create secret generic tigera-secure-linseed-cert -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file> --dry-run -o yaml --save-config | kubectl replace -f -