Skip to main content
Calico Enterprise 3.19 (latest) documentation

Provide TLS certificates for Linseed APIs

Big picture

Provide TLS certificates to secure access to Calico Enterprise to the Linseed components.

Value

Providing TLS certificates for Calico Enterprise Linseed components is recommended as part of a zero trust network model for security.

Before you begin...

By default, Calico Enterprise uses self-signed certificates for its Linseed components. To provide TLS certificates, get the certificate and key pair for the Calico Enterprise Linseed using any X.509-compatible tool or from your organization's Certificate Authority. The certificate must have Common Name or a Subject Alternate Name of tigera-linseed.tigera-elasticsearch.svc.

How to

Add TLS certificates for PacketCapture

To provide TLS certificates for use by Calico Enterprise Linseed components during deployment, you must create a secret before applying the 'custom-resource.yaml' or before creating the LogStorage resource. Use the following command to create a secret:

kubectl create secret generic tigera-secure-linseed-cert -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file>

To update existing certificates, run the following command:

kubectl create secret generic tigera-secure-linseed-cert -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file> --dry-run -o yaml --save-config | kubectl replace -f -