Provide TLS certificates for Calico Enterprise Manager

Big picture

Provide TLS certificates that secure access to the Calico Enterprise manager user interface.

Value

By default, the Calico Enterprise manager UI uses self-signed TLS certificates on connections. This article describes how to provide TLS certificates that users' browsers will trust.

Before you begin...

• Get the certificate and key pair for the Calico Enterprise Manager UI Generate the certificate using any X.509-compatible tool or from your organization's Certificate Authority. The certificate must have Common Name or Subject Alternate Names that match the IPs or DNS names that will be used to access the manager UI.

How to

To provide certificates for use during deployment you must create a secret before applying the 'custom-resource.yaml' or before creating the Installation resource. To specify certificates for use in the manager, create a secret using the following command:

kubectl create secret generic manager-tls -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file>

To update existing certificates, run the following command:

kubectl create secret generic manager-tls -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file> --dry-run -o yaml --save-config | kubectl replace -f -

If the Calico Enterprise Manager UI is already running then updating the secret should cause it to restart and pickup the new certificate and key. This will result in a short period of unavailability of the Calico Enterprise Manager UI.

Additional resources

Additional documentation is available for securing Calico Enterprise manager connections.