Provide TLS certificates for Calico Enterprise Manager
Big picture
Provide TLS certificates that secure access to the Calico Enterprise manager user interface.
Value
By default, the Calico Enterprise manager UI uses self-signed TLS certificates on connections. This article describes how to provide TLS certificates that users' browsers will trust.
Before you begin...
- Get the certificate and key pair for the Calico Enterprise Manager UI Generate the certificate using any X.509-compatible tool or from your organization's Certificate Authority. The certificate must have Common Name or Subject Alternate Names that match the IPs or DNS names that will be used to access the manager UI.
How to
To provide certificates for use during deployment you must create a secret before applying the 'custom-resource.yaml' or before creating the Installation resource. To specify certificates for use in the manager, create a secret using the following command:
kubectl create secret generic manager-tls -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file>
To update existing certificates, run the following command:
kubectl create secret generic manager-tls -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file> --dry-run -o yaml --save-config | kubectl replace -f -
If the Calico Enterprise Manager UI is already running then updating the secret should cause it to restart and pickup the new certificate and key. This will result in a short period of unavailability of the Calico Enterprise Manager UI.
Additional resources
Additional documentation is available for securing Calico Enterprise manager connections.