Calico Enterprise 3.19 (latest) documentation

Provide TLS certificates for PacketCapture APIs

Big picture

Provide TLS certificates to secure access to the Calico Enterprise PacketCapture components.

Value

Providing TLS certificates for Calico Enterprise PacketCapture components is recommended as part of a zero trust network model for security.

Before you begin...

By default, Calico Enterprise uses self-signed certificates for its PacketCapture API components. To provide your own TLS certificates, obtain a certificate and key pair for Calico Enterprise PacketCapture using any X.509-compatible tool or from your organization's Certificate Authority. The certificate must have a Common Name or a Subject Alternative Name of tigera-packetcapture.tigera-packetcapture.svc.

How to

Add TLS certificates for PacketCapture

To provide TLS certificates for use by Calico Enterprise PacketCapture components during deployment, you must create a secret before applying the 'custom-resource.yaml' or before creating the APIServer resource. Use the following command to create a secret:

kubectl create secret generic tigera-packetcapture-server-tls -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file>

To update existing certificates, run the following command:

kubectl create secret generic tigera-packetcapture-server-tls -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file> --dry-run=client -o yaml --save-config | kubectl replace -f -
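
Before creating or replacing the secret, it is worth confirming that the certificate actually carries the required service name and that the key belongs to it. The following pre-flight check is an added example, not part of the Calico Enterprise documentation; the function names check_packetcapture_cert and make_sample_pair are hypothetical, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names): pre-flight checks for the pair that
# goes into the tigera-packetcapture-server-tls secret. Assumes OpenSSL 1.1.1+.

PCAP_DNS="tigera-packetcapture.tigera-packetcapture.svc"   # name required by the page

# check_packetcapture_cert CERT KEY
# Returns 0 if the pair is usable, 1 on name mismatch, 2 on key mismatch, 3 if expired.
check_packetcapture_cert() {
    cert=$1 key=$2

    # 1. The service name must match a DNS SAN (or the CN when no DNS SAN exists).
    #    "openssl x509 -checkhost" exits 0 either way, so inspect its message.
    openssl x509 -in "$cert" -noout -checkhost "$PCAP_DNS" 2>/dev/null \
        | grep -q "does match certificate" \
        || { echo "FAIL: $cert is not valid for $PCAP_DNS" >&2; return 1; }

    # 2. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $cert" >&2; return 2; }

    # 3. The certificate must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: $cert has expired" >&2; return 3; }

    echo "OK: $cert and $key are ready for the secret"
}

# make_sample_pair DIR NAME DNS
# Constructed throwaway self-signed pair, used only to exercise the check above.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/$2.key" -out "$1/$2.crt" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" 2>/dev/null
}
```

Run check_packetcapture_cert </path/to/certificate-file> </path/to/key-file> and proceed to the kubectl command only when it reports OK.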