Provide TLS certificates for PacketCapture APIs
Big picture​
Provide TLS certificates to secure access to Calico Enterprise to the PacketCapture components.
Value​
Providing TLS certificates for Calico Enterprise PacketCapture components is recommended as part of a zero trust network model for security.
Before you begin...​
By default, Calico Enterprise uses self-signed certificates for its PacketCapture APIs components. To provide TLS certificates,
get the certificate and key pair for the Calico Enterprise PacketCapture using any X.509-compatible tool or from your organization's
Certificate Authority. The certificate must have Common Name or a Subject Alternate Name of tigera-packetcapture.tigera-packetcapture.svc
.
How to​
Add TLS certificates for PacketCapture​
To provide TLS certificates for use by Calico Enterprise PacketCapture components during deployment, you must create a secret before applying the 'custom-resource.yaml' or before creating the APIServer resource. Use the following command to create a secret:
kubectl create secret generic tigera-packetcapture-server-tls -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file>
To update existing certificates, run the following command:
kubectl create secret generic tigera-packetcapture-server-tls -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file> --dry-run -o yaml --save-config | kubectl replace -f -