Skip to main content
Calico Enterprise 3.19 (latest) documentation

Provide TLS certificates for Typha and Node

Big picture

Provide TLS certificates that allow mutual TLS authentication between Node and Typha.

Value

By default, Calico Enterprise Typha and Node components are configured with self-signed Certificate Authority (CA) and certificates for mutual TLS authentication. This article describes how to provide a CA and TLS certificates.

Concepts

Mutual TLS authentication means each side of a connection authenticates the other side. As such, the CA and certificates that are used must all be in sync. If one side of the connection is updated with a certificate that is not compatible with the other side, communication stops. So if certificate updates are mismatched on Typha, Node, or CA certificate, new pod networking and policy application will be interrupted until you restore compatibility. To make it easy to keep updates in sync, this article describes how to use one command to apply updates for all resources.

Before you begin...

Get the Certificate Authority certificate and signed certificate and key pairs for Calico Enterprise Typha and Node

  • Generate the certificates using any X.509-compatible tool or from your organization's CA.
  • Ensure the generated certificates meet the requirements for TLS connections between Node and Typha.

How to

Create resource file

  1. Create the CA ConfigMap with the following commands:

    kubectl create configmap typha-ca -n tigera-operator --from-file=caBundle=</path/to/CA/cert> --dry-run -o yaml --save-config > typha-node-tls.yaml
    echo '---' >> typha-node-tls.yaml
    tip

    The contents of the caBundle field should contain the CA or the certificates for both Typha and Node. It is possible to add multiple PEM blocks.

  2. Create the Typha Secret with the following command:

    kubectl create secret generic typha-certs -n tigera-operator \
      --from-file=cert.crt=</path/to/typha/cert> --from-file=key.key=</path/to/typha/key> \
      --from-literal=common-name=<typha certificate common name> --dry-run -o yaml --save-config >> typha-node-tls.yaml
    echo '---' >> typha-node-tls.yaml
    tip

    If using SPIFFE identifiers replace --from-literal=common-name=<typha certificate common name> with --from-literal=uri-san=<typha SPIFFE ID>.

  3. Create the Node Secret with the following command:

    kubectl create secret generic node-certs -n tigera-operator \
      --from-file=cert.crt=</path/to/node/cert> --from-file=key.key=</path/to/node/key> \
      --from-literal=common-name=<node certificate common name> --dry-run -o yaml --save-config >> typha-node-tls.yaml
    tip

    If using SPIFFE identifiers replace --from-literal=common-name=<node certificate common name> with --from-literal=uri-san=<node SPIFFE ID>.

Apply or update resources

  1. Apply the typha-node-tls.yaml file.
    • To create these resource for use during deployment, you must apply this file before applying custom-resource.yaml or before creating the Installation resource. To apply this file, use the following command: 
      kubectl apply -f typha-node-tls.yaml
    • To update existing resources, use the following command: 
      kubectl replace -f typha-node-tls.yaml

If Calico Enterprise Node and Typha are already running, the update causes a rolling restart of both. If the new CA and certificates are not compatible with the previous set, there may be a period where the Node pods produce errors until the old set CA and certificates are replaced with the new ones.