
Provide TLS certificates for Calico Cloud Manager

Big picture

Provide TLS certificates that secure access to the Calico Cloud manager user interface.

Value

By default, the Calico Cloud manager UI uses self-signed TLS certificates on connections. This article describes how to provide TLS certificates that users' browsers will trust.

Before you begin...

  • Get the certificate and key pair for the Calico Cloud Manager UI. Generate the certificate using any X.509-compatible tool or from your organization's Certificate Authority.

How to

To provide certificates for use during deployment, you must create a secret before applying 'custom-resource.yaml' or before creating the Installation resource. To specify certificates for use in the manager, create a secret using the following command:

kubectl create secret generic manager-tls -n tigera-operator --from-file=cert=</path/to/certificate-file> --from-file=key=</path/to/key-file>

To update existing certificates, run the following command:

kubectl create secret generic manager-tls -n tigera-operator --from-file=cert=</path/to/certificate-file> --from-file=key=</path/to/key-file> --dry-run=client -o yaml --save-config | kubectl replace -f -

If the Calico Cloud Manager UI is already running, then updating the secret should cause it to restart and pick up the new certificate and key. This will result in a short period of unavailability of the Calico Cloud Manager UI.
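
Because replacing the secret restarts the manager UI, it is worth validating the files before running either command above. The following pre-flight check is an added example, not part of the Calico Cloud documentation or tooling; it assumes PEM-encoded files, an unencrypted private key, and `openssl` on the PATH. The function name `check_manager_tls` and the 7-day expiry threshold are hypothetical choices.

```shell
#!/bin/sh
# Added example: pre-flight check for the files that go into the manager-tls secret.
# Exit status: 0 = OK, 1 = certificate unreadable, 2 = expires too soon,
#              3 = private key unreadable, 4 = certificate and key do not match.
check_manager_tls() {
    cert=$1
    key=$2
    min_valid_seconds=${3:-604800}   # assumed threshold: 7 days

    # The certificate must parse as PEM X.509.
    openssl x509 -in "$cert" -noout 2>/dev/null || {
        echo "cannot parse certificate: $cert" >&2; return 1; }

    # -checkend exits non-zero if the certificate expires within the window.
    openssl x509 -in "$cert" -noout -checkend "$min_valid_seconds" >/dev/null 2>&1 || {
        echo "certificate expires within ${min_valid_seconds}s: $cert" >&2; return 2; }

    # Extract the public key from each file in the same PEM form.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)

    [ -n "$key_pub" ] || {
        echo "cannot parse private key: $key" >&2; return 3; }

    # A mismatched pair would be stored without complaint by kubectl,
    # so catch it here instead of after the manager UI restarts.
    [ "$cert_pub" = "$key_pub" ] || {
        echo "certificate and private key do not match" >&2; return 4; }

    return 0
}

# Typical use, with the same placeholders as the commands above:
#   check_manager_tls </path/to/certificate-file> </path/to/key-file> && \
#     kubectl create secret generic manager-tls -n tigera-operator ...
```

The check covers only the leaf certificate's validity window and key match; whether browsers trust the issuing CA still has to be confirmed separately.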

Additional resources

Additional documentation is available for securing Calico Cloud manager connections.