Provide TLS certificates for Calico Cloud Manager

Big picture

Provide TLS certificates that secure access to the Calico Cloud manager user interface.

Value

By default, the Calico Cloud manager UI uses self-signed TLS certificates on connections. This article describes how to provide TLS certificates that users' browsers will trust.

Before you begin...

  • Get the certificate and key pair for the Calico Cloud Manager UI. Generate the certificate using any X.509-compatible tool or from your organization's Certificate Authority.

How to

To provide certificates for use during deployment, you must create a secret before applying the 'custom-resource.yaml' or before creating the Installation resource. To specify certificates for use in the manager, create a secret using the following command:

kubectl create secret generic manager-tls -n tigera-operator --from-file=cert=</path/to/certificate-file> --from-file=key=</path/to/key-file>

To update existing certificates, run the following command:

kubectl create secret generic manager-tls -n tigera-operator --from-file=cert=</path/to/certificate-file> --from-file=key=</path/to/key-file> --dry-run=client -o yaml --save-config | kubectl replace -f -

If the Calico Cloud Manager UI is already running, updating the secret should cause it to restart and pick up the new certificate and key. This results in a short period of unavailability of the Calico Cloud Manager UI.
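
Because replacing the secret restarts the Manager UI, it is worth validating the certificate and key files before running either command above. The following pre-flight check is an added example, not part of the Calico Cloud documentation or tooling; the function name check_manager_tls_pair, the 7-day default validity window, and the assumption that the key is an unencrypted PEM file are choices made for this example, and it requires the openssl CLI.

```shell
# Added example (not from the Calico Cloud docs): validate the files before
# they are loaded into the manager-tls secret. Requires the openssl CLI.
# check_manager_tls_pair is a hypothetical helper name.
#
# Usage: check_manager_tls_pair <cert.pem> <key.pem> [min_seconds_valid]
# Returns: 0 usable, 1 unreadable/unparseable, 2 key does not match cert,
#          3 certificate expires within min_seconds_valid (default 7 days).
check_manager_tls_pair() {
  ctp_cert=$1
  ctp_key=$2
  ctp_min_valid=${3:-604800}

  if [ ! -r "$ctp_cert" ] || [ ! -r "$ctp_key" ]; then
    echo "cannot read certificate or key file" >&2
    return 1
  fi

  # Public key embedded in the certificate (SubjectPublicKeyInfo, PEM).
  ctp_cert_pub=$(openssl x509 -in "$ctp_cert" -noout -pubkey 2>/dev/null) || {
    echo "not a parseable X.509 certificate: $ctp_cert" >&2
    return 1
  }

  # Public key derived from the private key. "-passin pass:" makes an
  # encrypted key fail immediately instead of prompting on the terminal
  # (assumption for this example: the key file is unencrypted PEM).
  ctp_key_pub=$(openssl pkey -in "$ctp_key" -passin pass: -pubout 2>/dev/null) || {
    echo "not a parseable unencrypted private key: $ctp_key" >&2
    return 1
  }

  if [ "$ctp_cert_pub" != "$ctp_key_pub" ]; then
    echo "private key does not match the certificate" >&2
    return 2
  fi

  # -checkend exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$ctp_cert" -noout -checkend "$ctp_min_valid" >/dev/null 2>&1; then
    echo "certificate expires within $ctp_min_valid seconds" >&2
    return 3
  fi

  # Show what browsers will be presented with.
  openssl x509 -in "$ctp_cert" -noout -subject -issuer -enddate
}
```

Run it with the same two paths you pass to --from-file, and continue to the kubectl command only when it returns 0.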

Additional resources

Additional documentation is available for securing Calico Cloud manager connections.