Certificate Requirements
The management plane communicates with each cluster's control plane over mutual TLS (mTLS). You will need to set up TLS certificates on both sides so that the management plane and the control plane can authenticate each other.
Note: the certificates described here are used solely for communication between TSB components. They are not the application (workload) certificates, which are typically managed by Istio.
All certificates involved in mTLS communication between the management plane and the control planes must be issued from the same chain of trust, i.e. signed by the same CA (each side validates its peer against the ca.crt in its own secret, so a mismatch breaks the connection). For the CA, we recommend plugging into your existing PKI infrastructure rather than creating a one-off CA.
Warning: if you have installed cert-manager in the management plane cluster, you can use tctl to automatically install the required issuer and certificate in the management plane and to create the control plane certificate. See the Management Plane Installation and Onboarding Clusters documentation for details.
Management Plane
XCP central
XCP central in the management plane uses the certificate stored in a secret named xcp-central-cert in the management plane namespace (which defaults to tsb). The secret must contain data for the standard tls.crt, tls.key, and ca.crt fields.
The certificate must:
- Have the URI SAN spiffe://xcp.tetrate.io/central
- Have the Extended Key Usage extension with both server auth and client auth (XCP central both serves and initiates mTLS connections). If you are using OpenSSL, set extendedKeyUsage to serverAuth,clientAuth. More details can be found in the external project documentation.
Below is an example of the XCP central certificate as a cert-manager Certificate resource. Note that the following assumes the existence of a cert-manager issuer named xcp-identity-issuer; since kind Issuer is namespace-scoped, it must live in the same namespace as the Certificate (tsb here), or you must reference a ClusterIssuer instead.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: xcp-central-cert
  namespace: tsb
spec:
  secretName: xcp-central-cert
  issuerRef:
    name: xcp-identity-issuer
    kind: Issuer
  duration: 30000h0m0s
  uris:
    - spiffe://xcp.tetrate.io/central
  usages:
    - server auth
    - client auth
```
MPC
If you are upgrading to TSB 1.2.4 or 1.4.0, the MPC component needs its own certificate to authenticate to XCP central over mTLS.
The MPC component in the management plane uses the certificate stored in a secret named mpc-certs in the management plane namespace (which defaults to tsb). The secret must contain data for the standard tls.crt, tls.key, and ca.crt fields.
The certificate must:
- Have the URI SAN spiffe://xcp.tetrate.io/mpc
- Have the Extended Key Usage extension with both server auth and client auth. If you are using OpenSSL, set extendedKeyUsage to serverAuth,clientAuth. More details can be found in the external project documentation.
Below is an example of the MPC certificate as a cert-manager Certificate resource, issued by the same xcp-identity-issuer so that it shares the chain of trust with XCP central.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mpc-certs
  namespace: tsb
spec:
  secretName: mpc-certs
  issuerRef:
    name: xcp-identity-issuer
    kind: Issuer
  duration: 30000h
  uris:
    - spiffe://xcp.tetrate.io/mpc
  usages:
    - client auth
    - server auth
```
Control Plane
XCP edge in the control plane uses the certificate stored in a secret named xcp-edge-cert in the control plane namespace (which defaults to istio-system). The secret must contain data for the standard tls.crt, tls.key, and ca.crt fields.
The certificate must:
- Have the URI SAN spiffe://xcp.tetrate.io/<cluster-name-in-tsb>, where <cluster-name-in-tsb> is the name under which the cluster is registered in TSB (it must match exactly; the management plane identifies the edge by this SPIFFE ID)
- Have the Extended Key Usage extension with both server auth and client auth. If you are using OpenSSL, set extendedKeyUsage to serverAuth,clientAuth. More details can be found in the external project documentation.
Below is an example of the XCP edge certificate as a cert-manager Certificate resource. Because this resource lives in the control plane cluster, the xcp-identity-issuer referenced here must exist in that cluster's istio-system namespace and must chain to the same CA as the management plane certificates.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: xcp-edge-cert
  namespace: istio-system
spec:
  secretName: xcp-edge-cert
  issuerRef:
    name: xcp-identity-issuer
    kind: Issuer
  duration: 30000h
  uris:
    - spiffe://xcp.tetrate.io/<cluster-name-in-tsb>
  usages:
    - server auth
    - client auth
```
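The three certificates above (XCP central, MPC, XCP edge) differ only in their SPIFFE URI SAN, so a single procedure covers all of them when you are not using cert-manager. The script below is an added example and is not TSB's, cert-manager's or Tetrate's own tooling: it uses the OpenSSL CLI that this page references to create a throwaway CA standing in for your PKI, issue a leaf certificate with the required URI SAN and extendedKeyUsage = serverAuth,clientAuth, and then check a certificate the way you would before loading it into one of the secrets (chains to the expected CA, carries exactly the expected SPIFFE ID, has both EKU values). File names, the CA subject, key sizes and lifetimes are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not part of TSB or its tooling: mint an XCP identity CA
# (stand-in for your real PKI) plus leaf certificates carrying the SPIFFE
# URI SAN and the serverAuth,clientAuth EKU that TSB requires, and check
# the result before loading it into a secret. File names, the CA subject
# and the lifetimes are this example's own choices.
set -eu

# make_xcp_ca DIR: create ca.key/ca.crt in DIR unless they already exist,
# so every leaf minted into the same DIR shares one chain of trust.
make_xcp_ca() {
  local dir=$1
  mkdir -p "$dir"
  [ -f "$dir/ca.crt" ] && return 0
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = xcp-identity-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# make_xcp_cert DIR NAME SPIFFE_ID: leaf NAME.crt/NAME.key signed by
# DIR/ca.crt, with SPIFFE_ID as its URI SAN and both EKU values set.
make_xcp_cert() {
  local dir=$1 name=$2 spiffe_id=$3
  cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = leaf_ext
prompt = no
[dn]
CN = $name
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = URI:$spiffe_id
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$name.cnf" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1250 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.cnf" -extensions leaf_ext -out "$dir/$name.crt" 2>/dev/null
}

# check_xcp_cert CERT CA SPIFFE_ID: succeed only if CERT chains to CA, its
# only SAN is URI:SPIFFE_ID, and it carries both serverAuth and clientAuth.
# (Relax the SAN comparison if you deliberately add DNS SANs as well.)
check_xcp_cert() {
  local cert=$1 ca=$2 spiffe_id=$3 text san eku
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 1
  san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ')
  [ "$san" = "URI:$spiffe_id" ] || return 1
  eku=$(printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | tail -n1)
  case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
  case "$eku" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
}

# Stand-alone usage: xcp-certs.sh OUTDIR NAME SPIFFE_ID, for example
#   xcp-certs.sh ./pki xcp-central spiffe://xcp.tetrate.io/central
#   xcp-certs.sh ./pki mpc         spiffe://xcp.tetrate.io/mpc
#   xcp-certs.sh ./pki xcp-edge    spiffe://xcp.tetrate.io/<cluster-name-in-tsb>
if [ "$#" -eq 3 ]; then
  make_xcp_ca "$1"
  make_xcp_cert "$1" "$2" "$3"
  check_xcp_cert "$1/$2.crt" "$1/ca.crt" "$3" \
    && echo "ok: $1/$2.crt has SAN $3, serverAuth+clientAuth, chains to $1/ca.crt" \
    || { echo "check failed for $1/$2.crt" >&2; exit 1; }
fi
```

Load the output into the secret with the three standard keys, e.g. `kubectl create secret generic xcp-central-cert -n tsb --from-file=tls.crt=pki/xcp-central.crt --from-file=tls.key=pki/xcp-central.key --from-file=ca.crt=pki/ca.crt` (likewise mpc-certs in tsb and xcp-edge-cert in istio-system, each with the same ca.crt). To audit a certificate that is already in a cluster, decode it with `kubectl get secret xcp-central-cert -n tsb -o jsonpath='{.data.tls\.crt}' | base64 -d > central.crt` and run check_xcp_cert on the file with the ca.crt you expect; a certificate that has only one of the two EKU values, or that chains to a different CA than its peer's ca.crt, fails the check just as it would fail the mTLS handshake.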