Provide TLS certificates for compliance

Big picture

Provide TLS certificates to secure access to Calico Cloud to the compliance components.

Value

Providing TLS certificates for Calico Cloud compliance components is recommended as part of a zero trust network model for security.

Before you begin...

By default, Calico Cloud uses self-signed certificates for its compliance reporting components. To provide TLS certificates, get the certificate and key pair for the Calico Cloud compliance using any X.509-compatible tool or from your organization's Certificate Authority. The certificate must have Common Name or a Subject Alternate Name of compliance.tigera-compliance.svc.

How to

Add TLS certificates for compliance

To provide TLS certificates for use by Calico Cloud compliance components during deployment, you must create a secret before applying the 'custom-resource.yaml' or before creating the Compliance resource. Use the following command to create a secret:

kubectl create secret generic tigera-compliance-server-tls -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file>

To update existing certificates, run the following command:

kubectl create secret generic tigera-compliance-server-tls -n tigera-operator --from-file=tls.crt=</path/to/certificate-file> --from-file=tls.key=</path/to/key-file> --dry-run -o yaml --save-config | kubectl replace -f -