
Enable TLS

This page describes how to secure the TIS Dashboard with TLS. By default, TIS Dashboard is deployed without TLS enabled. To secure the TIS Dashboard with TLS, you need to provide a valid TLS certificate and key.

TIS Dashboard provides two options for securing it with TLS:

  1. Using a generated certificate. The TIS Helm installation can generate a TLS certificate automatically:
    • If you don't provide a CA certificate and CA key, TIS Dashboard Helm will generate a self-signed certificate and key.
    • If you provide a CA certificate and CA key, TIS Dashboard Helm will generate a certificate and key signed by the provided CA certificate and CA key.
  2. Using an existing certificate. You can use an existing TLS certificate to secure the TIS Dashboard. You need to create the TLS certificate as a secret in the same namespace where TIS Dashboard is deployed, then provide the secret name in the TIS Dashboard Helm values when installing or upgrading TIS Dashboard.

Using generated certificate

cert-manager

Generated certificates for TIS Dashboard require cert-manager to be installed in the cluster. If you don't have cert-manager installed, you can follow the cert-manager installation guide.

Install TIS Dashboard with generated certificate

To install TIS Dashboard with a generated certificate signed by your own CA, provide the CA certificate and CA key when installing TIS Dashboard. If you omit them, a self-signed certificate and key are generated. The commands below show both cases.

TIS Dashboard domain name

You can add the TIS Dashboard domain name to the generated certificate by providing it in the service.tls.generated.extraDnsNames value. If you don't provide the domain name, the generated certificate will only contain the TIS Central Load Balancer IP address.

The following is a simple example that installs TIS Dashboard with a self-signed certificate using only the Load Balancer IP address:

helm upgrade --install central tis/central \
--namespace tis --create-namespace \
--set service.tls.enabled=true \
--set service.tls.useGeneratedCerts=true

The following is an example that installs TIS Dashboard with an existing CA certificate using both the Load Balancer IP address and the custom domain name tis.example.com:

helm upgrade --install central tis/central \
--namespace tis --create-namespace \
--set service.tls.enabled=true \
--set service.tls.useGeneratedCerts=true \
--set service.tls.generated.cert="$(cat ca.crt)" \
--set service.tls.generated.key="$(cat ca.key)" \
--set 'service.tls.generated.extraDnsNames[0]=tis.example.com'

Using cert-manager to create certificate

To use an existing TLS certificate for TIS Dashboard, you need to create a TLS certificate as a secret in the same namespace where TIS Dashboard is deployed. The secret should contain the TLS certificate and key. In the following example, you will use cert-manager to create a certificate for TIS Dashboard. If you don't have cert-manager installed, you can follow the cert-manager installation guide.

You can also create a TLS certificate using other methods and tools, such as openssl or cfssl.

Create a certificate issuer

cert-manager requires a ClusterIssuer or Issuer resource to issue certificates. The following is an example of a ClusterIssuer resource that issues self-signed certificates:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
  namespace: cert-manager
spec:
  selfSigned: {}

For more information on creating a ClusterIssuer or Issuer resource and available integrations, refer to the cert-manager documentation.

Create a certificate

To create a certificate, you need to create a Certificate resource. The following is an example of a Certificate resource that issues a certificate for tis-dashboard.example.com:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tis-dashboard-certificate
  namespace: tis
spec:
  secretName: tis-dashboard-tls
  issuerRef:
    name: selfsigned-cluster-issuer
    kind: ClusterIssuer
  dnsNames:
    - tis-dashboard.example.com

Install TIS Dashboard with existing certificate

To install TIS Dashboard with an existing certificate, you need to provide the secret name that contains the TLS certificate and key when installing TIS Dashboard. You can use the following command to install TIS Dashboard with an existing certificate:

helm upgrade --install central tis/central \
--namespace tis --create-namespace \
--set service.tls.enabled=true \
--set service.tls.useGeneratedCerts=false \
--set service.tls.secretName=tis-dashboard-tls
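
A certificate produced with openssl or cfssl rather than cert-manager can be checked before it is stored in the secret that service.tls.secretName points to. The script below is an added example, not part of the TIS documentation: the function names check_tls_pair and make_sample_pair, the 7-day expiry margin and the throwaway key pair are assumptions made for illustration, and it requires OpenSSL 1.1.1 or newer.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for a certificate/key pair before it is stored
# in the secret named by service.tls.secretName. Needs OpenSSL 1.1.1 or newer.

# check_tls_pair CERT KEY HOSTNAME (hypothetical helper)
# Returns 0 if usable, 1 expired/unreadable, 2 key mismatch, 3 name not covered.
check_tls_pair() {
  local cert="$1" key="$2" host="$3" cert_pub key_pub
  # 1. The certificate must parse and stay valid for at least 7 more days.
  openssl x509 -in "$cert" -noout -checkend $((7 * 24 * 3600)) >/dev/null 2>&1 \
    || { echo "certificate unreadable or expiring within 7 days" >&2; return 1; }
  # 2. The private key must belong to the certificate: compare public-key digests.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate" >&2; return 2; }
  # 3. The name clients connect to must be a DNS subjectAltName. Requiring a DNS
  #    SAN first stops OpenSSL from accepting a match on the subject CN alone.
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | grep -q 'DNS:' \
    || { echo "certificate has no DNS subjectAltName" >&2; return 3; }
  openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match' \
    || { echo "certificate does not cover $host" >&2; return 3; }
}

# Constructed sample input: a throwaway self-signed pair written to directory $1,
# covering the dnsNames entry used in the Certificate resource above.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=tis-dashboard" \
    -addext "subjectAltName=DNS:tis-dashboard.example.com" \
    -keyout "$1/tls.key" -out "$1/tls.crt" >/dev/null 2>&1
}

workdir=$(mktemp -d)
make_sample_pair "$workdir"
if check_tls_pair "$workdir/tls.crt" "$workdir/tls.key" tis-dashboard.example.com; then
  echo "pair is usable; store it as the secret, for example:"
  echo "kubectl create secret tls tis-dashboard-tls -n tis --cert=tls.crt --key=tls.key"
fi
```

The same function reports exit status 3 when the certificate is checked against a name it does not list, which is the situation a generated certificate is in when service.tls.generated.extraDnsNames is left unset and clients connect by domain name.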