Skip to main content
logoTetrate Service BridgeVersion: 1.4.x

Certificate Requirements

The management plane communicates with a cluster control planes over mutual TLS (mTLS). You will need to set up a TLS certificate so that the management plane and control plane can communicate with each other.

note

Please note that the certificates described here are solely used for the communication between TSB components, and thus are not part of your applications' certificates that are typically managed by Istio.

All certificates involved in mTLS communication between management plane and control plane should be created from the same chain of trust, i.e. have the same CA. For the CA, we recommend plugging into your existing PKI infrastructure.

warning

In case you have installed cert-manager in the management plane cluster, you can use tctl to automatically install required issuer and certificate in the management plane and create control plane certificate. Please see the documentations for Management Plane Installation and Onboarding Clusters for more details.

Management Plane

XCP central

XCP central in the management plane uses the certificate stored in a secret named xcp-central-cert in the management plane namespace (which defaults to tsb). The secret must contain data for the standard tls.crt, tls.key, and ca.crt fields.

The certificate must:

  1. Have the following URI SAN spiffe://xcp.tetrate.io/central
  2. Have Extended Key Usage extension server auth and client auth. If you are using OpenSSL, you will need to set the value of extendedKeyUsage to serverAuth,clientAuth. More details can be found in the external project documentation

Below is an example of XCP central certificate as cert-manager resource. Note that following assumes the existence of cert-manager identity issuer named xcp-identity-issuer.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: xcp-central-cert
namespace: tsb
spec:
secretName: xcp-central-cert
issuerRef:
name: xcp-identity-issuer
kind: Issuer
duration: 30000h0m0s
uris:
- spiffe://xcp.tetrate.io/central
usages:
- server auth
- client auth

MPC

If you are upgrading to TSB 1.2.4 or 1.4.0, the MPC component needs a certificate to authenticate with XCP Central using mTLS.

MPC component in the management plane uses the certificate stored in a secret named mpc-certs in the management plane namespace (which defaults to tsb). The secret must contain data for the standard tls.crt, tls.key, and ca.crt fields.

The certificate must

  1. Have following URI SAN spiffe://xcp.tetrate.io/mpc
  2. Have Extended Key Usage extension server auth and client auth. If you are using OpenSSL, you will need to set the value of extendedKeyUsage to serverAuth,clientAuth. More details can be found in the external project documentation

Below is an example of MPC certificate as cert-manager resource.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: mpc-certs
namespace: tsb
spec:
secretName: mpc-certs
issuerRef:
name: xcp-identity-issuer
kind: Issuer
duration: 30000h
uris:
- spiffe://xcp.tetrate.io/mpc
usages:
- client auth
- server auth

Control Plane

XCP edge in the control plane uses the certificate stored in a secret named xcp-edge-cert in the control plane namespace (default to istio-system). The secret must contain data for the standard tls.crt, tls.key, and ca.crt fields.

The certificate must

  1. Have following URI SAN spiffe://xcp.tetrate.io/<cluster-name-in-tsb>
  2. Have Extended Key Usage extension server auth and client auth. If you are using OpenSSL, you will need to set the value of extendedKeyUsage to serverAuth,clientAuth. More details can be found in the external project documentation

Below is an example of XCP edge certificate as cert-manager resource.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: xcp-edge-cert
namespace: istio-system
spec:
secretName: xcp-edge-cert
issuerRef:
name: xcp-identity-issuer
kind: Issuer
duration: 30000h
uris:
- spiffe://xcp.tetrate.io/<cluster-name-in-tsb>
usages:
- server auth
- client auth