Certificates Requirements
Before you continue, make sure you:
✓ Understand types of certificates in TSB.
Since 1.7, TSB supports automated certificate management for internal certificates, TSB front-envoy TLS certificates, and intermediate Istio CA certificates. Go to Automated Certificate Management for more details.
Internal Certificate
To use JWT authentication with TLS for communication between XCP central, MPC and XCP edge, the XCP central certificate must include its address in its subject alternative names (SANs). This will be either a DNS name or an IP address.
XCP central in the management plane uses the certificate stored in a secret named xcp-central-cert in the management plane namespace (which defaults to tsb). The secret must contain data for the standard tls.crt, tls.key, and ca.crt fields.
Below is an example of the XCP central certificate as a cert-manager resource if you are using an IP address.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: xcp-central-cert
  namespace: tsb
spec:
  secretName: xcp-central-cert
  ipAddresses:
    - a.b.c.d ## <--- IP Address here
  issuerRef:
    name: tsb-cert-issuer
    kind: Issuer
  duration: 2160h
  renewBefore: 720h
```
Or, if you are using domain names, edit the field spec.dnsNames instead.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: xcp-central-cert
  namespace: tsb
spec:
  secretName: xcp-central-cert
  dnsNames:
    - example-tsb.tetrate.io ## <-- DNS name here
  issuerRef:
    name: tsb-cert-issuer
    kind: Issuer
  duration: 2160h
  renewBefore: 720h
```
If you use tctl to automatically install the required issuer and certificate, the XCP central cert will have central.xcp.tetrate.io as the DNS name.
Front-envoy Certificate
Front envoy is the ingress gateway for the TSB management plane. It is responsible for routing traffic to the TSB API and UI.
Front envoy in the management plane uses the certificate stored in a secret named tsb-certs in the management plane namespace (which defaults to tsb). The secret must contain data for the standard tls.crt, tls.key, and ca.crt fields.
Below is an example of the front-envoy certificate as a cert-manager resource using domain names.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tsb-certs
  namespace: tsb
spec:
  secretName: tsb-certs
  dnsNames:
    - example-tsb.tetrate.io
  issuerRef:
    name: tsb-cert-issuer
    kind: Issuer
  isCA: false
  duration: 2160h
  renewBefore: 720h
```
Istio Intermediate CA Certificate
The Istio intermediate CA certificate is used by istiod to issue leaf certificates to workloads.
Istiod in the control plane uses the certificate stored in a secret named cacerts in the control plane namespace (which defaults to istio-system). The secret must contain data for ca-cert.pem, ca-key.pem, cert-chain.pem and root-cert.pem.
Below is an example of the intermediate CA certificate as a cert-manager resource.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cacerts
  namespace: istio-system
spec:
  secretName: cacerts
  duration: 8760h
  renewBefore: 4320h
  commonName: istiod.istio-system.svc
  isCA: true
  usages:
    - digital signature
    - key encipherment
    - cert sign
  dnsNames:
    - istiod.istio-system.svc
  issuerRef:
    name: tsb-cert-issuer
    kind: Issuer
```
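The three sections above each name a secret and the data keys its consumer reads, and the XCP central section additionally requires that the address edges connect to appears as a SAN. The following pre-flight checker is an added example, not code from TSB, tctl or cert-manager: it takes Kubernetes Secret and cert-manager Certificate manifests as Python dicts (the samples at the bottom are constructed, with placeholder PEM bodies) and reports missing data keys, values that are not the expected PEM type, and an XCP central Certificate whose ipAddresses/dnsNames do not list the intended address. The required-key table mirrors this page; the function names and the sample values are the example's own.

```python
"""Pre-flight checks for the TSB certificate secrets and Certificates described above.

Added example: it validates manifests offline and does not talk to a cluster.
"""
import base64
import ipaddress

# Data keys each consumer reads from its secret, as listed on this page.
REQUIRED_KEYS = {
    "xcp-central-cert": {"tls.crt", "tls.key", "ca.crt"},
    "tsb-certs": {"tls.crt", "tls.key", "ca.crt"},
    "cacerts": {"ca-cert.pem", "ca-key.pem", "cert-chain.pem", "root-cert.pem"},
}


def pem_kind(value_b64):
    """Decode one Secret data value and classify it by its first PEM header line.

    Returns 'key' for any '-----BEGIN ... PRIVATE KEY-----' header, 'cert' for a
    certificate header, and None when the value is not base64 or has no PEM header.
    """
    try:
        first = base64.b64decode(value_b64, validate=True).decode("ascii").splitlines()[0]
    except (ValueError, UnicodeDecodeError, IndexError):
        return None
    if first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----"):
        return "key"
    if first == "-----BEGIN CERTIFICATE-----":
        return "cert"
    return None


def check_secret(secret):
    """Return the list of problems with a Secret manifest (an empty list means it passes)."""
    name = secret["metadata"]["name"]
    required = REQUIRED_KEYS.get(name)
    if required is None:
        return [f"{name}: not a TSB certificate secret this check knows"]
    data = secret.get("data") or {}
    problems = [f"{name}: missing data key {k}" for k in sorted(required - data.keys())]
    for key in sorted(required & data.keys()):
        # Keys named *.key or *-key.pem must hold private keys; everything else a certificate.
        want = "key" if key.endswith((".key", "-key.pem")) else "cert"
        got = pem_kind(data[key])
        if got != want:
            problems.append(f"{name}/{key}: expected a PEM {want}, found {got or 'no PEM header'}")
    return problems


def check_central_sans(certificate, central_address):
    """Return problems with the XCP central Certificate for the address edges will dial.

    An IP literal must appear in spec.ipAddresses, a hostname in spec.dnsNames.
    """
    spec = certificate["spec"]
    problems = []
    if spec.get("secretName") != "xcp-central-cert":
        problems.append(f"secretName is {spec.get('secretName')!r}; XCP central reads xcp-central-cert")
    try:
        ipaddress.ip_address(central_address)
        field = "ipAddresses"
    except ValueError:
        field = "dnsNames"
    if central_address not in spec.get(field, []):
        problems.append(f"{central_address} is not listed in spec.{field}")
    return problems


def b64(text):
    """Encode text the way kubectl stores Secret data."""
    return base64.b64encode(text.encode()).decode()


# Constructed placeholder PEM bodies: the checks only inspect the header line.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN EC PRIVATE KEY-----\nMHc...placeholder...\n-----END EC PRIVATE KEY-----\n"

# Constructed sample: tls.key mistakenly holds a certificate and ca.crt is absent.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "xcp-central-cert", "namespace": "tsb"},
    "data": {"tls.crt": b64(FAKE_CERT), "tls.key": b64(FAKE_CERT)},
}

# Constructed sample mirroring the DNS-name Certificate above.
SAMPLE_CERTIFICATE = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "xcp-central-cert", "namespace": "tsb"},
    "spec": {"secretName": "xcp-central-cert", "dnsNames": ["example-tsb.tetrate.io"],
             "issuerRef": {"name": "tsb-cert-issuer", "kind": "Issuer"},
             "duration": "2160h", "renewBefore": "720h"},
}

if __name__ == "__main__":
    # Edges configured with an IP would not match a DNS-only SAN list, so this reports a problem.
    for problem in check_secret(SAMPLE_SECRET) + check_central_sans(SAMPLE_CERTIFICATE, "10.0.0.5"):
        print("FAIL:", problem)
```

To run it against a live cluster, feed the output of `kubectl get secret xcp-central-cert -n tsb -o json` (parsed with `json.loads`) into `check_secret`; the header-only PEM check deliberately avoids third-party parsers so it can run wherever kubectl does.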