
XCP Managed Self-signed Webhook Certificates

Tetrate Service Bridge (TSB) now supports XCP-managed self-signed certificates for webhook servers, eliminating the dependency on cert-manager while provisioning ControlPlane clusters. This document outlines how the feature works, how to disable cert-manager, and how to revert to previous behavior if needed.

Overview

XCP-managed certificates are enabled by default and replace certificates previously generated and managed by cert-manager.

These certificates are:

  • Self-signed
  • Valid for 10 years
  • Stored in-memory (not persisted in Kubernetes Secrets)

This simplifies certificate management by reducing operational dependencies.

Certificate Rotation

To rotate XCP-managed webhook certificates, simply restart the following components:

  • XCP Operator
  • XCP Central or Edge

Because the certificates have a 10-year validity period, manual rotation due to expiration is not expected.

Disabling cert-manager Installation

With XCP managing its own certificates, cert-manager is no longer required for webhook certificates and can be disabled in ControlPlane clusters.

To disable cert-manager, set the internalCertProvider field in the Control Plane CR to tsbManaged:

spec:
  components:
    internalCertProvider:
      tsbManaged: {}

Note

TSB-installed cert-manager depends on an experimental upstream feature flag, which was required for signing webhook certificates in previous releases. Currently, there is no supported way to install cert-manager via TSB without enabling this feature flag.

Disabling XCP-Managed Certificates

If issues arise and you need to revert to cert-manager managed webhook certificates, you can disable the XCP-managed certificate feature by creating an overlay in the Control Plane CRs:

spec:
  components:
    xcp:
      kubeSpec:
        deployment:
          env:
            - name: "ENABLE_XCP_MANAGED_WEBHOOK_CERTS"
              value: "false"

Pre-requisite

Disabling XCP-managed certificates requires cert-manager to be installed. If you've already disabled cert-manager by configuring internalCertProvider to tsbManaged, you must revert that change.

To re-enable cert-manager, update your configuration as follows:

spec:
  components:
    internalCertProvider:
      certManager:
        managed: AUTO
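The prerequisite above is easy to get wrong when overlays are applied in the wrong order. The following preflight check is an added example (not Tetrate's code) that inspects a ControlPlane CR, given as a plain Python dict with the structure of the YAML shown on this page, and flags the unsupported combination of ENABLE_XCP_MANAGED_WEBHOOK_CERTS=false with internalCertProvider still set to tsbManaged; the sample CRs at the bottom are constructed for illustration.

```python
"""Preflight check for a TSB ControlPlane CR (added example, not Tetrate's code).
Flags the unsupported combination from the Pre-requisite above: the xcp overlay sets
ENABLE_XCP_MANAGED_WEBHOOK_CERTS=false while internalCertProvider is still tsbManaged,
so no cert-manager would be present to issue the webhook certificates. CRs are handled
as plain dicts (the structure of the page's YAML), so no YAML library is required."""
from typing import Any

FLAG = "ENABLE_XCP_MANAGED_WEBHOOK_CERTS"

def _get(cr: dict[str, Any], *path: str) -> Any:
    """Walk nested keys, returning None where the path is absent."""
    node: Any = cr
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def xcp_managed_certs_enabled(cr: dict[str, Any]) -> bool:
    """On by default; only an explicit "false" in the xcp deployment env turns it off."""
    env = _get(cr, "spec", "components", "xcp", "kubeSpec", "deployment", "env") or []
    for item in env:
        if item.get("name") == FLAG:
            return str(item.get("value", "")).strip().lower() != "false"
    return True

def cert_manager_disabled(cr: dict[str, Any]) -> bool:
    """internalCertProvider.tsbManaged means TSB will not install cert-manager."""
    provider = _get(cr, "spec", "components", "internalCertProvider") or {}
    return "tsbManaged" in provider

def check_webhook_cert_config(cr: dict[str, Any]) -> list[str]:
    """Return findings; an empty list means the CR is consistent."""
    if not xcp_managed_certs_enabled(cr) and cert_manager_disabled(cr):
        return [f"{FLAG}=false but internalCertProvider is tsbManaged: "
                "set internalCertProvider.certManager.managed: AUTO first"]
    return []

# Constructed sample CRs for the three states the page describes (not from a real cluster).
DISABLE_FLAG = {"env": [{"name": FLAG, "value": "false"}]}
DEFAULT_CR = {"spec": {"components": {"internalCertProvider": {"tsbManaged": {}}}}}
INCONSISTENT_CR = {"spec": {"components": {
    "internalCertProvider": {"tsbManaged": {}},
    "xcp": {"kubeSpec": {"deployment": DISABLE_FLAG}}}}}
REVERTED_CR = {"spec": {"components": {
    "internalCertProvider": {"certManager": {"managed": "AUTO"}},
    "xcp": {"kubeSpec": {"deployment": DISABLE_FLAG}}}}}
```

Run `check_webhook_cert_config` against the CR you are about to apply (for example the output of `kubectl get controlplane -o json`, loaded with `json.load`); a non-empty result means the cert-manager setting must be reverted before the XCP-managed certificate flag is turned off.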