Tetrate Service Bridge, Version 1.11.x

Certificate Requirements

Before you continue, make sure you:
✓ Understand the types of certificates in TSB.

tip

Since 1.7, TSB supports automated certificate management for internal certificates, TSB front-envoy TLS certificates, and intermediate Istio CA certificates. Go to Automated Certificate Management for more details.

Internal Certificate

To use JWT authentication with TLS for communication between XCP central, MPC and XCP edge, the XCP central certificate must include the address that XCP edge and MPC use to reach XCP central in its subject alternative names (SANs). This will be either a DNS name or an IP address; a matching common name alone is not sufficient.

XCP central in the management plane uses the certificate stored in a secret named xcp-central-cert in the management plane namespace (which defaults to tsb). The secret must contain data for the standard tls.crt, tls.key, and ca.crt fields.

Below is an example of the XCP central certificate as a cert-manager Certificate resource for the case where XCP central is reached by IP address.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: xcp-central-cert
  namespace: tsb
spec:
  secretName: xcp-central-cert
  ipAddresses:
    - a.b.c.d ## <--- IP Address here
  issuerRef:
    name: tsb-cert-issuer
    kind: Issuer
  duration: 2160h
  renewBefore: 720h

Or, if XCP central is reached by a domain name, set the field spec.dnsNames instead:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: xcp-central-cert
  namespace: tsb
spec:
  secretName: xcp-central-cert
  dnsNames:
    - example-tsb.tetrate.io ## <-- DNS name here
  issuerRef:
    name: tsb-cert-issuer
    kind: Issuer
  duration: 2160h
  renewBefore: 720h

DNS name when creating the certificate with tctl

If you use tctl to automatically install the required issuer and certificate, the XCP central certificate will have central.xcp.tetrate.io as its DNS name.

Front-envoy Certificate

Front envoy is the ingress gateway for the TSB management plane. It is responsible for routing traffic to the TSB API and UI, so its certificate must name the address that users and tctl connect to.

Front envoy in the management plane uses the certificate stored in a secret named tsb-certs in the management plane namespace (which defaults to tsb). The secret must contain data for the standard tls.crt, tls.key, and ca.crt fields.

Below is an example of the front-envoy certificate as a cert-manager resource using a domain name.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tsb-certs
  namespace: tsb
spec:
  secretName: tsb-certs
  dnsNames:
    - example-tsb.tetrate.io
  issuerRef:
    name: tsb-cert-issuer
    kind: Issuer
  isCA: false
  duration: 2160h
  renewBefore: 720h

Istio Intermediate CA Certificate

The Istio intermediate CA certificate is used by istiod to issue leaf certificates to workloads. Because every workload identity in the cluster chains up through this certificate, its key must be a CA key (isCA: true with the cert sign usage) and the secret holding it should be protected accordingly.

Istiod in the control plane uses the certificate stored in a secret named cacerts in the control plane namespace (which defaults to istio-system). The secret must contain data for ca-cert.pem, ca-key.pem, cert-chain.pem and root-cert.pem. Note that a cert-manager Certificate writes its output under the keys tls.crt, tls.key and ca.crt; before relying on the resource below, confirm which key layout your istiod version reads (kubectl get secret cacerts -n istio-system -o jsonpath='{.data}' lists the keys present), or use Automated Certificate Management.

Below is an example of the intermediate CA certificate as a cert-manager resource. It is marked isCA: true with the cert sign usage so that istiod can sign workload certificates with its key, and it has a longer lifetime than the server certificates above because rotating it re-issues every workload certificate.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cacerts
  namespace: istio-system
spec:
  secretName: cacerts
  duration: 8760h
  renewBefore: 4320h
  commonName: istiod.istio-system.svc
  isCA: true
  usages:
    - digital signature
    - key encipherment
    - cert sign
  dnsNames:
    - istiod.istio-system.svc
  issuerRef:
    name: tsb-cert-issuer
    kind: Issuer
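The two rules on this page, that the XCP central and front-envoy tls.crt must chain to its ca.crt and name the address clients dial, and that the cacerts ca-cert.pem must be a signing CA that chains to root-cert.pem, are mechanical checks that can be run against the decoded secret fields. The program below is an added example written against the Go standard library; it is not part of the TSB documentation, tctl or any Tetrate component. It builds a constructed, throwaway PKI (a root, an istiod-style intermediate, an XCP central leaf with an IP SAN and a DNS SAN, and a leaf with only a common name; the address 10.0.0.5 is hypothetical) and then applies the checks to it. checkServerCert and checkIntermediateCA are the only parts you would keep when pointing it at real secret data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// parsePEM decodes one secret field such as tls.crt, ca.crt, ca-cert.pem or root-cert.pem.
func parsePEM(b []byte) (*x509.Certificate, error) {
	blk, _ := pem.Decode(b)
	if blk == nil {
		return nil, errors.New("no PEM certificate block found")
	}
	return x509.ParseCertificate(blk.Bytes)
}

// checkServerCert: tls.crt must chain to ca.crt and carry the dialed address (DNS or IP) as a SAN.
func checkServerCert(certPEM, caPEM []byte, address string) error {
	leaf, err := parsePEM(certPEM)
	ca, err2 := parsePEM(caPEM)
	if err != nil || err2 != nil {
		return errors.Join(err, err2)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// DNSName is matched with VerifyHostname: IP literals against IPAddresses, names against
	// DNSNames. A matching CommonName alone does not satisfy it.
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: address})
	return err
}

// checkIntermediateCA: ca-cert.pem must be a CA with "cert sign" and must chain to root-cert.pem.
func checkIntermediateCA(caPEM, rootPEM []byte) error {
	ca, err := parsePEM(caPEM)
	root, err2 := parsePEM(rootPEM)
	if err != nil || err2 != nil {
		return errors.Join(err, err2)
	}
	if !ca.IsCA || ca.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("ca-cert.pem is not a CA with the cert sign key usage")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = ca.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// template builds a 2160h certificate with the page's default usages; CAs also get "cert sign".
func template(cn string, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(2160 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns it as PEM.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// buildFixtures makes a constructed PKI standing in for secret contents: root (ca.crt / root-cert.pem),
// an istiod-style intermediate (ca-cert.pem), an XCP central leaf with SANs, and one with only a CN.
func buildFixtures() (root, inter, leafSAN, leafNoSAN []byte) {
	rootCert, rootKey, root := issue(template("tsb-root", true), nil, nil)
	_, _, inter = issue(template("istiod.istio-system.svc", true), rootCert, rootKey)
	good := template("xcp-central", false)
	good.IPAddresses, good.DNSNames = []net.IP{net.ParseIP("10.0.0.5")}, []string{"central.xcp.tetrate.io"} // hypothetical IP, tctl default name
	_, _, leafSAN = issue(good, rootCert, rootKey)
	_, _, leafNoSAN = issue(template("xcp-central", false), rootCert, rootKey) // CN only, no SAN
	return
}

func main() {
	root, inter, leafSAN, leafNoSAN := buildFixtures()
	fmt.Println("IP SAN:", checkServerCert(leafSAN, root, "10.0.0.5"))
	fmt.Println("no SAN:", checkServerCert(leafNoSAN, root, "10.0.0.5"))
	fmt.Println("cacerts:", checkIntermediateCA(inter, root))
}
```

To run the checks against a live cluster, replace the fixtures with the decoded secret fields, for example kubectl get secret xcp-central-cert -n tsb -o jsonpath='{.data.tls\.crt}' | base64 -d for tls.crt, and pass the address that your XCP edge clusters are configured to dial. A CN-only certificate fails the SAN check even when the CN matches, which is the failure you see when a certificate is issued by hand without ipAddresses or dnsNames.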