There are several TLS certificates used to deliver VMware Cloud Director Extension for VMware Tanzu Mission Control. These include VMware Cloud Director, VMware Tanzu Mission Control, and the container registry that hosts VMware Tanzu Mission Control images. These protect the communication between the services and VMware Cloud Director Container Service Extension clusters.

  • The service provider and tenant user VMware Cloud Director Container Service Extension clusters pull container images and Carvel PackageRepositories from the container registry.
  • VMware Tanzu Mission Control services on the service provider VMware Cloud Director Container Service Extension cluster connect to VMware Cloud Director as part of an OAuth handshake.
  • Tenant users connect to VMware Tanzu Mission Control services through the UI or CLI.
  • VMware Tanzu Mission Control components on tenant VMware Cloud Director Container Service Extension clusters connect to VMware Tanzu Mission Control services as part of the management communication.

Choosing a Certificate Authority

Each of these certificates may be signed by an external certificate authority or by an internal self-signed certificate authority. There are some implications to consider when deciding on a certificate type for the installation.
  • Using externally-signed certificates for all services results in the easiest experience for users.
  • It is recommended to use the same certificate authority for VMware Cloud Director and VMware Tanzu Mission Control.
    Note: If you use different certificate authorities, it is necessary to provide the certificate authority for VMware Tanzu Mission Control to the TLS CA Bundle parameter during installation.
  • If the container registry uses a self-signed certificate, it is necessary to submit it to the Harbor CA Bundle parameter during installation.
    Note: It is necessary to update any existing clusters to include this certificate authority in their CAPI and kapp-controller configuration before you attach them to VMware Tanzu Mission Control. For more information, see Configure VMware Cloud Director Extension for VMware Tanzu Mission Control with self-signed certificates (94799).
    Note: If you use self-signed certificates for the container registry, it is necessary to enter the certificates as part of the VMware Cloud Director Container Service Extension service provider workflow. For more information, see Create an Airgapped Environment.

Configuring the VMware Tanzu Mission Control certificates

Once you choose a certificate authority, the following two configuration options are available.

  • If supported by your certificate authority, you may be able to configure a cert-manager.io ClusterIssuer on the VMware Cloud Director Container Service Extension cluster to provision certificates during installation. This means you do not need to manually configure the certificates for each DNS name, and that cert-manager handles certificate rotation when applicable.
    Note: If self-signed certificates are used for VMware Tanzu Mission Control, it is possible to configure a ClusterIssuer that grants certificates from a self-signed certificate authority. For more information, see Configure VMware Cloud Director Extension for VMware Tanzu Mission Control with self-signed certificates (94799).
  • If you do not want to use cert-manager, you can generate the certificates independently. The certificates can be configured during the VMware Cloud Director Extension for VMware Tanzu Mission Control installation process, or directly on the cluster that hosts VMware Tanzu Mission Control.

    Configuring the certificates during installation only works if you have a single certificate with Subject Alternative Names (SANs) for all DNS entries. Provide the certificate and key during the installation process using the TLS Certificate and TLS Private Key parameters. Set the Certificate Provider parameter to import.

    You can also load the certificates directly onto the cluster if you have individual certificates for each DNS entry, or would prefer to manage them yourself. For more information, see the Importing Certificates section of Preparing your cluster to host Tanzu Mission Control Self-Managed, and set the Certificate Provider parameter to pre-installed.

Note: If you use a different certificate authority than the one you use for VMware Cloud Director, it is necessary to provide the certificate authority for VMware Tanzu Mission Control to the TLS CA Bundle parameter during installation.

Rotating a Self-Signed Certificate Authority

If you use self-signed certificates for the container registry, VMware Cloud Director or VMware Tanzu Mission Control services, it is recommended to use a self-signed certificate authority (CA). A CA is generally created with a longer validity than is used for service certificates. You can use the CA when you configure the connection between services so that individual certificates can be rotated without having to reconfigure all components with a new certificate.

When the CA expires, perform the following additional steps:

  • Update all clusters to include the new CA in their CAPI definition so container images can be pulled from the container registry.
  • Update the kapp-controller configuration on all clusters so PackageRepository and Package definitions may be pulled from the container registry.
  • Update VMware Tanzu Mission Control to allow the services to connect to VMware Cloud Director during the authentication process.
  • Re-attach all attached clusters to VMware Tanzu Mission Control after the new certificates are deployed. This will re-establish trust with the new CA. For more information, see Re-establish cluster connection after certificate rotation.
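The following Go program is an added example, not VMware code, that illustrates two points from this page: the single service certificate with Subject Alternative Names for all DNS entries that the TLS Certificate parameter expects, and a self-signed CA whose validity outlives the service certificates it signs, so that a client holding only the CA bundle keeps trusting rotated leaf certificates until the CA itself is replaced. The DNS names, the CA name and the validity periods are constructed for the example; `uncoveredNames` reports which names a client trusting a given CA bundle would reject.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates an Ed25519 key for tmpl and signs it with parentKey (self-signed when parentKey is nil).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand only fails if the OS entropy source is unavailable
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a self-signed CA whose validity (years) outlives the service certificates it signs.
func newCA(years int) (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example internal CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
	}
	return issue(tmpl, tmpl, nil)
}

// issueServiceCert signs one server certificate (valid for days) carrying every DNS name as a SAN.
func issueServiceCert(ca *x509.Certificate, caKey ed25519.PrivateKey, names []string, days int) (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: names, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
	}, ca, caKey)
}

// uncoveredNames returns the DNS names for which leaf does not chain to bundle: the check a browser,
// the CLI and kapp-controller effectively perform, and the one that fails after a CA rotation.
func uncoveredNames(leaf *x509.Certificate, bundle *x509.CertPool, names []string) []string {
	var missing []string
	for _, name := range names {
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, DNSName: name}); err != nil {
			missing = append(missing, name)
		}
	}
	return missing
}
```

Run against a bundle holding only a freshly rotated CA, the old leaf fails for every name, which is why the steps above must be repeated for each cluster after the CA is replaced.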