By specifying either the caCertData or certManager.clusterIssuer at installation time, you can easily configure the scg-operator and gateway with the right client TLS configuration for your needs.

Adding your self-signed cert with caCertData

This approach is typically used to allow the gateway and scg-operator to communicate with servers outside the cluster that present certificates signed by a common self-signed root certificate. Create a values file containing your PEM-encoded root certificate:

caCertData: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

And then use the new values file when installing Spring Cloud Gateway for Kubernetes:

tanzu package install spring-cloud-gateway \
    --namespace ${package_namespace} \
    --package spring-cloud-gateway.tanzu.vmware.com \
    --values-file values.yaml \
    --version ${version}

The scg-operator and all gateways will use the provided certificate. A copy of the secret will be made in the namespace of the gateway. When the secret for the scg-operator is updated, the secrets in the gateway namespaces will be updated and the gateway will update its truststore using hot-reload.

Important It can take up to a minute for the gateway to update its certificate.

Caution Specifying the certificate will replace the default truststore on the gateway.
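Because the certificate in caCertData becomes the gateway's only truststore, it is worth checking the values file before running the install. The following Go program is an added example, not part of this documentation or of the scg-operator: it extracts the caCertData block scalar and requires every PEM block in it to be a CA certificate that is valid right now. The certificate it checks is a constructed, throwaway self-signed root standing in for a real one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// checkCACertData extracts the literal block scalar under "caCertData: |" and requires every
// PEM block in it to be a CA certificate valid at now; it returns the subject CNs found.
func checkCACertData(values string, now time.Time) ([]string, error) {
	_, after, _ := strings.Cut(values, "caCertData: |\n")
	var pemText []byte // block scalar lines keep the two-space indent; the next top-level key ends it
	for _, line := range strings.Split(after, "\n") {
		if !strings.HasPrefix(line, "  ") {
			break
		}
		pemText = append(pemText, strings.TrimPrefix(line, "  ")+"\n"...)
	}
	var subjects []string
	for block, rest := pem.Decode(pemText); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		// A parse failure leaves cert nil, so the short-circuit below must test err first.
		if err != nil || !cert.IsCA || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			return nil, fmt.Errorf("caCertData block %d: not a CA certificate valid at %s (parse error: %v)", len(subjects)+1, now.Format(time.RFC3339), err)
		}
		subjects = append(subjects, cert.Subject.CommonName)
	}
	if len(subjects) == 0 {
		return nil, fmt.Errorf("no PEM certificate found under caCertData")
	}
	return subjects, nil
}

// constructedValues mints a throwaway self-signed certificate (constructed test input, not a
// real root) and indents it under caCertData the way the values file needs.
func constructedValues(cn string, isCA bool) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	p := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})))
	return "caCertData: |\n  " + strings.ReplaceAll(p, "\n", "\n  ") + "\n"
}
```

To check a real values.yaml, read the file into a string and pass it to checkCACertData with time.Now().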

Using the cert-manager ClusterIssuer

This approach is typically used to allow the gateway and scg-operator to communicate with servers within the cluster that present certificates signed by the cert-manager ClusterIssuer. This requires cert-manager to be installed on the cluster. When you install Tanzu Application Platform (TAP) using profiles, a self-signed ClusterIssuer is included by default.

Create a values file with the ClusterIssuer:

certManager:
  clusterIssuer: tap-ingress-selfsigned

And then use the new values file when installing Spring Cloud Gateway for Kubernetes:

tanzu package install spring-cloud-gateway \
    --namespace ${package_namespace} \
    --package spring-cloud-gateway.tanzu.vmware.com \
    --values-file values.yaml \
    --version ${version}

A cert-manager certificate will be created during the installation, and a TLS secret will be populated with the CA cert.

Important No ingress will be created.

The scg-operator and all gateways will use the provided certificate. A copy of the secret containing the CA cert will be made in the namespace of the gateway. When the TLS secret for the scg-operator is updated, the secrets in the gateway namespaces are updated and the gateway updates its truststore using hot-reload.

Important It can take up to a minute for the gateway to update its certificate.

Caution Specifying the cert will replace the default truststore on the gateway.
