By default, Tanzu Application Platform installs and uses a self-signed CA for issuing TLS certificates to components for the purpose of securing ingress communication.
The ingress issuer is a self-signed `cert-manager.io/v1/ClusterIssuer` provided by Tanzu Application Platform's cert-manager package. Its default name is
To understand how each component uses the ingress issuer, see the component documentation.
As of v1.4.0, not all components use the ingress issuer. For an overview of the components that participate, see the Release notes.
Tanzu Application Platform's default ingress issuer can be replaced by any other `ClusterIssuer`. To replace the default ingress issuer, create a `ClusterIssuer` and set `shared.ingress_issuer` to the name of the issuer. After the configuration is applied, components eventually obtain certificates from the new issuer and serve them.
Tanzu Application Platform's cert-manager package must be present for the `ClusterIssuer` API to be available. This means you can only create your own `ClusterIssuer` after the initial installation. You can, however, reference your issuer in the initial installation values.
For example, to use Let's Encrypt's production API to issue TLS certificates:

1. Update and apply Tanzu Application Platform's installation values so that `shared.ingress_issuer` denotes the bespoke issuer:

   ```yaml
   #! my-tap-values.yaml
   #! ...
   shared:
     ingress_issuer: letsencrypt-production
   #! ...
   ```

2. Create a `ClusterIssuer` for Let's Encrypt's production API:

   ```yaml
   ---
   apiVersion: cert-manager.io/v1
   kind: ClusterIssuer
   metadata:
     name: letsencrypt-production
   spec:
     acme:
       email: email@example.com
       privateKeySecretRef:
         name: letsencrypt-production
       server: https://acme-v02.api.letsencrypt.org/directory
       solvers:
       - http01:
           ingress:
             class: contour
   ```

Let's Encrypt's production API has rate limits.
For more information about the possible configurations of `ClusterIssuer`, see the cert-manager documentation.
Although VMware discourages this, you can deactivate the ingress issuer by setting `shared.ingress_issuer: ""`. As a result, components consider TLS for ingress to be deactivated.
You can override TLS settings for each component. In your Tanzu Application Platform installation values, set the component's values that you want; they take precedence over `shared` values. See each component's documentation to understand its settings for ingress and TLS.
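The following is an added example, not part of the Tanzu Application Platform documentation or its tooling: a small pre-apply lint that checks the `shared.ingress_issuer` setting against the `ClusterIssuer` objects you intend to apply, and resolves which issuer a component ends up with when a component-level value overrides the `shared` one. It models the installation values and the `ClusterIssuer` manifest as already-parsed dicts (the constructed samples mirror the Let's Encrypt example above) so it runs offline; the component name `hypothetical_component` used in the precedence check is an assumption, not a real Tanzu Application Platform component key.

```python
# Added example (not part of the Tanzu Application Platform docs or tooling):
# a pre-apply lint for shared.ingress_issuer. Installation values and
# ClusterIssuer objects are modelled as dicts (i.e. parsed YAML) so it runs offline.
from __future__ import annotations

from typing import Any

# ACME directory URL taken from the page's ClusterIssuer example.
LETSENCRYPT_PRODUCTION = "https://acme-v02.api.letsencrypt.org/directory"

# Constructed sample input mirroring the page's my-tap-values.yaml snippet.
SAMPLE_VALUES: dict[str, Any] = {
    "shared": {"ingress_issuer": "letsencrypt-production"},
}

# Constructed sample input mirroring the page's ClusterIssuer manifest.
SAMPLE_ISSUER: dict[str, Any] = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-production"},
    "spec": {
        "acme": {
            "email": "email@example.com",
            "privateKeySecretRef": {"name": "letsencrypt-production"},
            "server": LETSENCRYPT_PRODUCTION,
            "solvers": [{"http01": {"ingress": {"class": "contour"}}}],
        }
    },
}


def find_cluster_issuer(name: str, cluster_issuers: list[dict[str, Any]]) -> dict[str, Any] | None:
    """Return the ClusterIssuer whose metadata.name matches, or None if absent."""
    for obj in cluster_issuers:
        if obj.get("kind") == "ClusterIssuer" and obj.get("metadata", {}).get("name") == name:
            return obj
    return None


def check_ingress_issuer(values: dict[str, Any], cluster_issuers: list[dict[str, Any]]) -> list[str]:
    """Return ERROR/WARN/INFO findings about the shared.ingress_issuer setting."""
    findings: list[str] = []
    shared = values.get("shared", {})
    if "ingress_issuer" not in shared:
        findings.append("INFO: shared.ingress_issuer not set; the default self-signed ingress issuer is used")
        return findings
    name = shared["ingress_issuer"]
    if name == "":
        # The page's documented way to deactivate TLS for ingress; worth a loud warning.
        findings.append('WARN: shared.ingress_issuer is ""; components treat TLS for ingress as deactivated')
        return findings
    issuer = find_cluster_issuer(name, cluster_issuers)
    if issuer is None:
        findings.append(f"ERROR: no ClusterIssuer named {name!r}; components cannot obtain certificates from it")
        return findings
    if issuer.get("apiVersion") != "cert-manager.io/v1":
        findings.append(f"WARN: ClusterIssuer {name!r} is not cert-manager.io/v1")
    acme = issuer.get("spec", {}).get("acme")
    if acme is not None:
        # Fields the page's ACME example relies on; a missing one leaves the issuer unusable.
        for key in ("email", "server", "privateKeySecretRef", "solvers"):
            if key not in acme:
                findings.append(f"ERROR: ClusterIssuer {name!r} spec.acme is missing {key!r}")
        if acme.get("server") == LETSENCRYPT_PRODUCTION:
            findings.append(f"INFO: ClusterIssuer {name!r} uses the Let's Encrypt production API, which is rate limited")
        for solver in acme.get("solvers", []):
            ingress = solver.get("http01", {}).get("ingress", {})
            # The page's solver selects the ingress by class; newer cert-manager also accepts ingressClassName.
            if "http01" in solver and "class" not in ingress and "ingressClassName" not in ingress:
                findings.append(f"WARN: ClusterIssuer {name!r} has an http01 solver without an ingress class")
    return findings


def effective_ingress_issuer(values: dict[str, Any], component: str) -> str | None:
    """A component-level ingress_issuer takes precedence over shared.ingress_issuer."""
    component_values = values.get(component, {})
    if "ingress_issuer" in component_values:
        return component_values["ingress_issuer"]
    return values.get("shared", {}).get("ingress_issuer")


def has_errors(findings: list[str]) -> bool:
    """True if any finding would block applying the values."""
    return any(f.startswith("ERROR") for f in findings)


if __name__ == "__main__":
    for line in check_ingress_issuer(SAMPLE_VALUES, [SAMPLE_ISSUER]):
        print(line)
```

Run it before `tanzu package installed update` (or whichever apply step you use) with your real values and manifests loaded into the two dicts; an `ERROR` finding means components would be left waiting for certificates from an issuer that does not exist, while the `WARN` for an empty `shared.ingress_issuer` flags the deactivated-TLS case the page discourages.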