This topic tells you how to configure workloads to trust a custom Certificate Authority (commonly called CA) for Application Single Sign-On (commonly called AppSSO).
When a ClientRegistration selects an AuthServer that serves a certificate from a custom CA, your Workload does not trust it by default. This is because the certificate is not issued by a trusted certificate authority from the Workload's point of view.
To establish trust between a Workload and an AuthServer:

1. Service Operator exports the custom CA certificate Secret. See Exporting custom CA certificate Secret.
2. Service Operator imports the custom CA certificate Secret. See Importing custom CA certificate Secret.
3. Append the deployed custom CA certificate Secret reference to the Workload. See Appending custom CA certificate Secret reference to Workload.
These steps are mandatory if Tanzu Application Platform is installed with the default self-signed ClusterIssuer resource, in which case the CA is custom.
The ca-certificates service binding Secret allows you to configure trust for custom CAs.
For more information about exporting CA certificate Secrets, see Allow Workloads to trust a custom CA AuthServer.
Example: Create a ca-certificates-type ServiceBinding Secret from a template and offer Tanzu Application Platform's default self-signed CA certificate Secret to the workloads namespace.

```yaml
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretTemplate
metadata:
  name: tap-ca-cert
  namespace: cert-manager # The namespace in which your custom CA Secret resides.
spec:
  inputResources:
    - name: tap-ingress-selfsigned-root-ca
      ref:
        apiVersion: v1 # The custom CA certificate Secret.
        kind: Secret # ^^
        name: tap-ingress-selfsigned-root-ca # ^^
  template:
    data:
      ca.crt: $(.tap-ingress-selfsigned-root-ca.data.tls\.crt)
    stringData:
      type: ca-certificates
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
  name: tap-ca-cert # The name of the SecretTemplate that created the "ca-certificates" Secret.
  namespace: cert-manager # The namespace in which Tanzu Application Platform's self-signed ClusterIssuer stores its CA cert Secret.
spec:
  toNamespace: my-apps # The namespace in which Workloads are deployed.
```
After the custom CA certificate Secret is exported from its original namespace, you can import it into the workloads’ namespace.
Example: Accept Tanzu Application Platform's default self-signed CA certificate Secret offer.

```yaml
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretImport
metadata:
  name: tap-ca-cert
  namespace: my-apps # The namespace in which Workloads are deployed.
spec:
  fromNamespace: cert-manager # The namespace in which your custom CA certificate Secret resides.
```
With the custom CA certificate available in the workloads' namespace, you can append it to the Workload as a service resource claim.

Example: Appending the custom CA certificate Secret as a resource claim.

```yaml
---
apiVersion: carto.run/v1alpha1
kind: Workload
# ...
spec:
  serviceClaims:
    - name: ca-cert
      ref:
        apiVersion: v1 # The custom CA Secret template that is imported into the workloads' namespace.
        kind: Secret # ^^
        name: tap-ca-cert # ^^
# ...
```
Alternatively, you can provide the workload with a --service-ref parameter for the same effect:
For more information about secretgen-controller and its APIs, see secretgen-controller documentation in GitHub.
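The four resources above only work together when their names and namespaces line up: the SecretExport must name the SecretTemplate's output Secret, the SecretImport must sit in the export's toNamespace and point back at the source namespace, and the Workload's service claim must reference the imported Secret. The following pre-apply check is an added example, not code from the Tanzu documentation or from secretgen-controller; the manifests are embedded as Python dicts (mirroring the page's YAML) so it runs offline, and the check of the `$(...)` template expression is a simplified reading of secretgen's syntax.

```python
# Added example: consistency check for the SecretTemplate -> SecretExport ->
# SecretImport -> Workload chain described on this page (not the project's code).
import re

# Simplified match for secretgen's "$(.<inputResource>.data.<key>)" expressions.
INPUT_REF = re.compile(r"\$\(\.([A-Za-z0-9_-]+)\.data\.")

def check_ca_trust_chain(template, export, imp, workload):
    """Return a list of problems; an empty list means the four resources agree."""
    problems = []
    t_meta, e_meta, i_meta = template["metadata"], export["metadata"], imp["metadata"]
    # 1. The rendered Secret must be a ca-certificates binding whose ca.crt comes
    #    from a declared inputResource (otherwise the template renders nothing).
    tmpl = template["spec"]["template"]
    if tmpl.get("stringData", {}).get("type") != "ca-certificates":
        problems.append("SecretTemplate: stringData.type must be 'ca-certificates'")
    ca_expr = tmpl.get("data", {}).get("ca.crt", "")
    declared = {r["name"] for r in template["spec"].get("inputResources", [])}
    m = INPUT_REF.match(ca_expr)
    if not m or m.group(1) not in declared:
        problems.append(f"SecretTemplate: data['ca.crt'] references an undeclared input ({ca_expr!r})")
    # 2. The export must name the template's output Secret, in the same namespace.
    if (e_meta["name"], e_meta["namespace"]) != (t_meta["name"], t_meta["namespace"]):
        problems.append("SecretExport: name/namespace must match the SecretTemplate")
    # 3. Export target and import source must point at each other; keep the offer
    #    scoped to the workloads namespace rather than every namespace.
    to_ns = export["spec"]["toNamespace"]
    if to_ns == "*":
        problems.append("SecretExport: toNamespace '*' offers the Secret to every namespace; scope it")
    if to_ns != i_meta["namespace"]:
        problems.append(f"SecretImport: must live in {to_ns!r}, found {i_meta['namespace']!r}")
    if imp["spec"]["fromNamespace"] != e_meta["namespace"]:
        problems.append("SecretImport: fromNamespace must equal the SecretExport namespace")
    if i_meta["name"] != e_meta["name"]:
        problems.append("SecretImport: name must equal the exported Secret name")
    # 4. The Workload's service claim must reference that imported v1 Secret.
    want = {"apiVersion": "v1", "kind": "Secret", "name": i_meta["name"]}
    claims = workload["spec"].get("serviceClaims", [])
    if not any(all(c["ref"].get(k) == v for k, v in want.items()) for c in claims):
        problems.append("Workload: no serviceClaims entry references the imported Secret")
    return problems

# Constructed manifests mirroring the page's examples (names are the page's own).
TEMPLATE = {"metadata": {"name": "tap-ca-cert", "namespace": "cert-manager"},
            "spec": {"inputResources": [{"name": "tap-ingress-selfsigned-root-ca"}],
                     "template": {"data": {"ca.crt": "$(.tap-ingress-selfsigned-root-ca.data.tls\\.crt)"},
                                  "stringData": {"type": "ca-certificates"}}}}
EXPORT = {"metadata": {"name": "tap-ca-cert", "namespace": "cert-manager"}, "spec": {"toNamespace": "my-apps"}}
IMPORT = {"metadata": {"name": "tap-ca-cert", "namespace": "my-apps"}, "spec": {"fromNamespace": "cert-manager"}}
WORKLOAD = {"spec": {"serviceClaims": [{"name": "ca-cert",
                                        "ref": {"apiVersion": "v1", "kind": "Secret", "name": "tap-ca-cert"}}]}}
```

Run `check_ca_trust_chain(TEMPLATE, EXPORT, IMPORT, WORKLOAD)` before applying the manifests; a non-empty list names the resource that would leave the Workload without the CA.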