Enable TLS Ingress to a Space

This topic tells you how to enable TLS Ingress to a Space on Tanzu Platform for Kubernetes.

Tanzu Application Engine enables platform teams to ensure that all Ingress traffic to a Space is TLS-encrypted by using a third-party certificate authority (CA) or a self-signed certificate. You can use Vault to provide and integrate third-party CAs.

Install the Gateway API

The Gateway API is a prerequisite for configuring TLS communications in a Space. To install the Gateway API:

  1. In Tanzu Platform hub, scroll down to Application Platform.
  2. Click Application Spaces > Capabilities.
  3. Click the Gateway API Capability.
  4. Select the cluster group to install the Capability in.
  5. Click Install Package.

Install the certificate manager

The certificate manager is a prerequisite for configuring TLS communications in a Space. To install the certificate manager:

  1. In Tanzu Platform hub, scroll down to Application Platform.
  2. Click Application Spaces > Capabilities.
  3. Click the Certificate Manager Capability.
  4. Select the cluster group to install the Capability in.
  5. Click Install Package.

Integrate the Vault CA for Ingress

Ensure that the packages that provide networking Capabilities are configured with the necessary CA information.

Note

If you use multiple cluster groups, either enable Vault for all of them or enable Vault for none of them. Do not enable Vault for only one group or only some groups.

To configure the prerequisites for Ingress to use TLS encryption:

  1. In Tanzu Platform hub, scroll down to Application Platform.
  2. Click Application Spaces > Capabilities.
  3. Click the Ingress Capability.
  4. Select the cluster group to install the Capability in.
  5. Click Advanced Configuration > YAML.

  6. Enter Vault endpoint details by pasting the following YAML snippet into the text field:

    clusterIngressCa:
  vault:
    path: <ingress-policy>/sign/<ingress-role>
    server: <vault_url>
    caBundle: <server_ca_bundle>
    auth:
      token: <base64_api_token>

    The flags in this snippet are described in the following table:

    Flag Description
    path This is the signing endpoint path for the Vault server, and is created by Vault’s ingress-role role.
    server This is the URL where the Vault server is hosted. For example, https://vault.example.com:8200.
    caBundle This is only required if using HTTPS to access the Vault server, and it must be a base64-encoded CA bundle.
    token This is a base64-encoded API access token for accessing the Vault server.

  7. Click Install Package.

Update the networking Profile to use TLS or create a new Profile

Update the networking Profile that you created when setting up the infrastructure to create an application environment or create a new Profile with this configuration.

  1. In Tanzu Platform hub, scroll down to Application Platform.
  2. Click Application Spaces > Profiles.
  3. Click View Details on the networking Profile that you created when setting up the infrastructure to create an application environment.
  4. Click Actions > Edit Configuration.
  5. Click Next in the Basic Information step.
  6. In the Traits section of the form, expand the Configure multicloud-ingress.tanzu.vmware.com area.
  7. Set the useClusterIssuer field as true.
  8. Click Update.
check-circle-line exclamation-circle-line close-line
Scroll to top icon