TKG Extensions require TLS certificates. You can install cert-manager to satisfy this prerequisite, or you can use your own self-signed certificates. Certificates from a CA are also supported.

About Using Your Own TLS Certificates with TKG Extensions

Installing cert-manager is documented as part of the deployment process for each TKG Extension. Alternatively, you can use your own TLS certificates.
Note: This task assumes you are using a Linux host with OpenSSL installed.

Generate a Certificate Authority Certificate

In a production environment, you should obtain a certificate from a CA. In a dev or test environment, you can generate your own self-signed CA and use it to sign the server certificate. To generate the CA certificate, complete the following instructions.
  1. Generate a CA certificate private key.
    openssl genrsa -out ca.key 4096
  2. Generate the CA certificate.
    Use the following command as a template and update the values in the -subj option for your environment. The common name (CN) here identifies the CA, not the host: give it a value that is distinct from the server certificate's subject. The FQDN you use to connect to your TKG Extensions host belongs in the server certificate's CN and Subject Alternative Name, which you set in the next section; a CA and a server certificate that share an identical subject can confuse certificate chain building in some TLS implementations.
    openssl req -x509 -new -nodes -sha512 -days 3650 \
     -subj "/C=US/ST=PA/L=PA/O=example/OU=Personal/CN=tkg-extensions-ca" \
     -key ca.key \
     -out ca.crt
    

Generate a Server Certificate

The server certificate consists of two files, the certificate and its private key, for example tls.crt and tls.key.
  1. Generate a private key.
    openssl genrsa -out tls.key 4096
  2. Generate a certificate signing request (CSR).
    Use the following command as a template and update the values in the -subj option for your environment. If you use an FQDN to connect to your TKG Extensions host, specify this FQDN as the common name (CN) attribute and, in step 3, as a DNS entry in the Subject Alternative Name; TLS clients validate the SAN, so the CN alone is not sufficient. You can name the key and CSR files after the FQDN if you manage certificates for several hosts; this example keeps tls.key and tls.csr.
    openssl req -sha512 -new \
        -subj "/C=US/ST=PA/L=PA/O=example/OU=Personal/CN=tkg-extensions.system.tanzu" \
        -key tls.key \
        -out tls.csr
    
  3. Generate an X.509 v3 extension file.

    Use the following command as a template. The file marks the certificate as a non-CA, server-authentication certificate and adds the Subject Alternative Name (SAN) entry that TLS clients require; the FQDN of your TKG Extensions host must appear under [alt_names]. Add further DNS.n entries if the host is reached under more than one name.

    cat > v3.ext <<-EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1=tkg-extensions.system.tanzu
    EOF
    
  4. Use the X.509 v3 extension file to sign the CSR with your CA and produce the certificate for your TKG Extensions host. The -CAcreateserial option creates ca.srl next to ca.crt; keep that file so that later certificates signed by this CA get distinct serial numbers.
    openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in tls.csr \
    -out tls.crt
    
  5. Copy the content of the files ca.crt, tls.crt and tls.key into the TKG-EXTENSION-data-values.yaml file using the following format. Each value is a YAML literal block (|), so every PEM line, including the BEGIN and END markers, must be indented consistently under its key.
    ingress:
      tlsCertificate:
        tls.crt: |
            -----BEGIN ...
    
  6. Proceed with deploying a supported TKG Extension as documented.
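The complete procedure above as a script, added here as an example and not taken from the TKG documentation: it creates the private CA with a subject distinct from the server's, generates the server key and CSR, writes the v3 extension file with the SAN, signs the CSR, and then runs the checks worth doing before the PEM files are pasted into the data-values file (the leaf chains to the CA, is valid for the host name, and matches the private key). It also renders a file in the literal-block form shown in step 5. The FQDN, subject fields, CA name and function names are assumptions for illustration; OpenSSL 1.1.1 or newer on PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the TKG documentation): private CA, server
# certificate with SAN, pre-deployment checks, and YAML literal rendering.
# Assumes OpenSSL 1.1.1+ on PATH. FQDN and subject values are placeholders.
set -eu

# Assumption: a test CA subject that is deliberately distinct from the server's.
CA_SUBJ="/C=US/ST=PA/L=PA/O=example/OU=Personal/CN=tkg-extensions-ca"

gen_ca() {
  # $1 = working directory; writes ca.key and ca.crt
  openssl genrsa -out "$1/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "$CA_SUBJ" -key "$1/ca.key" -out "$1/ca.crt"
}

gen_server_cert() {
  # $1 = working directory (already holds ca.key/ca.crt), $2 = host FQDN.
  # The FQDN goes into both the CN and the DNS SAN; clients validate the SAN.
  dir=$1 fqdn=$2
  openssl genrsa -out "$dir/tls.key" 4096 2>/dev/null
  openssl req -sha512 -new \
    -subj "/C=US/ST=PA/L=PA/O=example/OU=Personal/CN=$fqdn" \
    -key "$dir/tls.key" -out "$dir/tls.csr"
  # X.509 v3 extensions for a leaf server certificate: not a CA, server auth only.
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$fqdn
EOF
  # -CAcreateserial writes ca.srl next to ca.crt; keep it for later issuances.
  openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/tls.csr" -out "$dir/tls.crt" 2>/dev/null
}

check_server_cert() {
  # $1 = working directory, $2 = FQDN the extension will be reached at.
  # Prints "ok" when tls.crt chains to ca.crt, is valid for the host name and
  # matches tls.key; prints "fail" otherwise.
  dir=$1 fqdn=$2
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$fqdn" "$dir/tls.crt" \
    >/dev/null 2>&1 || { echo fail; return 0; }
  # Compare the public key embedded in the certificate with the one derived
  # from the private key; a mismatch means the wrong key file was kept.
  cert_pub=$(openssl x509 -in "$dir/tls.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/tls.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo fail; return 0; }
  echo ok
}

yaml_literal() {
  # $1 = YAML key, $2 = PEM file, $3 = indentation of the key (spaces).
  # Emits "key: |" followed by the file body indented four more spaces, which
  # is the literal block form the data-values file expects.
  printf '%s%s: |\n' "$3" "$1"
  sed "s/^/$3    /" "$2"
}

demo() {
  work=$(mktemp -d)
  gen_ca "$work"
  gen_server_cert "$work" tkg-extensions.system.tanzu
  echo "verification: $(check_server_cert "$work" tkg-extensions.system.tanzu)"
  printf 'ingress:\n  tlsCertificate:\n'
  yaml_literal tls.crt "$work/tls.crt" "    "
  rm -rf "$work"
}
demo
```

Run check_server_cert with the exact FQDN that clients will use; a certificate that verifies against the CA but fails -verify_hostname is the most common reason an extension's TLS endpoint is rejected after deployment. Render tls.key and ca.crt with yaml_literal in the same way, under the key names your extension's data-values file uses.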