Thumbnail image

Auto Generating TLS Certificates for Tanzu Application Platform (TAP) Workloads

Table of Contents


As part of learning and using Tanzu Application Platform (TAP), I looked into auto generating TLS certificates, for the Workloads I provision.

The full documentation for what I describe in this blog post, can be found here. This blog post, describes how I did it, with with the set of components, that I use.

TAP installs Cert-Manager as part of the installation. Other than being a really cool solution, it also made sense to use that, to generate the certificates I needed.


To be able to create new certificates, I created a Clusterissuer, that could generate certificates from Let’s Encyrpt, by using DNS validation, via CloudFlares API.

This requires having your domains hosted by Cloudflare, and to generate a API key. It’s easy, and very well decribed in Cert-Managers documentation here.

The first thing I needed to do, was to create a secret, with the API key, to communicate, with Cloudflare.


apiVersion: v1
kind: Secret
  name: cloudflare-api-token
  namespace: cert-manager
type: Opaque
  api-token: YOURAPITOKEN

Replace “YOURAPITOKEN” with your own token and run

kubectl apply -f secret.yaml

Then I created the ClusterIssuer, that was going to use that secret


kind: ClusterIssuer
  name: letsencrypt
  namespace: cert-manager
    email: YOUREMAIL
      name: letsencrypt-account-key
    - dns01:
          email: YOUREMAIL
            name: cloudflare-api-token
            key: api-token

Replace “YOUREMAIL” with your own email and run

kubectl apply -f clusterissuer.yaml

You should now have the ability to create valid certificates.

The next part, was configuring TAP to do this automaticly.

For this, I needed to update 2 configmaps. I did this by creating the following file


  issuerRef: |
    kind: ClusterIssuer
    name: letsencrypt

Witch I used to update the config-certmanager configmap, by running the following

kubectl patch configmap config-certmanager -n knative-serving --patch-file patch-certmanager-tls.yaml

Then I created


  auto-tls: Enabled
  http-protocol: Redirected

To set TLS to be autogenerated, and to redirect to HTTPS. And used that to patch onfig-network configmap, by running

kubectl patch configmap config-network -n knative-serving --patch-file patch-network-tls.yaml

And that was it. All workloads, is now deployed with a valid certificate :-) Certificate

Note if you wan’t Tap-Gui to also use a HTTPS certificate, from cert-manager (You should) then the documentation, on how to do that is found here.

Photo by Bank Phrom on Unsplash

Related Posts