This article refers to the Tanzu Application Platform ( TAP)

Checklist:

Tanzu Application Platform (TAP) - Certificates FAQ
To help make TAP installation and configuration experience as simple as possible, R&D team compiled a list of most frequently asked questions.

1. How do I set up auto TLS for my workload?

• Follow the instructions outlined in the Enabling Automatic TLS Certificate Provisioning for Cloud Native Runtimes for Tanzu document.
• Because Cloud Native Runtimes is one of the packages installed with TAP, an overlay is needed in order for changes made to the config-network configmap in the knative-serving namespace to persist. The config map changes are outlined in the document linked above. Below are a series of commands to set a cnr overlay. 

Create a cnrs overlay yaml, with autoTLS set to Enabled

cat <<EOF > cnrs-overlay-auto-tls.yaml
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"kind":"ConfigMap", "metadata":{"name":"config-network","namespace":"knative-serving"}})
---
data:
  #@overlay/match missing_ok=True
  autoTLS: Enabled
EOF

Create a generic secret using the yaml produced above

kubectl -n tap-install create secret generic cnrs-overlay-auto-tls \
  -o yaml \
  --dry-run=client \
  --from-file=cnrs-overlay-auto-tls.yaml \
  | kubectl apply -f-

Append a package_overlays section to tap-values.yaml, referencing the secret created above

cat <<EOF >> tap-values.yaml

package_overlays:
- name: cnrs
  secrets:
  - name: cnrs-overlay-auto-tls
EOF

Update tap packages

tanzu package installed update tap -n tap-install -v [x.x.x] -f tap-values.yaml

  where x.x.x is the TAP version 
 

2. How do I introduce an additional trusted registry CA for TAP components.