Controller Deployment Overview
Getting Started
These requirements apply to all controller deployments. Check out the Linux, Docker, and Kubernetes articles for more details.
Requirements
- a root CA for the cluster
- a signer CA certificate, identity certificates, and configuration YAML file for each node
- an initialized database on the first node, replicated to subsequent nodes
The Cluster Root CA Certificate
Before provisioning your first node, you must create a new public key infrastructure (PKI) for the cluster. This includes a root CA certificate and private key.
The cluster's root CA is never required on any node. For security, keep the root CA (in particular its private key) separate from the deployment environment rather than on the first node; for convenience, the root CA may instead be co-located with the first node in the cluster.
The Edge Enrollment Signer CA Certificate
Each node must have an edge enrollment signer CA certificate issued by the cluster's root CA. In the configuration YAML file, the property edge.enrollment.signingCert configures the edge signer CA certificate and private key. The edge signer CA issues leaf certificates during identity and router enrollment.
The Controller's Identity Certificates
These are leaf certificates issued by the edge enrollment signer CA. In the configuration YAML file, the property identity configures the controller's identity certificates and private keys.
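The three-tier hierarchy described in the preceding sections (cluster root CA, edge enrollment signer CA issued by it, and a controller identity leaf issued by the signer) can be built and checked with the openssl CLI. The script below is an added example, not code from the original page or from the project it documents; it assumes openssl 1.1.1 or later is installed, and the subjects, file names and validity periods are constructed for illustration.

```sh
# Added example, not from the original page: builds the three-tier PKI the overview
# describes (cluster root CA -> edge enrollment signer CA -> controller identity leaf)
# with openssl and checks the chain as a node would. Names and validity periods are assumptions.
set -e
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Minimal openssl config so the run does not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_signer]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth,clientAuth
EOF
}

build_cluster_pki() {
  d="$1"; c="$d/pki.cnf"; write_cnf "$d"
  # 1. Cluster root CA: self-signed; the key stays off every node, only root.pem is distributed.
  openssl req -x509 -config "$c" -extensions v3_root $EC -keyout "$d/root.key" \
    -out "$d/root.pem" -days 3650 -subj "/CN=cluster-root-ca" 2>/dev/null
  # 2. Edge enrollment signer CA: issued by the root; pathlen:0 lets it issue only leaves.
  openssl req -config "$c" $EC -keyout "$d/signer.key" -out "$d/signer.csr" -subj "/CN=edge-signer-ca" 2>/dev/null
  openssl x509 -req -in "$d/signer.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$c" -extensions v3_signer -days 1825 -out "$d/signer.pem" 2>/dev/null
  # 3. Controller identity: a leaf from the signer (the pair the identity property points at).
  openssl req -config "$c" $EC -keyout "$d/identity.key" -out "$d/identity.csr" -subj "/CN=ctrl1" 2>/dev/null
  openssl x509 -req -in "$d/identity.csr" -CA "$d/signer.pem" -CAkey "$d/signer.key" -CAcreateserial \
    -extfile "$c" -extensions v3_leaf -days 365 -out "$d/identity.pem" 2>/dev/null
}

# A node validates the identity with the root as trust anchor and the signer as intermediate.
verify_identity() { openssl verify -CAfile "$1/root.pem" -untrusted "$1/signer.pem" "$1/identity.pem" >/dev/null 2>&1; }
# Without the signer certificate the chain cannot be built, which is why every node carries it.
verify_without_signer() { openssl verify -CAfile "$1/root.pem" "$1/identity.pem" >/dev/null 2>&1; }

dir="${1:-$(mktemp -d)}"
build_cluster_pki "$dir"
verify_identity "$dir" && echo "identity chains to the cluster root via the signer CA in $dir"
```

Only root.pem, the signer certificate and key, and the identity certificate and key need to reach a node; root.key never does.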
The Configuration YAML File
The configuration YAML file is required for all nodes. It is used to configure the controller's signing cert, identity, database, listener addresses, and more.
A utility or template is provided for each type of deployment to assist with generating a valid configuration YAML file.