Custom Certificates

To use a custom certificate for validating the connection between the collector and the agent in on-premises environments, you must tell the agent where to find the certificate authority (CA) certificate that it should use for validation. The agent configuration provides an option to store the CA certificate in a designated location, from which the agent retrieves it for verification.

Some differences exist depending on the type of installation you are performing.

Host Installation

In a host installation, you can specify the location of the CA certificate in the dragent.yaml file.

ca_certificate: /path/to/ca.crt

For Windows host installations, the path should be in the format C:\path\to\ca.crt. On Windows hosts, stop the ConnectionManager and SecurityManager services before making this change.

After you modify the dragent.yaml file, restart the services to apply the changes.

Cluster Installation

In a cluster installation, you can specify the content of the custom certificate in the values.yaml file or pass it directly as a key-value pair on the helm command line.

Use the Key-Value Pair

Specify each parameter using the --set key=value[,key=value] argument to the helm install command.

helm install sysdig sysdig/sysdig-deploy \
    --set global.ssl.ca.certs[0]=<CA_CERTIFICATE>

Use values.yaml

The values.yaml file specifies the values for the configuration parameters. You can add the configuration to the values.yaml file, then use it in the helm install command.

global:
  ssl:
    ca:
      certs:
        - |
          -----BEGIN CERTIFICATE-----
          MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
          MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
          NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
          MMNlTAQ9fvdNOTzZntye0PQYR5SR13E=
          -----END CERTIFICATE-----
      # Filename that is used when creating the secret.  Required if cert is provided.
      keyName: "ca.crt"

Execute the following command after modifying the values.yaml file. This will mount the certificate as a secret in the agent namespace.

helm install sysdig sysdig/sysdig-deploy -f values.yaml
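A truncated or mangled paste of the PEM block into values.yaml is easy to miss until the agent fails to validate the collector. The following pre-flight check is an added example, not part of the Sysdig chart or tooling: it confirms that each certificate block decodes to one complete DER structure and then renders the global.ssl.ca section shown above. The function names are hypothetical, and the check covers encoding and framing only, not expiry, CA flags, or signatures.

```python
import base64, re, sys

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_RE = re.compile(BEGIN + r"\s*(.*?)\s*" + END, re.S)

def der_problem(der):
    """Return None if der is exactly one complete DER SEQUENCE, else a reason."""
    if len(der) < 2 or der[0] != 0x30:
        return "does not start with a DER SEQUENCE"
    if der[1] < 0x80:                        # short form: one length byte
        header, body = 2, der[1]
    else:                                    # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return "bad DER length field"
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + body != len(der):
        return f"DER declares {header + body} bytes, PEM body holds {len(der)}"

def check_pem_bundle(text):
    """Return (normalised PEM blocks that passed, list of problems found)."""
    blocks, problems = [], []
    for i, m in enumerate(PEM_RE.finditer(text)):
        b64 = "".join(m.group(1).split())    # drop line breaks and indentation
        try:
            why = der_problem(base64.b64decode(b64, validate=True))
        except ValueError as exc:            # binascii.Error is a ValueError
            why = f"invalid base64 ({exc})"
        if why:
            problems.append(f"cert {i}: {why}")
        else:
            lines = [b64[j:j + 64] for j in range(0, len(b64), 64)]
            blocks.append("\n".join([BEGIN, *lines, END]))
    return blocks, problems

def render_values(blocks, key_name="ca.crt"):
    """Render the global.ssl.ca section from the page, one list item per cert."""
    out = ["global:", "  ssl:", "    ca:", "      certs:"]
    for pem in blocks:
        out.append("        - |")
        out += ["          " + line for line in pem.splitlines()]
    out.append(f'      keyName: "{key_name}"')
    return "\n".join(out) + "\n"

if __name__ == "__main__":                   # usage: python3 check_ca.py < ca.crt
    blocks, problems = check_pem_bundle(sys.stdin.read())
    if problems or not blocks:
        sys.exit("\n".join(problems) or "no CERTIFICATE block found")
    print(render_values(blocks), end="")
```

Redirect the output to values.yaml only when the script exits cleanly; a non-zero exit lists the blocks that need to be re-exported from the CA.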

If the CA certificate already exists in a Secret or ConfigMap, you can reference it from the values.yaml file instead, using the options that match where it is stored.

# Provide the name of an existing Secret that contains the CA required
existingCaSecret: "my-certificate"
# Provide the filename that is defined inside the existing Secret
existingCaSecretKeyName: "ca.crt"
# Provide the name of an existing ConfigMap that contains the CA required
existingCaConfigMap: "my-ca-configmap"
# Provide the filename that is defined inside the existing ConfigMap
existingCaConfigMapKeyName: "ca.crt"
