Uploading Custom CA Certificates

As of serverless agent version 4.0.0, the orchestrator agent supports the uploading of CA certificates.

CA Certificate uploading through CloudFormation

The CloudFormation template orchestrator-agent.yaml >= 4.0.0 contains a Mappings section that can be configured to provide the orchestrator agent with up to two CA certificates: one for the OnPrem Collector and one for the HTTP Proxy.

Note that the orchestrator agent can use both CA Certificates at the same time.

Mappings:
  # Upload custom CA certificates
  CACertificate:
    Collector:
      Type: "base64"
      Value: ""
      Path: "/ssl/collector_cert.pem"
    HttpProxy:
      Type: "base64"
      Value: ""
      Path: "/ssl/proxy_cert.pem"

  # Advanced configuration options
  Configuration:
    Collector:
      CACertificate: ""  # /ssl/collector_cert.pem
    HttpProxy:
      ...
      CACertificate: ""  # /ssl/proxy_cert.pem

OnPrem Collector

The table below describes the fields to be used to configure the orchestrator for using a CA certificate intended for the OnPrem Collector.

Field | Default | Description
CACertificate.Collector.Type | base64 | The type of the certificate. Currently only base64 is supported.
CACertificate.Collector.Value | "" (empty) | The certificate. Currently only a base64 encoded certificate is supported.
CACertificate.Collector.Path | /ssl/collector_cert.pem | The path (absolute, or relative to /opt/draios) to the CA Certificate in the orchestrator agent.
Configuration.Collector.CACertificate | "" (empty) | The path to the CA certificate the orchestrator agent must use when connecting to the OnPrem Collector. It must be set to the same value as CACertificate.Collector.Path.

HTTP Proxy

The table below describes the fields to be used to configure the orchestrator for using a custom CA certificate intended for the HTTP Proxy.

Field | Default | Description
CACertificate.HttpProxy.Type | base64 | The type of the certificate. Currently only base64 is supported.
CACertificate.HttpProxy.Value | "" (empty) | The certificate. Currently only a base64 encoded certificate is supported.
CACertificate.HttpProxy.Path | /ssl/proxy_cert.pem | The path (absolute, or relative to /opt/draios) to the CA Certificate in the orchestrator agent.
Configuration.HttpProxy.CACertificate | "" (empty) | The path to the CA certificate the orchestrator agent must use when connecting to the HTTP Proxy. It must be set to the same value as CACertificate.HttpProxy.Path.

Uploading a CA Certificate for an OnPrem Collector

The example below describes how to configure the orchestrator agent to use a custom CA Certificate intended for an OnPrem Collector.

Step 1 - Encode your certificate to base64

Encode the CA Certificate to base64.

There are several ways to do so. For example, to encode the certificate custom_ca.crt in a Linux shell, run:

base64 custom_ca.crt

The result is a base64 encoded string.

Step 2 - Configure the template orchestrator-agent.yaml

Assuming the base64 encoded CA Certificate for the OnPrem Collector is myBase64EncodedCACertificate, edit the orchestrator-agent.yaml template as follows:

  • Set CACertificate.Collector.Value to myBase64EncodedCACertificate; this provides the orchestrator agent with the CA Certificate.
  • Set Configuration.Collector.CACertificate to the same value as CACertificate.Collector.Path; this configures the orchestrator agent to use the uploaded certificate when connecting to the OnPrem Collector.

Mappings:
  # Upload custom CA certificates
  CACertificate:
    Collector:
      Type: "base64"
      Value: "myBase64EncodedCACertificate"
      Path: "/ssl/collector_cert.pem"
    ...

  # Advanced configuration options
  Configuration:
    Collector:
      CACertificate: "/ssl/collector_cert.pem"
    ...

Step 3 - Deploy the template orchestrator-agent.yaml

You can now deploy the template you just configured.

The orchestrator agent will:

  1. decode the base64 encoded CA Certificate;
  2. store the decoded CA Certificate to the path defined in CACertificate.Collector.Path;
  3. use the CA Certificate defined in Configuration.Collector.CACertificate when connecting to the OnPrem Collector.

Uploading a CA Certificate for an HTTP Proxy

The example below describes how to configure the orchestrator agent to use a custom CA Certificate intended for an HTTP Proxy.

Refer to Enable HTTP Proxy for Serverless Agent for further details on how to configure the orchestrator agent to connect to an HTTP Proxy.

Step 1 - Encode your certificate to base64

Encode the CA Certificate to base64.

There are several ways to do so. For example, to encode the certificate custom_ca.crt in a Linux shell, run:

base64 custom_ca.crt

The result is a base64 encoded string.

Step 2 - Configure the template orchestrator-agent.yaml

Assuming the base64 encoded CA Certificate for the HTTP Proxy is myBase64EncodedCACertificate, edit the orchestrator-agent.yaml template as follows:

  • Set CACertificate.HttpProxy.Value to myBase64EncodedCACertificate; this provides the orchestrator agent with the CA Certificate.
  • Set Configuration.HttpProxy.CACertificate to the same value as CACertificate.HttpProxy.Path; this configures the orchestrator agent to use the uploaded certificate when connecting to the HTTP Proxy.

Mappings:
  # Upload custom CA certificates
  CACertificate:
    ...
    HttpProxy:
      Type: "base64"
      Value: "myBase64EncodedCACertificate"
      Path: "/ssl/proxy_cert.pem"

  # Advanced configuration options
  Configuration:
    ...
    HttpProxy:
      ...
      CACertificate: "/ssl/proxy_cert.pem"

Step 3 - Deploy the template orchestrator-agent.yaml

You can now deploy the template you just configured.

The orchestrator agent will:

  1. decode the base64 encoded CA Certificate;
  2. store the decoded CA Certificate to the path defined in CACertificate.HttpProxy.Path;
  3. use the CA Certificate defined in Configuration.HttpProxy.CACertificate when connecting to the HTTP Proxy.

CA Certificate uploading through Terraform

The Terraform module fargate-orchestrator-agent >= 0.3.0 exposes the following variables to provide the orchestrator agent with up to two custom CA certificates: one for the OnPrem Collector and one for the HTTP Proxy.

Note that the orchestrator agent can use both CA Certificates at the same time.

variable "collector_ca_certificate" {
  description = "Uploads the collector custom CA certificate to the orchestrator"
  type = object({
    type  = string
    value = string
    path  = string
  })
  default = ({
    type  = "base64"
    value = ""
    path  = "/ssl/collector_cert.pem"
  })
}

variable "collector_configuration" {
  description = "Advanced configuration options for the connection to the collector"
  type = object({
    ca_certificate = string
  })
  default = ({
    ca_certificate = "" # /ssl/collector_cert.pem
  })
}

variable "http_proxy_ca_certificate" {
  description = "Uploads the HTTP proxy CA certificate to the orchestrator"
  type = object({
    type  = string
    value = string
    path  = string
  })
  default = ({
    type  = "base64"
    value = ""
    path  = "/ssl/proxy_cert.pem"
  })
}

variable "http_proxy_configuration" {
  description = "Advanced configuration options for the connection to the HTTP proxy"
  type = object({
    ...
    ca_certificate = string
  })
  default = ({
    ...
    ca_certificate  = "" # /ssl/proxy_cert.pem
  })
}

OnPrem Collector

The table below describes the fields to be used to configure the orchestrator for using a CA certificate intended for the OnPrem Collector.

Field | Default | Description
collector_ca_certificate.type | base64 | The type of the certificate. Currently only base64 is supported.
collector_ca_certificate.value | "" (empty) | The certificate. Currently only a base64 encoded certificate is supported.
collector_ca_certificate.path | /ssl/collector_cert.pem | The path (absolute, or relative to /opt/draios) to the CA Certificate in the orchestrator agent.
collector_configuration.ca_certificate | "" (empty) | The path to the CA certificate the orchestrator agent must use when connecting to the OnPrem Collector. It must be set to the same value as collector_ca_certificate.path.

HTTP Proxy

The table below describes the fields to be used to configure the orchestrator for using a custom CA certificate intended for the HTTP Proxy.

Field | Default | Description
http_proxy_ca_certificate.type | base64 | The type of the certificate. Currently only base64 is supported.
http_proxy_ca_certificate.value | "" (empty) | The certificate. Currently only a base64 encoded certificate is supported.
http_proxy_ca_certificate.path | /ssl/proxy_cert.pem | The path (absolute, or relative to /opt/draios) to the CA Certificate in the orchestrator agent.
http_proxy_configuration.ca_certificate | "" (empty) | The path to the CA certificate the orchestrator agent must use when connecting to the HTTP Proxy. It must be set to the same value as http_proxy_ca_certificate.path.

Uploading a CA Certificate for an OnPrem Collector

The example below describes how to configure the orchestrator agent to use a custom CA Certificate intended for an OnPrem Collector.

Step 1 - Encode your certificate to base64

Encode the CA Certificate to base64.

There are several ways to do so. For example, to encode the certificate custom_ca.crt in a Linux shell, run:

base64 custom_ca.crt

The result is a base64 encoded string.

Step 2 - Configure the module fargate-orchestrator-agent

Assuming the base64 encoded CA Certificate for the OnPrem Collector is myBase64EncodedCACertificate, provide the module fargate-orchestrator-agent >= 0.3.0 with the following variables:

  • Set collector_ca_certificate.value to myBase64EncodedCACertificate; this provides the orchestrator agent with the CA Certificate.
  • Set collector_configuration.ca_certificate to the same value as collector_ca_certificate.path; this configures the orchestrator agent to use the uploaded certificate when connecting to the OnPrem Collector.

module "fargate-orchestrator-agent" {
  source                    = "sysdiglabs/fargate-orchestrator-agent/aws"
  version                   = "0.3.1"

  vpc_id                    = "my_vpc_id"
  subnets                   = ["my_subnet_a", "my_subnet_b"]
  access_key                = "my-access-key"

  collector_host            = var.collector_host
  collector_port            = var.collector_port

  ...

  collector_ca_certificate = {
    type  = "base64"
    value = "myBase64EncodedCACertificate"
    path  = "/ssl/collector_cert.pem"
  }

  # The variable declared by the module is collector_configuration (see the table above)
  collector_configuration = {
    ca_certificate = "/ssl/collector_cert.pem"
  }
}

Step 3 - Deploy the module fargate-orchestrator-agent

You can now deploy the Terraform module.

The orchestrator agent will:

  1. decode the base64 encoded CA Certificate;
  2. store the decoded CA Certificate to the path defined in collector_ca_certificate.path;
  3. use the CA Certificate defined in collector_configuration.ca_certificate when connecting to the OnPrem Collector.

Uploading a CA Certificate for an HTTP Proxy

The example below describes how to configure the orchestrator agent to use a custom CA Certificate intended for an HTTP Proxy.

Refer to Enable HTTP Proxy for Serverless Agent for further details on how to configure the orchestrator agent to connect to an HTTP Proxy.

Step 1 - Encode your certificate to base64

Encode the CA Certificate to base64.

There are several ways to do so. For example, to encode the certificate custom_ca.crt in a Linux shell, run:

base64 custom_ca.crt

The result is a base64 encoded string.

Step 2 - Configure the module fargate-orchestrator-agent

Assuming the base64 encoded CA Certificate for the HTTP Proxy is myBase64EncodedCACertificate, provide the module fargate-orchestrator-agent >= 0.3.0 with the following variables:

  • Set http_proxy_ca_certificate.value to myBase64EncodedCACertificate; this provides the orchestrator agent with the CA Certificate.
  • Set http_proxy_configuration.ca_certificate to the same value as http_proxy_ca_certificate.path; this configures the orchestrator agent to use the uploaded certificate when connecting to the HTTP Proxy.

module "fargate-orchestrator-agent" {
  source           = "sysdiglabs/fargate-orchestrator-agent/aws"
  version          = "0.3.1"

  vpc_id           = "my_vpc_id"
  subnets          = ["my_subnet_a", "my_subnet_b"]

  access_key       = "my-access-key"

  ...

  http_proxy_ca_certificate = {
    type  = "base64"
    value = "myBase64EncodedCACertificate"
    path  = "/ssl/proxy_cert.pem"
  }

  http_proxy_configuration  = {
    ...
    ca_certificate          = "/ssl/proxy_cert.pem"
  }
}

Step 3 - Deploy the module fargate-orchestrator-agent

You can now deploy the Terraform module.

The orchestrator agent will:

  1. decode the base64 encoded CA Certificate;
  2. store the decoded CA Certificate to the path defined in http_proxy_ca_certificate.path;
  3. use the CA Certificate defined in http_proxy_configuration.ca_certificate when connecting to the HTTP Proxy.
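A pre-deployment check for the uploaded certificate that covers both the CloudFormation Mappings section and the Terraform module variables described above; this is added example code, not part of the page, the agent or the Terraform module. It assumes the Mappings section has already been loaded into a Python dict (for instance with a YAML parser), uses a constructed placeholder PEM instead of a real CA certificate, and only checks what the tables state (base64 type and value, the /opt/draios-relative path rule, and that the configured CA path matches the upload path), not the agent's own decoding logic.

```python
import base64
import posixpath

AGENT_HOME = "/opt/draios"  # relative certificate paths resolve under this directory
PEM_BEGIN, PEM_END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"
# Constructed placeholder PEM (not a real certificate) so the check runs offline.
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholderConstructedNotARealCert==\n-----END CERTIFICATE-----\n"
SAMPLE_VALUE = base64.b64encode(FAKE_PEM).decode()

def resolve_path(path):
    """Absolute paths are used as-is; relative ones are taken under /opt/draios."""
    return path if path.startswith("/") else posixpath.join(AGENT_HOME, path)

def check_ca_upload(cert_type, value, path, configured_path, target):
    """Validate one upload target (Collector or HTTP proxy). Returns a list of problems;
    empty means the agent will decode, store at `path` and actually use the certificate."""
    problems = []
    if cert_type != "base64":
        problems.append(f"{target}: type must be 'base64', got {cert_type!r}")
    # GNU `base64 file` wraps its output at 76 columns; drop that whitespace before
    # strict decoding so a pasted multi-line string is not wrongly rejected.
    compact = "".join(value.split())
    if not compact:
        problems.append(f"{target}: value is empty, no certificate will be uploaded")
    else:
        try:
            pem = base64.b64decode(compact, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            pem = b""
            problems.append(f"{target}: value is not valid base64")
        if pem and (PEM_BEGIN not in pem or PEM_END not in pem):
            problems.append(f"{target}: decoded value is not a PEM certificate")
    # Uploading alone does nothing: the configured CA path must point at the stored file.
    if not configured_path:
        problems.append(f"{target}: certificate uploaded but CA certificate path is empty, it will be ignored")
    elif resolve_path(configured_path) != resolve_path(path):
        problems.append(f"{target}: configured path {configured_path!r} != upload path {path!r}")
    return problems

def check_cloudformation_mappings(mappings):
    """Check the Mappings section of orchestrator-agent.yaml, loaded as a dict."""
    problems = []
    for target in ("Collector", "HttpProxy"):
        up, cfg = mappings["CACertificate"][target], mappings["Configuration"][target]
        problems += check_ca_upload(up["Type"], up["Value"], up["Path"], cfg.get("CACertificate", ""), target)
    return problems

def check_terraform_vars(ca_certificate, configuration, target):
    """Same check for the module's *_ca_certificate and *_configuration objects."""
    return check_ca_upload(ca_certificate["type"], ca_certificate["value"], ca_certificate["path"],
                           configuration.get("ca_certificate", ""), target)
```

Run the check against the template or module inputs before deploying: a certificate that is uploaded but whose CA path is left empty is stored and then silently never used, which this check reports.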