Add Custom CA Certificates
Upload Custom CA Certificates at Deployment Time
You can upload custom CA certificates to the Workload Agent during deployment by using the SYSDIG_EXTRA_FILES environment variable.
SYSDIG_EXTRA_FILES accepts JSON values in the following structure:
{
  "files": [
    {
      "path": "path/to/file",
      "encoding": "base64",
      "data": "base64-encoded-data"
    }
  ]
}
The JSON file contains an array of files that need to be uploaded to the Workload Agent.
Each file contains the following fields:
path: the path where the file will be stored in the Workload Agent container.
encoding: the encoding of the file. Currently, only base64 is supported.
data: the base64-encoded data of the file.
Example: Upload a CA Certificate
The following example shows how to upload a custom CA Certificate custom_ca.crt to the Workload Agent.
The file you are uploading will be base64 encoded and stored in the /etc/ssl directory.
Encode Your Custom File
Use any method to encode the file in base64. For example, in a Linux shell, run:
$ base64 custom_ca.crt
TXkgY3VzdG9tIENBIENlcnRpZmljYXRlCg==
The base64 output value shown here is an example. The actual value will be longer.
Set the SYSDIG_EXTRA_FILES Environment Variable
Now that you have the base64-encoded value, add the SYSDIG_EXTRA_FILES environment variable to the container running the agent and set it to the following JSON:
SYSDIG_EXTRA_FILES='{"files": [{"path": "/etc/ssl/custom_ca.crt", "encoding": "base64", "data": "TXkgY3VzdG9tIENBIENlcnRpZmljYXRlCg=="}]}'
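The two steps above can be combined. The following is an added example, not part of the Sysdig documentation; build_extra_files is a hypothetical helper name. It strips the line breaks that base64 inserts when encoding a real, longer certificate, because a raw newline inside the JSON string would make the value invalid.

```shell
#!/bin/sh
# Added example (not from the vendor documentation).
# build_extra_files is a hypothetical helper name.

# Print a SYSDIG_EXTRA_FILES JSON value for one file.
#   $1 = local file to upload, $2 = absolute destination path in the container
build_extra_files() {
    src=$1
    dest=$2
    [ -r "$src" ] || { echo "cannot read: $src" >&2; return 1; }
    case $dest in
        /*) ;;
        *) echo "destination must be an absolute path: $dest" >&2; return 1 ;;
    esac
    # The path is placed in the JSON unescaped, so refuse characters that
    # would need escaping instead of emitting broken JSON.
    case $dest in
        *\"*|*\\*) echo "unsupported character in path: $dest" >&2; return 1 ;;
    esac
    # Many base64 implementations wrap their output (GNU wraps at 76 columns).
    # A real certificate encodes to several lines, and a raw newline inside a
    # JSON string is invalid, so strip line breaks portably.
    data=$(base64 < "$src" | tr -d '\r\n')
    printf '{"files": [{"path": "%s", "encoding": "base64", "data": "%s"}]}\n' \
        "$dest" "$data"
}

# Constructed sample input: the placeholder text behind the page's example value.
sample=$(mktemp)
printf 'My custom CA Certificate\n' > "$sample"
SYSDIG_EXTRA_FILES=$(build_extra_files "$sample" /etc/ssl/custom_ca.crt)
rm -f "$sample"
printf "SYSDIG_EXTRA_FILES='%s'\n" "$SYSDIG_EXTRA_FILES"
```

The base64 alphabet contains no characters that need JSON escaping, so only the path has to be validated before it is placed in the value.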
Configure the Connection to the HTTP Proxy
Set the SYSDIG_EXTRA_CONF environment variable to configure the agent to use the custom CA certificates for HTTP Proxy connections.