Overview
This document outlines how to configure the Traceable Platform Agent (TPA) to use TLS.
Option #1: Helm
We allow you to bring your own certificates when deploying the TPA. You can provide them as a secret in the same namespace as the TPA deployment, or as files made available inside the container.
Make sure that all the fields are populated so they take effect. Otherwise the agent falls back to self-generated certificates, which is also the default.
tlsPrivateCertificatesAsFiles has the highest priority, followed by tlsPrivateCertificatesAsSecret.
The first line to add to values.yaml is:
tlsEnabled: true
This prevents any port other than 5443 from being exposed and forces TLS to be used.
Using external private certs stored in a secret looks like the following in the Helm values file:
tlsPrivateCertificatesAsSecret:
  secretName: ""
  # These filenames should be the keys in the secret.
  rootCAFileName: ""
  certFileName: ""
  keyFileName: ""
* Note: the secret should be in the same namespace as the TPA.
If you use private certs stored in files, values.yaml looks like the following:
tlsPrivateCertificatesAsFiles:
  # These filenames should be absolute file paths.
  rootCAFileName: ""
  certFileName: ""
  keyFileName: ""
Option #2: Terraform
This mirrors the k8s values.yaml, and the comments for the corresponding values in values.yaml above apply as well:
tls_enabled = true
tls_private_certificates_as_secret = {
  secret_name       = ""
  root_ca_file_name = ""
  cert_file_name    = ""
  key_file_name     = ""
}
tls_private_certificates_as_files = {
  root_ca_file_name = ""
  cert_file_name    = ""
  key_file_name     = ""
}
Option #3: Environment Variables
Most of this can also be configured with environment variables, with the caveat that tlsEnabled: true must still be set in values.yaml or agentconfig.yaml as described above.
The environment variables are:
- TA_ROOT_CA_FILE_NAME: root CA cert file path
- TA_CERT_FILE_NAME: cert file path
- TA_KEY_FILE_NAME: key file path
Java/Sidecar injector config
For our auto-injector agents (Java/sidecar proxy) you must also include an injector config when setting up TLS, like the following:
injector:
  caBundle: ""
caBundle is the base64-encoded contents of the root cert file. It is used to verify the cert that the injector presents to the mutating webhook configuration. When bringing your own certs, you need to pass in the base64-encoded root cert file contents.