Aembit provides the ability for you to use Agent Controller Transport Layer Security (TLS) certificates for secure Agent Proxy to Agent Controller communication in Kubernetes environments, and on Virtual Machine deployments, using Aembit’s PKI.
Configure Agent Controller TLS with Aembit’s PKI in Kubernetes
Section titled “Configure Agent Controller TLS with Aembit’s PKI in Kubernetes”If you have a Kubernetes deployment and would like to use Aembit’s PKI, there are two configuration options, described below.
Automatic TLS configuration
Section titled “Automatic TLS configuration”If you aren’t already using a custom PKI, install the latest Aembit Helm Chart. By default, Agent Controllers are automatically configured to accept TLS communication from Agent Proxy.
Preserve existing custom configuration
Section titled “Preserve existing custom configuration”If you have already configured a custom PKI-based Agent Controller TLS, no additional steps are necessary, as your configuration will be preserved.
Configure Aembit’s PKI-based Agent Controller for VM deployments
Section titled “Configure Aembit’s PKI-based Agent Controller for VM deployments”If you are using a Virtual Machine, Agent Controller will not know which hostname Agent Proxy should use to communicate with Agent Controller. This requires you to manually configure Agent Controller to enable TLS communication between Agent Proxy and Agent Controller.
Aembit Tenant configuration
Section titled “Aembit Tenant configuration”-
Log into your Aembit Tenant, and go to Edge Components -> Agent Controllers.
-
Select or create a new Agent Controller.
-
In Allowed TLS Hostname (Optional), enter the FQDN (Ex:
my-subdomain.my-domain.com), subdomain, or wildcard domain (Ex:*.example.com) to use for the Aembit Managed TLS certificate. -
Click Save.
Manual configuration
Section titled “Manual configuration”If you have not already configured Aembit’s PKI, perform the steps listed below.
-
Install Agent Controller on your Virtual Machine, and set the
AEMBIT_MANAGED_TLS_HOSTNAMEenvironment variable to the hostname that Agent Proxy uses to communicate with Agent Controller. When set, Agent Controller retrieves the certificate for the hostname from Aembit Cloud, enabling TLS communication between Agent Proxy and Agent Controller. -
Configure Agent Proxy’s Virtual Machines to trust the Aembit Tenant Root Certificate Authority (CA).
Confirming TLS Status
Section titled “Confirming TLS Status”When you have configured Agent Controller TLS, you can verify the status of Agent Controller TLS by performing the following steps:
-
Log into your Aembit tenant.
-
Click on the Edge Components link in the left navigation pane. You are directed to the Edge Components dashboard.
-
By default, the Agent Controllers tab is selected. You should see a list of your configured Agent Controllers.
-
Verify TLS is active by confirming color status button in the TLS column for the Agent Controller.
Agent Controller TLS Support Matrix
Section titled “Agent Controller TLS Support Matrix”The table below lists the various Agent Controller TLS deployment models, denoting whether the configuration process is manual or automatic.
| Agent Controller Deployment Model | Customer Based PKI | Aembit Based PKI |
|---|---|---|
| Kubernetes | Manual | Automatic |
| Virtual Machine | Manual | Manual |
| ECS | Not Supported | Automatic |
Automatic TLS Certificate Rotation
Section titled “Automatic TLS Certificate Rotation”Aembit-managed certificates are automatically rotated by the Agent Controller, with no manual steps or extra configuration required.