
How to configure a Customer's PKI-based Agent Controller TLS

Aembit lets you use your own PKI-based Transport Layer Security (TLS) to secure Agent Proxy to Agent Controller communication, both in Kubernetes environments and on virtual machine deployments.

Prerequisites

  • Access to a Certificate Authority such as HashiCorp Vault or Microsoft Active Directory Certification Authority.

  • A TLS PEM Certificate and Key file pair that you configure for the hostname of an Agent Controller.

    • On Kubernetes, the hostname has the format aembit-agent-controller.<namespace>.svc.cluster.local, where <namespace> is the namespace into which you installed the Aembit Helm chart.

    • On virtual machines, the hostname depends on your network and DNS configuration. Use the FQDN or PQDN hostname that Agent Proxy instances use to reach Agent Controller.

  • The TLS PEM Certificate file should contain both the Agent Controller certificate and chain to the Root CA.

  • Agent Proxy doesn't support self-signed certificates to communicate with Agent Controller over TLS.

Kubernetes environment configuration

The Aembit Agent Controller requires that the TLS certificate and key be available in a Kubernetes TLS Secret, so completing this configuration takes two steps.

  1. Create a Kubernetes TLS Secret using the kubectl create secret tls command or a similar method. For example:

    kubectl create secret tls NAME --cert=path/to/cert/file --key=path/to/key/file

  2. In the Aembit Helm chart installation file, set the agentController.tls.secretName value to the name of the Secret created in step 1.

note

Both prior steps assume that you previously installed the TLS Secret and Aembit Helm chart into the same namespace.

If you don't have your own CA, consider using Kubernetes cert-manager to create and maintain certificates and keys in your Kubernetes environment.
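As an added preflight example (not part of Aembit's documentation or tooling), the following POSIX shell functions check a PEM/key pair against the prerequisites above before creating the Secret from step 1. They assume openssl and kubectl are on the PATH; the function names and the Secret name are illustrative.

```shell
#!/bin/sh
# Preflight checks for an Agent Controller TLS PEM/key pair (added example).

# check_controller_tls PEM KEY HOSTNAME
# Returns 0 when PEM holds the leaf certificate followed by its chain to a root CA,
# the leaf is not self-signed, the chain validates for HOSTNAME, and KEY is the
# private key for the leaf. Prints the reason for the first failing check.
check_controller_tls() {
  pem=$1 key=$2 host=$3
  tmp=$(mktemp -d) || return 1
  # Split the bundle: the first certificate is the leaf, the rest is the chain.
  awk '/BEGIN CERTIFICATE/{n++} n==1' "$pem" > "$tmp/leaf.pem"
  awk '/BEGIN CERTIFICATE/{n++} n>1'  "$pem" > "$tmp/chain.pem"
  rc=1
  if ! grep -q 'BEGIN CERTIFICATE' "$tmp/chain.pem"; then
    echo "FAIL: $pem has no CA chain after the leaf certificate" >&2
  elif [ "$(openssl x509 -in "$tmp/leaf.pem" -noout -subject_hash)" = \
         "$(openssl x509 -in "$tmp/leaf.pem" -noout -issuer_hash)" ]; then
    echo "FAIL: leaf certificate is self-signed; Agent Proxy will not accept it" >&2
  elif ! openssl verify -CAfile "$tmp/chain.pem" -verify_hostname "$host" \
         "$tmp/leaf.pem" >/dev/null 2>&1; then
    echo "FAIL: leaf does not chain to the CA in $pem or lacks SAN $host" >&2
  elif [ "$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
    echo "FAIL: $key is not the private key for the leaf certificate" >&2
  else
    rc=0
  fi
  rm -rf "$tmp"
  return $rc
}

# create_controller_tls_secret NAME NAMESPACE PEM KEY
# Runs the checks against the in-cluster Agent Controller hostname, then creates
# the TLS Secret that agentController.tls.secretName should point at.
create_controller_tls_secret() {
  host="aembit-agent-controller.$2.svc.cluster.local"
  check_controller_tls "$3" "$4" "$host" || return 1
  kubectl -n "$2" create secret tls "$1" --cert="$3" --key="$4"
}
```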

Virtual machine environment configuration

When you install Agent Controller on a virtual machine, there are two installation environment variables you must specify:

  • TLS_PEM_PATH

  • TLS_KEY_PATH

For example, when installing Agent Controller using the command line, you could specify those environment variables like this:

sudo TLS_PEM_PATH=/path/to/tls.crt TLS_KEY_PATH=/path/to/tls.key AEMBIT_TENANT_ID=tenant AEMBIT_AGENT_CONTROLLER_ID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee ./install