Using Aembit’s PKI for Agent Controller TLS certificates enables you to have secure Agent-Proxy-to-Agent-Controller communication in Kubernetes environments and on Virtual Machine deployments.
Configure Agent Controller TLS with Aembit’s PKI in Kubernetes
Section titled “Configure Agent Controller TLS with Aembit’s PKI in Kubernetes”If you have a Kubernetes deployment and would like to use Aembit’s PKI, there are two configuration options.
Automatic TLS configuration
Section titled “Automatic TLS configuration”If you aren’t already using a custom PKI, install the latest Aembit Helm Chart. By default, Agent Controllers are automatically configured to accept TLS communication from Agent Proxy.
Preserve existing custom configuration
Section titled “Preserve existing custom configuration”If you have already configured custom PKI-based Agent Controller TLS, no additional steps are necessary, as Aembit preserves your configuration.
Configure Aembit’s PKI-based Agent Controller for VM deployments
Section titled “Configure Aembit’s PKI-based Agent Controller for VM deployments”If you are using a Virtual Machine, Agent Controller won’t know which hostname Agent Proxy should use to communicate with Agent Controller. This requires you to manually configure Agent Controller to enable TLS communication between Agent Proxy and Agent Controller.
Aembit Tenant configuration
Section titled “Aembit Tenant configuration”-
Log into your Aembit Tenant, and go to Edge Components -> Agent Controllers.
-
Select or create a new Agent Controller.
-
In Allowed TLS Hostname (Optional), enter the FQDN (Ex:
my-subdomain.my-domain.com), subdomain, or wildcard domain (Ex:*.example.com) to use for the Aembit Managed TLS certificate. -
Click Save.
Manual configuration
Section titled “Manual configuration”If you haven’t already configured Aembit’s PKI, perform the these steps:
-
Install Agent Controller on your Virtual Machine, and set the
AEMBIT_MANAGED_TLS_HOSTNAMEenvironment variable to the hostname that Agent Proxy uses to communicate with Agent Controller. When set, Agent Controller retrieves the certificate for the hostname from Aembit Cloud, enabling TLS communication between Agent Proxy and Agent Controller. -
Configure Agent Proxy’s Virtual Machines to trust the Aembit Tenant Root Certificate Authority (CA).
Confirming TLS status
Section titled “Confirming TLS status”When you have configured Agent Controller TLS, you can verify the status of Agent Controller TLS by performing the following steps:
-
Log into your Aembit Tenant.
-
Click on the Edge Components link in the left sidebar. Aembit displays the Edge Components dashboard.
-
Aembit displays the Agent Controllers tab. You should see a list of your configured Agent Controllers.
-
Verify TLS is active by confirming color status button in the TLS column for the Agent Controller.
Agent Controller TLS support matrix
Section titled “Agent Controller TLS support matrix”The following table lists the different Agent Controller TLS deployment models, denoting whether the configuration process is manual or automatic.
| Agent Controller Deployment Model | Customer Based PKI | Aembit Based PKI |
|---|---|---|
| Kubernetes | Manual | Automatic |
| Virtual Machine | Manual | Manual |
| ECS | Not Supported | Automatic |
Automatic TLS certificate rotation
Section titled “Automatic TLS certificate rotation”Aembit-managed certificates are automatically rotated by the Agent Controller, with no manual steps or extra configuration required.