Using Mutual TLS for Extensions
For stronger security, the communication between the agent and extensions can be secured using mutual TLS.
You need to configure a client certificate at the agent that will be used to communicate with the extensions. And also a server certificate and client CAs at the extension to verify the client certificate.
Configuring a Client Certificate for Agent
Using a Secret
In case the client certificate is stored in a secret, you can directly reference it:
agent.extensions.tls.clientCertificate.fromSecret=some-client-secret
Using a Container path
If you put the client certificate into the container some other way, use this option to tell the agent where to find it:
agent.extensions.clientCertificate.path=/some/client.crt
agent.extensions.clientCertificate.key.path=/some/client.key
Password Protected Private Keys
In case the private key is password protected, you can specify it as well:
Using a Value
agent.extensions.tls.clientCertificate.key.password.value=password123
Using a Secret
agent.extensions.tls.clientCertificate.key.password.valueFrom.secretKeyRef.name=some-secret
agent.extensions.tls.clientCertificate.key.password.valueFrom.secretKeyRef.key=some-key
Additional Certificate Authorities
In case the extension uses custom CAs that are not known to the agent, you can add them as well:
Using a Volume Mount
The volume in this sample refers to a config map, but any other volume config would work as well.
agent.extraCertificates.fromVolume=extra-certs
agent.extraVolumes[0].name=extra-certs
agent.extraVolumes[0].configMap.name=self-signed-ca
Using Container Path
If you put the extra CAs into the container another way, you can specify the path to it:
agent.extraCertificates.fromVolume=extra-certs
If you have successfully configured the client certificate for the agent, the log should contain similar output to this:
Requiring Client Certificates in Extensions
The steadybit-agent helm charts include all extensions provided by Steadybit using a extension-* prefix. This sample is for extension-container, the options shown here apply to the other extensions as well. And in case you use the extensions helm chart directly, you need to strip the prefix from the examples.
For the extension to require client certificates, you need to configure both the server certificate and allowed client certificates. If you only specify a server certificate, TLS is used, but client certificates are not mandatory.
Server Certificate
Using a Secret
In case the server certificate is stored in a secret, you can directly reference it:
extension-container.tls.server.certificate.fromSecret=some-server-secret
Using a Container Path
If you put the server certificate into the container some other way, use this option to tell the agent where to find it:
extension-container.tls.server.certificate.path=/some/server.crt
extension-container.tls.server.certificate.key.path=/some/server.key
Client Certificates
Using Secrets
In case the client certificates are stored in secrets, you can directly reference them:
extension-container.tls.client.certificates.fromSecrets[0]=some-secret-1
extension-container.tls.client.certificates.fromSecrets[1]=some-secret-2
using Container Path
If you put the client certificates into the container some other way, use this option to tell the agent where to find them:
extension-container.tls.client.certificates.paths[0]=/some/client.crt
extension-container.tls.client.certificates.paths[1]=/some/clients/
If you have successfully configured the server certificate and the allowed client certificates for an extension, the log should contain similar output to this:
Last updated