STAC-20078: Document alternative certificates for the agent #1424
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
|
||
| # Certificates for request tracing sidecar injection | ||
|
|
||
| The [sidecar injection mechanism](/setup/agent/k8sTs-agent-request-tracing.md#enabling-the-trace-header-injection-sidecar), which gets enabled when using `--set httpHeaderInjectorWebhook.enabled=true` when installing the agent, creates a self-signed certificate and uses `ClusterRoles` to get itself secured. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Agent' instead of 'agent'.
|
|
||
| # Certificates for request tracing sidecar injection | ||
|
|
||
| The [sidecar injection mechanism](/setup/agent/k8sTs-agent-request-tracing.md#enabling-the-trace-header-injection-sidecar), which gets enabled when using `--set httpHeaderInjectorWebhook.enabled=true` when installing the agent, creates a self-signed certificate and uses `ClusterRoles` to get itself secured. |
There was a problem hiding this comment.
[Microsoft.Terms] Prefer 'personal digital assistant' over 'agent'.
|
|
||
| The [sidecar injection mechanism](/setup/agent/k8sTs-agent-request-tracing.md#enabling-the-trace-header-injection-sidecar), which gets enabled when using `--set httpHeaderInjectorWebhook.enabled=true` when installing the agent, creates a self-signed certificate and uses `ClusterRoles` to get itself secured. | ||
|
|
||
| If for security reasons `ClusteRoles` are disallowed, or certificate management is already in place, there are alternative ways to provide a certificate: |
There was a problem hiding this comment.
📝 [vale] reported by reviewdog 🐶
[Microsoft.ComplexWords] Consider using 'give' or 'offer' instead of 'provide'.
| If for security reasons `ClusteRoles` are disallowed, or certificate management is already in place, there are alternative ways to provide a certificate: | ||
|
|
||
| 1. Generate a self-signed certificate [locally](#generate-a-certificate-locally). | ||
| 1. Use the k8s [cert-manager](https://cert-manager.io/) (if it already on the cluster) [with a `ClusterIssuer`](#generate-a-certificate-using-the-cert-manager). |
There was a problem hiding this comment.
📝 [vale] reported by reviewdog 🐶
[StackState.AvoidThis] Use'Kubernetes' instead of 'k8s'.
| ./generate_ca_cert.sh <helm-agent-release-name> <helm-agent-namespace> | ||
| ``` | ||
| Be sure to use the release name that will be used in the helm command and the namespace, otherwise the certificate will be invalid. | ||
| 2. Install the agent adding the additional configuration by adding `--set httpHeaderInjectorWebhook.enabled=true -f tls_values.yaml` to the helm invocation command |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Agent' instead of 'agent'.
|
|
||
| ## Generate a certificate using the cert-manager | ||
|
|
||
| If your cluster has the [cert-manager](https://cert-manager.io/) installed, and a `ClusterIssuer` configured, it is possible to use the certificate issued by the `ClusterIssuer` in the agent for the sidecar injector. To do this, add the following command line arguments to install the agent: `--set httpHeaderInjectorWebhook.enabled=true --set-string httpHeaderInjectorWebhook.webhook.tls.mode="cert-manager --set-string httpHeaderInjectorWebhook.webhook.tls.certManager.issuer="<my-cluster-issuer>"`. Be sure to replace my-cluster-issuer with the name of the issuer in your cluster. |
There was a problem hiding this comment.
[Microsoft.Terms] Prefer 'personal digital assistant' over 'agent'.
|
|
||
| ## Generate a certificate using the cert-manager | ||
|
|
||
| If your cluster has the [cert-manager](https://cert-manager.io/) installed, and a `ClusterIssuer` configured, it is possible to use the certificate issued by the `ClusterIssuer` in the agent for the sidecar injector. To do this, add the following command line arguments to install the agent: `--set httpHeaderInjectorWebhook.enabled=true --set-string httpHeaderInjectorWebhook.webhook.tls.mode="cert-manager --set-string httpHeaderInjectorWebhook.webhook.tls.certManager.issuer="<my-cluster-issuer>"`. Be sure to replace my-cluster-issuer with the name of the issuer in your cluster. |
There was a problem hiding this comment.
[Microsoft.FirstPerson] Use first person (such as 'my') sparingly.
| @@ -20,7 +20,7 @@ It's also possible to add the `X-Request-Id` header if your application [already | |||
|
|
|||
| Enabling trace header injection is a two-step process: | |||
|
|
|||
| 1. Install the mutating webhook into the cluster by adding `--set httpHeaderInjectorWebhook.enabled=true` to the helm upgrade invocation when installing the StackState agent | |||
| 1. Install the mutating webhook into the cluster by adding `--set httpHeaderInjectorWebhook.enabled=true` to the helm upgrade invocation when installing the StackState agent. By default the sidecar injector generates its own self-signed certificate, requiring cluster roles to install these into the cluster. It is also possible to [manage your own certificates](/setup/agent/k8sTs-agent-request-tracing-certificates.md) in a more restricted environment. | |||
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Agent' instead of 'agent'.
| @@ -20,7 +20,7 @@ It's also possible to add the `X-Request-Id` header if your application [already | |||
|
|
|||
| Enabling trace header injection is a two-step process: | |||
|
|
|||
| 1. Install the mutating webhook into the cluster by adding `--set httpHeaderInjectorWebhook.enabled=true` to the helm upgrade invocation when installing the StackState agent | |||
| 1. Install the mutating webhook into the cluster by adding `--set httpHeaderInjectorWebhook.enabled=true` to the helm upgrade invocation when installing the StackState agent. By default the sidecar injector generates its own self-signed certificate, requiring cluster roles to install these into the cluster. It is also possible to [manage your own certificates](/setup/agent/k8sTs-agent-request-tracing-certificates.md) in a more restricted environment. | |||
There was a problem hiding this comment.
[Microsoft.Terms] Prefer 'personal digital assistant' over 'agent'.
| @@ -20,7 +20,7 @@ It's also possible to add the `X-Request-Id` header if your application [already | |||
|
|
|||
| Enabling trace header injection is a two-step process: | |||
|
|
|||
| 1. Install the mutating webhook into the cluster by adding `--set httpHeaderInjectorWebhook.enabled=true` to the helm upgrade invocation when installing the StackState agent | |||
| 1. Install the mutating webhook into the cluster by adding `--set httpHeaderInjectorWebhook.enabled=true` to the helm upgrade invocation when installing the StackState agent. By default the sidecar injector generates its own self-signed certificate, requiring cluster roles to install these into the cluster. It is also possible to [manage your own certificates](/setup/agent/k8sTs-agent-request-tracing-certificates.md) in a more restricted environment. | |||
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Microsoft.Contractions] Use 'it's' instead of 'It is'.
hierynomus
requested changes
Aug 25, 2023
|
|
||
| # Certificates for request tracing sidecar injection | ||
|
|
||
| The [sidecar injection mechanism](/setup/agent/k8sTs-agent-request-tracing.md#enabling-the-trace-header-injection-sidecar), which gets enabled when using `--set httpHeaderInjectorWebhook.enabled=true` when installing the agent, creates a self-signed certificate and uses a `ClusterRole` which grants write access to `Secret` and `MutatingWebhookConfiguration` objects in the Kubernetes cluster. |
There was a problem hiding this comment.
📝 [vale] reported by reviewdog 🐶
[Microsoft.SentenceLength] Try to keep sentences short (< 30 words).
|
|
||
| # Certificates for request tracing sidecar injection | ||
|
|
||
| The [sidecar injection mechanism](/setup/agent/k8sTs-agent-request-tracing.md#enabling-the-trace-header-injection-sidecar), which gets enabled when using `--set httpHeaderInjectorWebhook.enabled=true` when installing the agent, creates a self-signed certificate and uses a `ClusterRole` which grants write access to `Secret` and `MutatingWebhookConfiguration` objects in the Kubernetes cluster. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Agent' instead of 'agent'.
|
|
||
| # Certificates for request tracing sidecar injection | ||
|
|
||
| The [sidecar injection mechanism](/setup/agent/k8sTs-agent-request-tracing.md#enabling-the-trace-header-injection-sidecar), which gets enabled when using `--set httpHeaderInjectorWebhook.enabled=true` when installing the agent, creates a self-signed certificate and uses a `ClusterRole` which grants write access to `Secret` and `MutatingWebhookConfiguration` objects in the Kubernetes cluster. |
There was a problem hiding this comment.
[Microsoft.Terms] Prefer 'personal digital assistant' over 'agent'.
|
|
||
| The [sidecar injection mechanism](/setup/agent/k8sTs-agent-request-tracing.md#enabling-the-trace-header-injection-sidecar), which gets enabled when using `--set httpHeaderInjectorWebhook.enabled=true` when installing the agent, creates a self-signed certificate and uses a `ClusterRole` which grants write access to `Secret` and `MutatingWebhookConfiguration` objects in the Kubernetes cluster. | ||
|
|
||
| If for security purposes it is undesirable to create `ClusterRoles` which grant cluster-wide write rights, or there are alternative ways to provide a certificate: |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Microsoft.Contractions] Use 'it's' instead of 'it is'.
|
|
||
| The [sidecar injection mechanism](/setup/agent/k8sTs-agent-request-tracing.md#enabling-the-trace-header-injection-sidecar), which gets enabled when using `--set httpHeaderInjectorWebhook.enabled=true` when installing the agent, creates a self-signed certificate and uses a `ClusterRole` which grants write access to `Secret` and `MutatingWebhookConfiguration` objects in the Kubernetes cluster. | ||
|
|
||
| If for security purposes it is undesirable to create `ClusterRoles` which grant cluster-wide write rights, or there are alternative ways to provide a certificate: |
There was a problem hiding this comment.
📝 [vale] reported by reviewdog 🐶
[Microsoft.ComplexWords] Consider using 'give' or 'offer' instead of 'provide'.
|
|
||
| ## Generate a certificate using the cert-manager | ||
|
|
||
| If your cluster has the [cert-manager](https://cert-manager.io/) installed, and a `ClusterIssuer` configured, it is possible to use the certificate issued by the `ClusterIssuer` in the agent for the sidecar injector. To do this, add the following command line arguments to install the agent: `--set httpHeaderInjectorWebhook.enabled=true --set-string httpHeaderInjectorWebhook.webhook.tls.mode="cert-manager" --set-string httpHeaderInjectorWebhook.webhook.tls.certManager.issuer="<my-cluster-issuer>"`. Be sure to replace my-cluster-issuer with the name of the issuer in your cluster. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Agent' instead of 'agent'.
|
|
||
| ## Generate a certificate using the cert-manager | ||
|
|
||
| If your cluster has the [cert-manager](https://cert-manager.io/) installed, and a `ClusterIssuer` configured, it is possible to use the certificate issued by the `ClusterIssuer` in the agent for the sidecar injector. To do this, add the following command line arguments to install the agent: `--set httpHeaderInjectorWebhook.enabled=true --set-string httpHeaderInjectorWebhook.webhook.tls.mode="cert-manager" --set-string httpHeaderInjectorWebhook.webhook.tls.certManager.issuer="<my-cluster-issuer>"`. Be sure to replace my-cluster-issuer with the name of the issuer in your cluster. |
There was a problem hiding this comment.
[Microsoft.Terms] Prefer 'personal digital assistant' over 'agent'.
|
|
||
| ## Generate a certificate using the cert-manager | ||
|
|
||
| If your cluster has the [cert-manager](https://cert-manager.io/) installed, and a `ClusterIssuer` configured, it is possible to use the certificate issued by the `ClusterIssuer` in the agent for the sidecar injector. To do this, add the following command line arguments to install the agent: `--set httpHeaderInjectorWebhook.enabled=true --set-string httpHeaderInjectorWebhook.webhook.tls.mode="cert-manager" --set-string httpHeaderInjectorWebhook.webhook.tls.certManager.issuer="<my-cluster-issuer>"`. Be sure to replace my-cluster-issuer with the name of the issuer in your cluster. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Agent' instead of 'agent'.
|
|
||
| ## Generate a certificate using the cert-manager | ||
|
|
||
| If your cluster has the [cert-manager](https://cert-manager.io/) installed, and a `ClusterIssuer` configured, it is possible to use the certificate issued by the `ClusterIssuer` in the agent for the sidecar injector. To do this, add the following command line arguments to install the agent: `--set httpHeaderInjectorWebhook.enabled=true --set-string httpHeaderInjectorWebhook.webhook.tls.mode="cert-manager" --set-string httpHeaderInjectorWebhook.webhook.tls.certManager.issuer="<my-cluster-issuer>"`. Be sure to replace my-cluster-issuer with the name of the issuer in your cluster. |
There was a problem hiding this comment.
[Microsoft.Terms] Prefer 'personal digital assistant' over 'agent'.
|
|
||
| ## Generate a certificate using the cert-manager | ||
|
|
||
| If your cluster has the [cert-manager](https://cert-manager.io/) installed, and a `ClusterIssuer` configured, it is possible to use the certificate issued by the `ClusterIssuer` in the agent for the sidecar injector. To do this, add the following command line arguments to install the agent: `--set httpHeaderInjectorWebhook.enabled=true --set-string httpHeaderInjectorWebhook.webhook.tls.mode="cert-manager" --set-string httpHeaderInjectorWebhook.webhook.tls.certManager.issuer="<my-cluster-issuer>"`. Be sure to replace my-cluster-issuer with the name of the issuer in your cluster. |
There was a problem hiding this comment.
[Microsoft.FirstPerson] Use first person (such as 'my') sparingly.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.