STAC-20078: Document alternative certificates for the agent #1424
Conversation
# Certificates for request tracing sidecar injection | ||
The [sidecar injection mechanism](/setup/agent/k8sTs-agent-request-tracing.md#enabling-the-trace-header-injection-sidecar), which gets enabled when using `--set httpHeaderInjectorWebhook.enabled=true` when installing the agent, creates a self-signed certificate and uses `ClusterRoles` to get itself secured. |
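Review bot: "uses `ClusterRoles` to get itself secured" is too vague for the one security-relevant claim in this paragraph; a reader deciding whether the default is acceptable in their cluster needs to know what the role grants. Spell out the privilege, as the revised intro later in this PR does: "creates a self-signed certificate and uses a `ClusterRole` that grants write access to `Secret` and `MutatingWebhookConfiguration` objects" (presumably to store the generated key pair and to publish the CA bundle to the webhook configuration). If the chart creates a single role, use the singular `ClusterRole`.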
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Agent' instead of 'agent'.
[Microsoft.Terms] Prefer 'personal digital assistant' over 'agent'.
If for security reasons `ClusteRoles` are disallowed, or certificate management is already in place, there are alternative ways to provide a certificate: |
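Review bot: typo, `ClusteRoles` should be `ClusterRoles`. Beyond that, "for security reasons `ClusterRoles` are disallowed" does not say what is objectionable; tie the condition to the privilege itself so the reader can match it against their own policy, e.g. "If creating a `ClusterRole` with cluster-wide write access to `Secret` and `MutatingWebhookConfiguration` objects is not acceptable, or certificate management is already in place, there are alternative ways to provide a certificate:".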
📝 [vale] reported by reviewdog 🐶
[Microsoft.ComplexWords] Consider using 'give' or 'offer' instead of 'provide'.
1. Generate a self-signed certificate [locally](#generate-a-certificate-locally). | ||
1. Use the k8s [cert-manager](https://cert-manager.io/) (if it already on the cluster) [with a `ClusterIssuer`](#generate-a-certificate-using-the-cert-manager). |
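Review bot: the second item is missing a verb: "if it already on the cluster" should read "if it is already on the cluster"; and "k8s" should be spelled out as "Kubernetes" (the style check flags the same). The two options are presented as interchangeable, but they differ in where the private key lives: the local option, judging by the `tls_values.yaml` step below, hands a locally generated key to the chart via values, while cert-manager keeps issuance and renewal inside the cluster. One sentence on when to prefer each would save readers from picking the local path by default.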
📝 [vale] reported by reviewdog 🐶
[StackState.AvoidThis] Use 'Kubernetes' instead of 'k8s'.
./generate_ca_cert.sh <helm-agent-release-name> <helm-agent-namespace> | ||
``` | ||
Be sure to use the release name that will be used in the helm command and the namespace, otherwise the certificate will be invalid. | ||
2. Install the agent adding the additional configuration by adding `--set httpHeaderInjectorWebhook.enabled=true -f tls_values.yaml` to the helm invocation command |
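Review bot: the text says a mismatched release name or namespace makes the certificate "invalid" but not why, so readers cannot diagnose it. Presumably the script builds the certificate's subject alternative name from the webhook service name derived from those two values; if so, say that, and say what the symptom is (the API server's TLS connection to the webhook fails verification, so the sidecar is not injected). Two things are missing from this procedure: the `tls_values.yaml` written by `generate_ca_cert.sh` contains the private key and should be handled as a secret and kept out of version control; and nothing states the validity period of the locally generated certificate or how to rotate it before it expires, which the cert-manager path handles automatically. Minor: `helm` as the product name should be `Helm`.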
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Agent' instead of 'agent'.
## Generate a certificate using the cert-manager | ||
If your cluster has the [cert-manager](https://cert-manager.io/) installed, and a `ClusterIssuer` configured, it is possible to use the certificate issued by the `ClusterIssuer` in the agent for the sidecar injector. To do this, add the following command line arguments to install the agent: `--set httpHeaderInjectorWebhook.enabled=true --set-string httpHeaderInjectorWebhook.webhook.tls.mode="cert-manager --set-string httpHeaderInjectorWebhook.webhook.tls.certManager.issuer="<my-cluster-issuer>"`. Be sure to replace my-cluster-issuer with the name of the issuer in your cluster. |
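Review bot: the command has an unbalanced quote. `httpHeaderInjectorWebhook.webhook.tls.mode="cert-manager --set-string …` is missing the closing `"` after `cert-manager`, so a shell would take everything up to the next `"` as the value of `tls.mode`, and the issuer setting would never reach Helm. It should read `--set-string httpHeaderInjectorWebhook.webhook.tls.mode="cert-manager"`. Also put `my-cluster-issuer` in backticks in the prose so it visibly matches the placeholder in the command.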
[Microsoft.Terms] Prefer 'personal digital assistant' over 'agent'.
[Microsoft.FirstPerson] Use first person (such as 'my') sparingly.
@@ -20,7 +20,7 @@ It's also possible to add the `X-Request-Id` header if your application [already | |||
Enabling trace header injection is a two-step process: | |||
1. Install the mutating webhook into the cluster by adding `--set httpHeaderInjectorWebhook.enabled=true` to the helm upgrade invocation when installing the StackState agent | |||
1. Install the mutating webhook into the cluster by adding `--set httpHeaderInjectorWebhook.enabled=true` to the helm upgrade invocation when installing the StackState agent. By default the sidecar injector generates its own self-signed certificate, requiring cluster roles to install these into the cluster. It is also possible to [manage your own certificates](/setup/agent/k8sTs-agent-request-tracing-certificates.md) in a more restricted environment. |
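Review bot: "requiring cluster roles to install these into the cluster" still leaves the reader guessing what the roles allow, and this is the sentence that decides whether someone follows the link. Name the privilege here, as the linked certificates page does: write access to `Secret` and `MutatingWebhookConfiguration` objects. Then a reader in a restricted cluster knows immediately that the default does not apply to them, instead of discovering it after the install fails on RBAC.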
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Agent' instead of 'agent'.
[Microsoft.Terms] Prefer 'personal digital assistant' over 'agent'.
🚫 [vale] reported by reviewdog 🐶
[Microsoft.Contractions] Use 'it's' instead of 'It is'.
# Certificates for request tracing sidecar injection | ||
The [sidecar injection mechanism](/setup/agent/k8sTs-agent-request-tracing.md#enabling-the-trace-header-injection-sidecar), which gets enabled when using `--set httpHeaderInjectorWebhook.enabled=true` when installing the agent, creates a self-signed certificate and uses a `ClusterRole` which grants write access to `Secret` and `MutatingWebhookConfiguration` objects in the Kubernetes cluster. |
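Review bot: this sentence does three jobs (how the mechanism is enabled, what it creates, what it needs) in one breath; split it into one sentence on enabling and one on the self-signed certificate and the `ClusterRole`. On precision: a `ClusterRole` grants nothing on its own until it is bound to a subject. If the chart also creates a `ClusterRoleBinding` for the injector's service account, say so, because that binding is what a cluster administrator reviewing the privilege will look for.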
📝 [vale] reported by reviewdog 🐶
[Microsoft.SentenceLength] Try to keep sentences short (< 30 words).
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Agent' instead of 'agent'.
[Microsoft.Terms] Prefer 'personal digital assistant' over 'agent'.
If for security purposes it is undesirable to create `ClusterRoles` which grant cluster-wide write rights, or there are alternative ways to provide a certificate: |
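Review bot: the sentence is broken: "or there are alternative ways to provide a certificate:" has a dangling "or" and no second condition. The earlier version of this line read "or certificate management is already in place", which was lost in the rewrite. Restore it: "If for security purposes it is undesirable to create `ClusterRoles` which grant cluster-wide write rights, or certificate management is already in place, there are alternative ways to provide a certificate:".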
🚫 [vale] reported by reviewdog 🐶
[Microsoft.Contractions] Use 'it's' instead of 'it is'.
📝 [vale] reported by reviewdog 🐶
[Microsoft.ComplexWords] Consider using 'give' or 'offer' instead of 'provide'.
## Generate a certificate using the cert-manager | ||
If your cluster has the [cert-manager](https://cert-manager.io/) installed, and a `ClusterIssuer` configured, it is possible to use the certificate issued by the `ClusterIssuer` in the agent for the sidecar injector. To do this, add the following command line arguments to install the agent: `--set httpHeaderInjectorWebhook.enabled=true --set-string httpHeaderInjectorWebhook.webhook.tls.mode="cert-manager" --set-string httpHeaderInjectorWebhook.webhook.tls.certManager.issuer="<my-cluster-issuer>"`. Be sure to replace my-cluster-issuer with the name of the issuer in your cluster. |
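Review bot: the quoting is fixed here, but the section never answers the question the page raises. The motivation for this mode is avoiding a `ClusterRole` with cluster-wide write rights, yet the text does not say whether `cert-manager` mode actually drops that role: the issued CA still has to end up in the `MutatingWebhookConfiguration`'s `caBundle`, and something has to write it. State explicitly which RBAC objects the chart creates in this mode. One caveat worth a sentence: the `ClusterIssuer` must be able to issue a serving certificate for the webhook service's in-cluster DNS name, so an issuer set up for public ACME names will not work; readers should point this at an internal CA issuer.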
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Agent' instead of 'agent'.
[Microsoft.Terms] Prefer 'personal digital assistant' over 'agent'.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Agent' instead of 'agent'.
[Microsoft.Terms] Prefer 'personal digital assistant' over 'agent'.
[Microsoft.FirstPerson] Use first person (such as 'my') sparingly.