Certificates for sidecar injection

SUSE Observability

The sidecar injection mechanism, which gets enabled when using --set httpHeaderInjectorWebhook.enabled=true when installing the agent, creates a self-signed certificate and uses a ClusterRole which grants write access to Secret and MutatingWebhookConfiguration objects in the Kubernetes cluster.

If for security purposes it is undesirable to create ClusterRoles which grant cluster-wide write rights, or there are alternative ways to provide a certificate:

  1. Generate a self-signed certificate locally.

  2. Use the k8s cert-manager (if it already on the cluster) with a ClusterIssuer.

Generate a certificate locally

To generate a certificate locally, take the following steps:

  1. Download the certificate generation script and run it to produce a helm values (tls_values.yaml) file with the right certificate:

wget https://raw.githubusercontent.com/StackVista/http-header-injector/main/scripts/generate_ca_cert.sh
chmod +x generate_ca_cert.sh
./generate_ca_cert.sh <helm-agent-release-name> <helm-agent-namespace>

Be sure to use the release name that will be used in the helm command and the namespace, otherwise the certificate will be invalid. 2. Install the agent adding the additional configuration by adding --set httpHeaderInjectorWebhook.enabled=true -f tls_values.yaml to the helm invocation command

Generate a certificate using the cert-manager

If your cluster has the cert-manager installed, and a ClusterIssuer configured, it is possible to use the certificate issued by the ClusterIssuer in the agent for the sidecar injector. To do this, add the following command line arguments to install the agent: --set httpHeaderInjectorWebhook.enabled=true --set-string httpHeaderInjectorWebhook.webhook.tls.mode="cert-manager" --set-string httpHeaderInjectorWebhook.webhook.tls.certManager.issuer="<my-cluster-issuer>". Be sure to replace my-cluster-issuer with the name of the issuer in your cluster.

Last updated