FlexNet Manager Suite 2024 R1 (On-Premises)

When the inventory beacon identified for communication with the Flexera Kubernetes Inventory Agent is configured for the HTTPS protocol, communications are secured with certificates. The inventory beacon presents its certificate, and the Flexera Kubernetes Inventory Agent validates that certificate by checking the Certificate Authority (CA) that issued it against its own local copy of the CA's certificate. In the common case that the CA is one of the industry-standard major authorities, such as DigiCert, the Flexera Kubernetes Inventory Agent already has the standard CA certificate bundle included in the Ubuntu operating system that forms the agent's base. However, if your enterprise chooses to use internal certificates, or to use certificates issued by a CA that is not included in the standard bundle, the Flexera Kubernetes Inventory Agent must be supplied with the CA certificate(s) needed to verify the security certificate presented by the inventory beacon.

Internally, the Flexera Kubernetes Inventory Agent relies on components of the standard FlexNet Inventory Agent for all interactions with the inventory beacon. This means that the CA certificates must be configured in the same way as they are for third-party deployments of the FlexNet Inventory Agent on Linux. However, because in this case the FlexNet Inventory Agent is installed within a container in Kubernetes, the process by which the CA certificates file is supplied to the FlexNet Inventory Agent is specific to the Flexera Kubernetes Inventory Agent.

At the summary level, the process consists of:
- Making sure that your version of the Flexera Kubernetes Inventory Agent supports custom certificates
- Preparing the certificates in the format required by the FlexNet Inventory Agent
- Storing those certificates in a volume that is to be mounted in the container(s) where the Flexera Kubernetes Inventory Agent is running
- Configuring the Flexera Kubernetes Inventory Agent to reference that storage volume so that it discovers and uses the CA certificate(s).

To use custom CA certificates with the Flexera Kubernetes Inventory Agent:

- Ensure that a sufficiently recent version of the Flexera Kubernetes Inventory Agent is installed.

  As a minimum, version 1.3.0 must be installed. If this or a more recent version is already installed, no further action on this point is needed. If an earlier version is installed, update it by following the standard download/installation process until the install.sh script has successfully completed.

  Tip: If you don't already know which version of Flexera Kubernetes Inventory Agent is installed within the cluster, it is reflected in the version of the deployed container image. For example, this container image:

      flexera/krm:1.3.0

  includes version 1.3.0 of Flexera Kubernetes Inventory Agent. You can inspect the image using the relevant controller deployment (all one command line, here wrapped for presentation):

      kubectl get deployments --namespace flexera \
          krm-controller -o jsonpath='{.spec.template.spec.containers[0].image}'

- Prepare a single certificate file that combines all required client-side certificates needed for validating the server-side certificates that are presented by your selected inventory beacon.

  This concatenated certificate file should be saved using the PEM format. Each PEM-format certificate should be base-64 encoded plain text surrounded by a BEGIN CERTIFICATE header and an END CERTIFICATE footer. That is:

      -----BEGIN CERTIFICATE-----
      MIIDiTCCAnGgAwIBAgIQWO/IibrLpZ5Hts3u3xH7TzANBgkqhkiG9w0BAQUFADAR
      MQ8wDQYDVQQDEwZ0ZncyazMwHhcNMTAxMTI1MDEyMDM4WhcNMTUxMTI1MDEyODA1
      ......
      wXvMSERKsNsJ6FwwXFGA3HBrRLTHzqzsfUlUAbV+SBm/FSFkuWsy4QWAuJCbnCnv
      c3ClFHXqwaIq9UWvO5FR5kD4gK9LZOUY4B7tLTQmpJScFSiPZrIBa1cQ5uWl
      -----END CERTIFICATE-----

  If you have multiple root CA certificates, simple shell commands allow the concatenation:

      #!/bin/sh
      # Start from an empty bundle (-f: no error if cert.pem does not exist yet)
      rm -f cert.pem
      for i in ca1.pem ca2.pem ca3.pem ; do
        # -text writes a readable description followed by the PEM certificate
        openssl x509 -in "$i" -text >> cert.pem
      done

  Tip: Before, between, and after the certificates in the concatenated file (that is, everywhere except between BEGIN and END tags), free text is allowed that can be used, for example, for descriptions of the certificates.

  Name your resulting file cert.pem. (This file name is mandatory. Without this name, the FlexNet inventory agent will not detect and use the certificates.)

- Save the certificate file in a volume that will be mounted into the containers where the Flexera Kubernetes Inventory Agent is to operate.

  The storage may be any type of volume supported by the Kubernetes VolumeSource type, but common choices include a configmap or a secret (the examples that follow assume that the certificates are stored in a secret). The volume must be mounted at the path /var/opt/managesoft/etc/ssl (this happens to be the default value of the SSLDirectory option, but in this situation is mandatory). Also note that the volume must be in the flexera namespace. If, for example, we name the secret as myorg-certificates, the command line for creating the secret containing the certificate becomes:

      kubectl create secret generic myorg-certificates --namespace flexera --from-file=cert.pem

- Configure the Flexera Kubernetes Inventory Agent to reference this volume, using the spec.monitor.tlsFiles attribute, by editing the YAML file for the agent's configuration.

  For example, using the same example values as above, the relevant extract from the YAML file is:

      apiVersion: agents.flexera.com/v1
      kind: KRM
      spec:
        monitor:
          tlsFiles:
            secret:
              secretName: myorg-certificates

When the container is instantiated, the controller automatically ensures that the storage volume is correctly mounted. When the Flexera Kubernetes Inventory Agent uses components (such as the ndpolicy component) of the FlexNet Inventory Agent to communicate with the inventory beacon, it also hands off the CA certificate(s) so that these are used to authenticate the secure HTTPS communications.
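
A pre-flight check to run on the bundle before `kubectl create secret`, as an added example that is not part of the Flexera documentation: it confirms the mandatory cert.pem file name, that BEGIN/END CERTIFICATE markers pair up around base64 text (free text outside them is allowed), and that no private key was concatenated in by mistake. The helper name `check_ca_bundle` and the sample data are constructed for illustration, and the check is structural only; it does not validate the certificates cryptographically.

```shell
#!/bin/sh
# Added example: structural pre-flight check for a concatenated CA bundle.
# check_ca_bundle is a hypothetical helper name, not part of any Flexera tool.
# Prints the number of certificate blocks and returns 0 if the bundle is sound.
check_ca_bundle() {
    bundle=$1
    # The agent only detects a file with this exact name.
    [ "$(basename "$bundle")" = "cert.pem" ] ||
        { echo "bundle must be named cert.pem" >&2; return 1; }
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    awk '
        { sub(/[ \t\r]+$/, "") }    # tolerate trailing blanks and CRLF
        # A CA bundle must never carry key material into the cluster.
        /^-----BEGIN .*PRIVATE KEY-----$/ { err = "private key at line " NR; exit }
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inside) { err = "BEGIN inside a certificate at line " NR; exit }
            inside = 1; body = 0; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (!inside) { err = "END without BEGIN at line " NR; exit }
            if (!body)   { err = "empty certificate at line " NR; exit }
            inside = 0; count++; next
        }
        inside {
            if ($0 !~ "^[A-Za-z0-9+/]+=?=?$") {
                err = "non-base64 text inside a certificate at line " NR; exit
            }
            body++
        }
        # Lines outside BEGIN/END are free text (descriptions) and are skipped.
        END {
            if (err == "" && inside) err = "unterminated certificate"
            if (err == "" && !count) err = "no certificates found"
            if (err != "") { print "cert.pem: " err > "/dev/stderr"; exit 1 }
            print count
        }
    ' "$bundle"
}

# Constructed sample: placeholder base64, not a real certificate.
demo_dir=$(mktemp -d)
printf '%s\n' 'Internal root CA (free text)' '-----BEGIN CERTIFICATE-----' \
    'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$demo_dir/cert.pem"
check_ca_bundle "$demo_dir/cert.pem"
rm -rf "$demo_dir"
```

To confirm that the bundle actually verifies the beacon's certificate, `openssl verify -CAfile cert.pem` run against a saved copy of that certificate is the cryptographic counterpart to this structural check.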
        
        
            