Supporting Custom Certificates for HTTPS

IT Asset Management (Cloud)

When the inventory beacon identified for communication with the Flexera Kubernetes Inventory Agent is configured for the HTTPS protocol, communications are secured with certificates. The inventory beacon presents its certificate, and the Flexera Kubernetes Inventory Agent validates that certificate by validating the Certificate Authority (CA) issuing the beacon certificate using its own local copy of the CA's certificate. In the common case that the CA is one of the industry-standard major authorities, such as DigiCert, the Flexera Kubernetes Inventory Agent already has the standard CA certificate bundle included in the Ubuntu operating system that forms the agent's base. However, if your enterprise chooses to use internal certificates, or to use certificates issued by a CA that is not included in the standard bundle, the Flexera Kubernetes Inventory Agent must be supplied with the CA certificate(s) needed to verify the security certificate presented by the inventory beacon.

Internally, the Flexera Kubernetes Inventory Agent relies on components of the standard FlexNet Inventory Agent for all interactions with the inventory beacon. This means that the CA certificates must be configured in the same way as they are for third-party deployments of the FlexNet Inventory Agent on Linux. However, because in this case the FlexNet Inventory Agent is installed within a container in Kubernetes, the process by which the CA certificates file is supplied to the FlexNet Inventory Agent is specific to the Flexera Kubernetes Inventory Agent.

At the summary level, the process consists of:
  • Making sure that your version of the Flexera Kubernetes Inventory Agent supports custom certificates
  • Preparing the certificates in the format required by the FlexNet Inventory Agent
  • Storing those certificates in a volume that is to be mounted in the container(s) where the Flexera Kubernetes Inventory Agent is running
  • Configuring the Flexera Kubernetes Inventory Agent to reference that storage volume so that it discovers and uses the CA certificate(s).

To use custom CA certificates with the Flexera Kubernetes Inventory Agent:

  1. Ensure that a sufficiently recent version of the Flexera Kubernetes Inventory Agent is installed.
    As a minimum, version 1.3.0 must be installed. If this or a more recent version is already installed, no further action on this point is needed. If an earlier version is installed, update it by following the standard download/installation process until the script has successfully completed.
    Tip: If you don't already know which version of Flexera Kubernetes Inventory Agent is installed within the cluster, it is reflected in the version of the deployed container image. For example, this container image:
    includes version 1.3.0 of Flexera Kubernetes Inventory Agent. You can inspect the image using the relevant controller deployment (all one command line, here wrapped for presentation):
    kubectl get deployments --namespace flexera 
        krm-controller -o jsonpath={.spec.template.spec.containers[0].image}
  2. Prepare a single certificate file that combines all required client-side certificates needed for validating the server-side certificates that are presented by your selected inventory beacon.
    This concatenated certificate file should be saved using the PEM format. Each PEM-format certificate should be base-64 encoded plain text surrounded by a BEGIN CERTIFICATE header and an END CERTIFICATE footer. That is:
    -----BEGIN CERTIFICATE----- 
    -----END CERTIFICATE----- 
    If you have multiple root CA certificates, simple shell commands allow the concatenation:
     rm cert.pem
     for i in ca1.pem ca2.pem ca3.pem ; do
       openssl x509 -in $i -text >> cert.pem
    Tip: Before, between, and after the certificates in the concatenated file (that is, everywhere except between BEGIN and END tags), free text is allowed that can be used, for example, for descriptions of the certificates.
    Name your resulting file cert.pem. (This file name is mandatory. Without this name, the FlexNet inventory agent will not detect and use the certificates.)
  3. Save the certificate file in a volume that will be mounted into the containers where the Flexera Kubernetes Inventory Agent is to operate.
    The storage may be any type of volume supported by the Kubernetes VolumeSource type, but common choices include a configmap or a secret (the examples that follow assume that the certificates are stored in a secret). The volume must be mounted at the path /var/opt/managesoft/etc/ssl (this happens to be the default value of the SSLDirectory option, but in this situation is mandatory). Also note that the volume must be in the flexera namespace. If, for example, we name the secret as myorg-certificates, the command line for creating the secret containing the certificate becomes:
    kubectl create secret generic myorg-certificates --namespace flexera --from-file=cert.pem
  4. Configure the Flexera Kubernetes Inventory Agent to reference this volume, using the spec.monitor.tlsFiles attribute, by editing the YAML file for the agent's configuration.
    For example, using the same example values as above, the relevant extract from the YAML file is:
    kind: KRM
            secretName: myorg-certificates

When the container is instantiated, the controller automatically ensures that the storage volume is correctly mounted. When the Flexera Kubernetes Inventory Agent uses components (such as the ndpolicy component) of the FlexNet Inventory Agent to communicate with the inventory beacon, it also hands off the CA certificate(s) so that these are used to authenticate the secure HTTPS communications.

IT Asset Management (Cloud)