Instana U

Synthetic PoP with Cert-manager and Reloader

By Jun Shi Wang posted Wed September 20, 2023 01:34 AM

Co-Authors

Rui Yin (yinrui@cn.ibm.com) - Tech lead for Instana Synthetic

Synthetic PoP is the agent that runs synthetic tests. It supports a basic installation without TLS, and a TLS-enabled installation that provides enhanced security and is recommended especially in production environments.

The TLS configuration consists of three certificate files that you need to create or manage, and Synthetic PoP uses several secrets to connect to different services or components. Every time one of these secrets is updated, you need to restart or redeploy Synthetic PoP.

This blog covers how to create the TLS certificates with cert-manager, and how to restart Synthetic PoP automatically, without manual intervention, after the secrets are updated, by using Reloader.

Namespace and secret name

In this blog, the following namespace and secret names are used as examples. You can use different names.

  • The namespace syn is created in advance.
  • Synthetic PoP is installed under the namespace syn.
  • cert-manager is installed under the namespace cert-manager.
  • Reloader is installed under the namespace syn. You must install Reloader in the same namespace as Synthetic PoP.
  • Redis TLS secret name is redis-secret.

cert-manager

cert-manager is a certificate management tool. You can use cert-manager when you enable TLS in Synthetic PoP to create and manage TLS keys and certificates.

Installing cert-manager

Install cert-manager by using kubectl, the Kubernetes command-line tool. Use kubectl 1.19 or a later version. For more information on installing cert-manager, refer to the cert-manager documentation on installation with kubectl.

  1. Install cert-manager by running the following command:
    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
    By default, cert-manager is installed into the cert-manager namespace.
  2. Check the status of the pods by running the following command:
    kubectl get po -n cert-manager
    A sample output of the installation from the console is shown below:   
  3. (Optional) Install the cert-manager command-line tool:
    1. Download the cmctl.tar.gz file for your operating system and architecture from the https://github.com/cert-manager/cert-manager/releases page.
    2. Untar the cert-manager CLI and install it on your machine by running the following commands:
      tar xzf cmctl.tar.gz
      sudo mv cmctl /usr/local/bin
    3. Check whether the cert-manager CLI tool is installed by running the following command:
      $ cmctl check api 
      The cert-manager API is ready
  4. Issue TLS certificates
    1. Copy the following contents and save them in a file named cert.yaml:
      ---
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: selfsigned-issuer
      spec:
        selfSigned: {}
      ---
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: pop-selfsigned-ca
        namespace: syn
      spec:
        isCA: true
        commonName: pop-selfsigned-ca
        secretName: redis-secret
        privateKey:
          algorithm: ECDSA
          size: 256
        issuerRef:
          name: selfsigned-issuer
          kind: ClusterIssuer
          group: cert-manager.io
      ---
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: pop-ca-issuer
        namespace: syn
      spec:
        ca:
          secretName: redis-secret
      
    2. Generate the TLS keys and certificates by running the following command:
      kubectl apply -f cert.yaml
  5. Verify the outputs
    1. Verify whether the Redis secret is generated by running the following command:
      kubectl get secret redis-secret -n syn
    2. Verify that the TLS keys and certificates are generated by running the following command:
      kubectl describe secret redis-secret -n syn
      A sample output is shown in the following example.
    3. Check whether ca.crt, tls.crt and tls.key are listed in Data.
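The check in step 5.3 can be scripted against the JSON that kubectl get secret redis-secret -n syn -o json prints. The following script is an added example and not part of the blog or the Synthetic PoP project: it confirms the secret has the kubernetes.io/tls type, that ca.crt, tls.crt and tls.key are present and decode to PEM blocks of the right kind, and that the cert-manager annotations (which cert-manager itself writes on the secrets it issues) name the issuer and Certificate from cert.yaml. The embedded SAMPLE is constructed with placeholder PEM bodies, not real key material.

```python
# Added example (not from the blog): sanity-check the redis-secret that cert.yaml
# produces, using the JSON that `kubectl get secret redis-secret -n syn -o json` prints.
import base64
import json

REQUIRED_KEYS = ("ca.crt", "tls.crt", "tls.key")
# Accepted PEM block types per key; the ECDSA key from cert.yaml is written as "EC PRIVATE KEY".
PEM_TYPES = {"ca.crt": ("CERTIFICATE",), "tls.crt": ("CERTIFICATE",),
             "tls.key": ("EC PRIVATE KEY", "PRIVATE KEY")}

def _pem(kind: str, body: str) -> str:
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"

def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

# Constructed sample with placeholder PEM bodies (no real key material); names, namespace
# and issuer mirror cert.yaml, the annotations are the ones cert-manager sets on its secrets.
SAMPLE = json.dumps({
    "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "redis-secret", "namespace": "syn", "annotations": {
        "cert-manager.io/certificate-name": "pop-selfsigned-ca",
        "cert-manager.io/issuer-name": "selfsigned-issuer",
        "cert-manager.io/issuer-kind": "ClusterIssuer"}},
    "data": {"ca.crt": _b64(_pem("CERTIFICATE", "MIIBplaceholder")),
             "tls.crt": _b64(_pem("CERTIFICATE", "MIIBplaceholder")),
             "tls.key": _b64(_pem("EC PRIVATE KEY", "MHcCplaceholder"))}})

def validate_tls_secret(secret_json: str, issuer: str = "selfsigned-issuer",
                        cert_name: str = "pop-selfsigned-ca") -> list[str]:
    """Return the problems found; an empty list means the secret is what cert.yaml intended."""
    secret = json.loads(secret_json)
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"unexpected secret type {secret.get('type')!r}")
    ann = secret.get("metadata", {}).get("annotations", {})
    if ann.get("cert-manager.io/issuer-name") != issuer:
        problems.append(f"secret was not issued by {issuer}")
    if ann.get("cert-manager.io/certificate-name") != cert_name:
        problems.append(f"secret does not belong to Certificate {cert_name}")
    data = secret.get("data", {})
    for key in REQUIRED_KEYS:
        if key not in data:  # the check from step 5.3 of the blog
            problems.append(f"missing {key} in Data")
            continue
        pem = base64.b64decode(data[key]).decode(errors="replace")
        if not any(pem.startswith(f"-----BEGIN {t}-----") for t in PEM_TYPES[key]):
            problems.append(f"{key} is not a PEM {' or '.join(PEM_TYPES[key])} block")
    return problems
```

Run validate_tls_secret on the real kubectl output instead of SAMPLE; a non-empty result lists what to fix before deploying Synthetic PoP with this secret.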

 

Deploying Synthetic PoP

After you install cert-manager and generate the secret, deploy Synthetic PoP by using the generated secret name redis-secret.

To deploy Synthetic PoP, run the following command:

helm install synthetic-pop \
--repo https://agents.instana.io/helm/ \
--set controller.location="test;test cert manager;China;Beijing;39.54;116.23;A PoP for testing cert-manager" \
--set controller.instanaKey="your instanakey" \
--set controller.instanaSyntheticEndpoint="https://synthetics-pink-saas.instana.rocks" \
--set redis.password="a1fc5d01bcbb" \
--create-namespace \
--set redis.tls.enabled=true   \
--set redis.tls.secretName="redis-secret" \
--namespace syn \
--set downloadKey="your downloadkey" \
synthetic-pop

Reloader

If the Redis secret changes, you need to install or upgrade Synthetic PoP again. The Reloader tool solves this problem.

Reloader watches secrets and automatically updates the Synthetic PoP pods so that they pick up the updated secrets. To enable Reloader, install the latest version of Synthetic PoP and then install Reloader.

Installing Reloader

  1. Add the Reloader Helm repo by running the following commands:
    helm repo add stakater https://stakater.github.io/stakater-charts
    helm repo update
  2. Install Reloader by running one of the following Helm commands depending on your environment:
    • Kubernetes
      helm install stakater/reloader --generate-name -n syn --set reloader.reloadOnCreate=true
    • Red Hat OpenShift Container Platform
      helm install stakater/reloader --generate-name -n syn --set reloader.isOpenshift=true --set reloader.deployment.securityContext.runAsUser=null --set reloader.reloadOnCreate=true

Verification

  1. Verify that Reloader is running by running the following command:
    kubectl get po -n syn
  2. Verify that Reloader is working:
    1. Update or delete the Redis secret. Because cert-manager manages redis-secret and automatically recreates it, you can delete redis-secret to simulate a secret change:
      kubectl delete secret redis-secret -n syn
    2. Verify the pod restart status by running the following command:
      kubectl get pod

      A sample output is shown in the following example:

Summary

cert-manager generates and manages the TLS certificates. Reloader detects secret changes and reloads the pods. Certificate management for Synthetic PoP is simplified by combining it with cert-manager and Reloader.
