Co-Authors:
Rui Yin (yinrui@cn.ibm.com) - Tech lead for Instana Synthetic
Synthetic PoP is an agent where synthetic tests are run. It supports basic installation without TLS and enhanced security for Synthetic PoP with TLS especially in production environment.
The TLS certificates contains 3 files that you need to create or manage. And Synthetic PoP uses several secrets connecting with different services or components. Every time the secrets got updated, you need to restart or redeploy Synthetic PoP.
This blog covers how to create TLS certificates and restart Synthetic PoP and restart Synthetic
PoP automatically without manual invention after updating the secrets by using cert-manager and Reloader tools.
Namespace and secret name
In the blog, the following namespace and secret names are used as examples. You can use different names.
- The namespace syn is created in advance.
- Synthetic PoP is installed under the namespace syn.
- cert-manager is installed under the namespace cert-manager.
- Reloader is installed under the namespace syn. You must install Reloader under the same namespace with Synthetic PoP.
- Redis TLS secret name is redis-secret.
cert-manager
cert-manager is a certificate management tool. You can use cert-manager when you enable TLS in Synthetic PoP to create and manage TLS keys and certificates.
Installing cert-manager
Install cert-manger by using kubectl, the Kubernetes command-line tool. Use kubectl 1.19 or later versions. For more information on cert manager installation, refer to cert-manager installation by kubectl.
- Install cert-manager by running the following command:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
By default, cert-manager is installed into the cert-manager namespace.
- Check the status of the pods by running the following command:
kubectl get po -n cert-manager
A sample output of the installation from the console is shown below: 
- (Optional): Install the cert-manger command line tool
- Download the cmctl.tar.gz file depending on the operating system architecture from the https://github.com/cert-manager/cert-manager/releases page.
- Untar cert-manage cli and install in your machine by running the following command:
tar xzf cmctl.tar.gz
sudo mv cmctl /usr/local/bin
- Check whether cert-manager cli tool is installed by running the following command:
$ cmctl check api
The cert-manager API is ready
- Issue TLS certificates
- Copy the following contents and save the contents with the file name cert.yaml:
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: pop-selfsigned-ca
namespace: syn
spec:
isCA: true
commonName: pop-selfsigned-ca
secretName: redis-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-issuer
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: pop-ca-issuer
namespace: syn
spec:
ca:
secretName: redis-secret
- Generate TLS keys and certificates by running the following command:
kubectl apply –f cert.yaml
- Verify the outputs
- Verify whether Redis secret is generated by running the following command:
kubectl get secret redis-secret -n syn
- Verify TLS keys and certificates are generated by running the following command:
kubectl describe secret redis-secret -n syn
A sample output shown in the following example.
- Check whether ca.crt, tls.crt and tls.key are listed in Data.
Deploying Synthetic PoP
After you install cert-manage and generates secrets, deploy Synthetic PoP by using the generated secret name redis-secret.
To deploy Synthetic PoP, run the following command:
helm install synthetic-pop \
--repo https://agents.instana.io/helm/ \
--set controller.location="test;test cert manager;China;Beijing;39.54;116.23;A PoP for testing cert-manager" \
--set controller.instanaKey="your instanakey" \
--set controller.instanaSyntheticEndpoint="https://synthetics-pink-saas.instana.rocks" \
--set redis.password="a1fc5d01bcbb" \
--create-namespace \
--set redis.tls.enabled=true \
--set redis.tls.secretName="redis-secret" \
--namespace syn \
--set downloadKey="your downloadkey" \
synthetic-pop
Reloader
If Redis secret is changed, you need to install or upgrade Synthetic PoP again. The Reloader tool solves this problem.
Reloader can watch secrets and automatically update Synthetic PoP pods to apply updated secrets. To enable the Reloader tool, install the latest version of Synthetic PoP and then install reloader.
Installing Reloader
- Add Reloader Helm repo by running the following command:
helm repo add stakater https://stakater.github.io/stakater-charts
helm repo update
- Install Reloader by running one of the following Helm commands depending on your environment:
- Kubernetes
helm install stakater/reloader --generate-name -n syn --set reloader.reloadOnCreate=true
- Red Hat OpenShift Container Platform
helm install stakater/reloader --generate-name -n syn --set reloader.isOpenshift=true --set reloader.deployment.securityContext.runAsUser=null --set reloader.reloadOnCreate=true
Verification
- Verify whether Reloader is running by running the following command:
kubectl get po -n syn
- Verify whether Reloader is working
- Update or delete Redis secret. Since cert-manager tool manages and automatically recreates
redis-secret, we can delete redis-secret to mock secret change.
kubectl delete secret redis-secret –n syn
- Verify pod restarting status by running the following command
kubectl get pod
A sample output is shown in the following example:
Summary
cert-manager generates and manages TLS certificates. Reloader detects secret changes and reloads pod. Certificate management is simplified by using Synthetic PoP with cert-manager and Reloader.