Implement mTLS resources for CloudWatch Agent client #163
Conversation
musa-asad
changed the title
musa-asad
changed the title
| metadata: | ||
| labels: | ||
| {{- include "amazon-cloudwatch-observability.labels" . | nindent 4 }} | ||
| name: "amazon-cloudwatch-observability-agent-outbound-cert" |
There was a problem hiding this comment.
is there a reason why we can't use "amazon-cloudwatch-observability-agent-cert" ?
I see that we specify the target allocator service as a dns name we can make calls to?
Are we using this outbound cert specifically for target allocator?
There was a problem hiding this comment.
We do use "amazon-cloudwatch-observability-agent-cert" for the server cert and key for the TA server: https://github.com/aws/amazon-cloudwatch-agent-operator/blob/d6c5c6d9aa983222ac3557fe1c3bb2c367fff615/internal/manifests/targetallocator/volume.go#L47.
The "amazon-cloudwatch-observability-agent-outbound-cert" is for the client cert and key for the agent client. We could technically use "amazon-cloudwatch-observability-agent-server-cert", but I avoided doing so due to separation of concerns.
There was a problem hiding this comment.
Could you elaborate on what you meant by
I avoided doing so due to separation of concerns.
There was a problem hiding this comment.
The server-cert is used to generate server cert and keys when the CloudWatch Agent operates as a server for FluentBit.
The outbound-cert is used to generate client cert and keys when the CloudWatch Agent operates as a client for the Target Allocator.
We are able to use the server-cert to generate client cert and keys as well when the CloudWatch Agent operates as a client, but it's preferable to separate that functionality to the outbound-cert.
There was a problem hiding this comment.
Updated the naming from outbound-cert to ta-client-cert.
Description of the issue
The Helm charts for the CloudWatch Agent do not include a server-side Certificate Authority, client certificate, and client key when the CloudWatch Agent behaves as a client for mutual TLS (mTLS). Without these mTLS resources, the agent cannot properly connect to the Target Allocator server, as it lacks the required certificates and keys to authenticate the mTLS connection.
Description of changes
Important
Co-PRs: 1) aws/amazon-cloudwatch-agent#1510; 2) aws/amazon-cloudwatch-agent-operator#284
certmanager.yaml.certmanager.yamlcontaining the CloudWatch Agent client certificate, key, and CA certificate, for mutual TLS authentication.genSignedCertto generate the CloudWatch Agent client certificate and key.License
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Tests
helm upgrade --install --debug amazon-cloudwatch-observability helm-charts/charts/amazon-cloudwatch-observability --set clusterName=<cluster_name> --set region=us-west-2 --namespace amazon-cloudwatch --create-namespaceand editedvalues.yamlwith a custom agent and prometheus configuration.Secrets
Volumes
Volume Mounts
