3.6 Starting the Platform API Server and Platform Agent Services

This section discusses using certificates to set up secure communication between the Platform API Server and the Platform Agent on nodes in the cluster. You can set up secure communication using certificates managed by Vault, or using your own certificates copied to each node. You must configure the Platform API Server and the Platform Agent to use the certificates when you start the services.

For information on setting up the certificates with Vault, see Section 3.5, “Setting up X.509 Certificates”.

For information on creating a private CA to sign certificates that can be used during testing, see Section 3.5.3, “Setting up Private CA Certificates”.

3.6.1 Starting the Services Using Vault

This section shows you how to set up the Platform API Server and Platform Agent services to use certificates managed by Vault.

To set up and start the services using Vault:

  1. On the operator node, use the /etc/olcne/bootstrap-olcne.sh script to configure the Platform API Server to retrieve and use a Vault certificate. Use the bootstrap-olcne.sh --help command for a list of options for this script. Note that the Vault token is passed as a command-line argument, so it is recorded in the shell history and is visible in the process list while the script runs; use a token with a short TTL that carries only the policy needed to request the certificate, and revoke it once bootstrapping is complete. For example:

    $ sudo /etc/olcne/bootstrap-olcne.sh \
        --secret-manager-type vault \
        --vault-token s.3QKNuRoTqLbjXaGBOmO6Psjh \
        --vault-address https://192.0.2.20:8200 \
        --force-download-certs \
        --olcne-component api-server

    The certificates are generated and downloaded from Vault. By default, the certificates are saved to the /etc/olcne/certificates/ directory. You can instead choose where each file is written by adding path options to the bootstrap-olcne.sh command, for example:

        --olcne-ca-path /etc/olcne/configs/certificates/production/ca.cert \
        --olcne-node-cert-path /etc/olcne/configs/certificates/production/node.cert \
        --olcne-node-key-path /etc/olcne/configs/certificates/production/node.key \

    The Platform API Server is configured to use the certificates and is started.

  2. On each Kubernetes node, use the /etc/olcne/bootstrap-olcne.sh script to configure the Platform Agent to retrieve and use a certificate. For example:

    $ sudo /etc/olcne/bootstrap-olcne.sh \
        --secret-manager-type vault \
        --vault-token s.3QKNuRoTqLbjXaGBOmO6Psjh \
        --vault-address https://192.0.2.20:8200 \
        --force-download-certs \
        --olcne-component agent

    The certificates are generated and downloaded from Vault.

    The Platform Agent is configured to use the certificates and is started.