Prerequisites to Install Calibo Accelerate Orchestrator Agent on AKS Cluster
To install a Calibo Accelerate Orchestrator Agent on a Microsoft AKS cluster, complete the following prerequisites in the recommended order:

A dedicated AKS cluster is required to deploy Calibo Accelerate Orchestrator Agent. Consider the following minimum requirements for compute resources as you configure the Kubernetes nodes in the cluster:
AKS Cluster Requirements
- AKS version 1.29 or later
- Minimum 2 nodes (minimum 8 GiB RAM and 2 vCPU per node)

Install NGINX Ingress Controller.
NGINX Ingress Controller Requirements
- Version 1.3.0 or later.
  For information about how to install the Ingress-Nginx Controller, see Ingress-Nginx Controller Installation Guide.

- Ensure Azure Key Vault is within the same subscription as the AKS cluster used for deploying the Calibo Accelerate Orchestrator Agent.
- In Azure Key Vault, create a secret specifically for the API key and set the secret value to the following JSON string (enter the entire JSON string as the value of the secret):
    {"apiKey":""}
  Note the vault name and secret name, as you need to provide these values when running the agent installation command. The Orchestrator Agent uses this secret to store and periodically update its API key. This key is used to authenticate the agent during registration with the Calibo Accelerate platform.

Best Practice:
For security purposes, it is recommended to store the API key secret in a separate key vault from other tools' secrets. The Orchestrator Agent needs read and write access to this API key vault to update the API key, but only read access to the vault containing tools' secrets. Storing the API key separately prevents the agent from accidentally having write access to tools' secrets.

When you create an AKS cluster, a managed identity is generated with the agent pool name. You must add this managed identity to the access policies of the vault created for storing the API key and the one created for storing tools’ secrets with appropriate permissions.
To grant the required secret permissions to the managed identity, do the following:
1. In the Azure Portal, go to Managed Identities.
2. Locate a managed identity with a name resembling the name of your AKS cluster (that you created earlier in the prerequisites), followed by the keyword 'agentpool'.
3. Note down this name, as you need to add it to configure the vault access policies.
4. To configure access for the vault storing Orchestrator Agent API key, do the following:
   a. Go to Key vaults, select the vault created for storing the API key, and then go to Access Policies > Create.
   b. Under Secret permissions, select:
      - Get
      - List
      - Set
   c. Under the Principal selection pane, enter the name of the managed identity (your cluster name-agentpool) that you noted down in step 3. Add it to the vault access policy.
   d. Review the access policy settings and click Create to save the policy.
   e. On the Access policies page, confirm that the new access policy is listed.
5. To configure access for the vault storing tools' secrets, do the following:
   a. Navigate to the vault created for storing tools' secrets, and then go to Access Policies > Create.
   b. Under Secret permissions, select:
      - Get
      - List
   c. Under the Principal selection pane, enter the name of the managed identity (your cluster name-agentpool) that you noted down in step 3. Add it to the vault access policy.
   d. Review the access policy settings and click Create to save the policy.
   e. On the Access policies page, confirm that the new access policy is listed.

Allow inbound and outbound connectivity on port 443 to the Microsoft AKS cluster dedicated to the Orchestrator Agent.
This connectivity is required to download the Orchestrator Agent images and to establish a secure connection between the agent and the Calibo Accelerate platform.

The following commands help you generate a self-signed Certificate Authority (CA) certificate, server certificate, and client certificate. You can also use your trusted root CA to generate these certificates.
1. Create a CA certificate by running the following command in your command-line interface. Replace Test Cert Authority with the name of your trusted certificate authority. The -days parameter indicates the validity period of the certificate. By default, it is set to 365. You can modify this value. After the specified period, the certificate will expire and you must regenerate the self-signed CA certificate.

    openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 365 -nodes -subj '/CN=Test Cert Authority'

2. Create a server certificate for your domain by using the CA certificate that you created in step 1. To create the server certificate, run the following command in your command-line interface. Replace <your_domain_name> with your domain name. The -days parameter indicates the validity period of the certificate. By default, it is set to 365. You can modify this value. After the specified period, the server certificate will expire and you must regenerate it.

    openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=<your_domain_name>' && openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

3. Create a client certificate by using the CA certificate that you created in step 1. To create a client certificate, run the following command in your command-line interface. The -days parameter indicates the validity period of the certificate. By default, it is set to 365. You can modify this value. After the specified period, the certificate will expire and you must regenerate the certificate and upload it to the Calibo Accelerate platform by editing the agent details.

    openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Lazsa' && openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

4. Convert the client certificate to PKCS#12 format by running the following command. Remember the password that you add to create the certificate in PKCS#12 format. You must provide this password when you upload the client certificate during agent installation.

    openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt
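
The following script is an added example, not part of the Calibo documentation. It checks the files produced by the steps above before you upload client.p12: that the server and client certificates chain to ca.crt, that each private key matches its certificate, that neither certificate is close to expiry, and that client.p12 opens with the password you recorded. The function names, the 30-day warning window, and the demo certificates (2048-bit keys, example.test subject names, a command-line password) are assumptions of the example.

```shell
# 0 if certificate $2 chains to CA certificate $1.
check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if private key $2 belongs to certificate $1 (identical public keys).
key_matches() {
  km_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  km_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$km_cert" ] && [ "$km_cert" = "$km_key" ]
}

# 0 if certificate $1 expires within $2 days, or cannot be read (fail closed).
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 if PKCS#12 file $1 opens with password $2.
p12_ok() { openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1; }

# Run all checks on directory $1 (PKCS#12 password $2); 30 days is this example's choice.
verify_bundle() {
  vb_rc=0
  for vb_n in server client; do
    check_chain "$1/ca.crt" "$1/$vb_n.crt" || { echo "FAIL: $vb_n.crt not issued by ca.crt"; vb_rc=1; }
    key_matches "$1/$vb_n.crt" "$1/$vb_n.key" || { echo "FAIL: $vb_n.key does not match $vb_n.crt"; vb_rc=1; }
    if expires_within "$1/$vb_n.crt" 30; then echo "FAIL: $vb_n.crt expires within 30 days"; vb_rc=1; fi
  done
  p12_ok "$1/client.p12" "$2" || { echo "FAIL: client.p12 does not open with this password"; vb_rc=1; }
  return "$vb_rc"
}

# Constructed sample input: the page's commands with 2048-bit keys and demo names/password ($2).
make_demo_certs() {
  ( cd "$1" && umask 077 &&
    openssl req -x509 -sha256 -newkey rsa:2048 -keyout ca.key -out ca.crt \
      -days 365 -nodes -subj '/CN=Test Cert Authority' &&
    for md_p in server:01 client:02; do
      md_n=${md_p%%:*}
      openssl req -new -newkey rsa:2048 -keyout "$md_n.key" -out "$md_n.csr" \
        -nodes -subj "/CN=$md_n.example.test" &&
      openssl x509 -req -sha256 -days 365 -in "$md_n.csr" -CA ca.crt \
        -CAkey ca.key -set_serial "${md_p##*:}" -out "$md_n.crt" || exit 1
    done &&
    openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt \
      -passout "pass:$2" ) >/dev/null 2>&1
}
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir" constructed-demo-pass && verify_bundle "$demo_dir" constructed-demo-pass && echo "all checks passed"
rm -rf "$demo_dir"
```

To check your own files, call verify_bundle with the directory that holds ca.crt, server.crt, server.key, client.crt, client.key and client.p12, and the PKCS#12 password.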
What's next? Installing Calibo Accelerate Orchestrator Agent in Microsoft AKS Cluster by Using mTLS