When the Flexera Kubernetes inventory agent is configured to use HTTPS, it validates server certificates against the standard bundle of trusted Certificate Authorities (CAs) distributed by Mozilla. However, if the certificate on the beacon server's upload endpoint is signed by an authority internal to your organization that is not in that bundle, the certificate cannot be validated and the upload fails with an SSL error.
If you are having SSL issues with the Flexera Kubernetes inventory agent, you can look at the uploader log using the following Kubernetes agent command:
The uploader logs will show the following information if your CA is not validated:
Uploading file 'k8s-inventory-12345678-20221026T131026.ndi' to 'https://myorg.beacon.com/ManageSoftRL/Inventories'
Error 0xE1BBFC14: OpenSSL error 0xFC14: unable to get local issuer certificate
Error 0xE050044D: Failed to create remote directory /ManageSoftRL
Error 0xE0690099: Specified remote directory is invalid, or could not be created
ERROR: Remote directory is invalid
Generally, in this scenario, you can copy the CA certificates that you want to be validated by the beacon to /var/opt/managesoft/etc/ssl/cert.pem, but another approach must be used with the Flexera Kubernetes inventory agent. Follow the steps below to allow validation of custom CA certificates.
Use custom CA Certificates with the Flexera Kubernetes inventory agent
Verify you have at least version 1.3.0 of the Flexera Kubernetes inventory agent installed. You can use the following command to check for the version:
kubectl get deployments --namespace flexera
Prepare a single certificate file that combines all required client-side certificates for validating the server-side certificates. This must be named: cert.pem
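One way to carry out the bundle-preparation step above, as an added example that is not Flexera's own tooling: a shell function that concatenates CA files into cert.pem, refuses inputs containing private keys, and keeps files without a trailing newline from corrupting the bundle. The input file names and the certificate bodies are constructed placeholders, not real CAs.

```shell
#!/usr/bin/env bash
# Added example: assemble cert.pem from several PEM CA files with sanity checks.
# All file names and certificate bodies here are constructed placeholders.

# build_bundle OUT IN...  -> 0 ok, 1 unreadable or no certificate,
# 2 private key present, 3 unbalanced BEGIN/END markers.
# OUT is written only when every input passes.
build_bundle() {
  local out=$1 tmp f begins ends; shift
  tmp=$(mktemp) || return 4
  for f in "$@"; do
    [ -r "$f" ] || { rm -f "$tmp"; return 1; }
    # The bundle is mounted into agent containers: CA certificates only,
    # never key material.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
      rm -f "$tmp"; return 2
    fi
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    [ "$begins" -gt 0 ] || { rm -f "$tmp"; return 1; }
    [ "$begins" -eq "$ends" ] || { rm -f "$tmp"; return 3; }
    # awk ends every line with \n and strips CRs, so an input without a
    # final newline cannot fuse its END line with the next BEGIN line.
    awk '{ sub(/\r$/, ""); print }' "$f" >> "$tmp"
  done
  cat "$tmp" > "$out" && rm -f "$tmp"
}

# Number of certificates in a bundle (whole-line BEGIN markers only).
count_certs() { grep -cx -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Constructed sample inputs; the base64 body is a placeholder, not a real CA.
make_samples() {
  local b='-----BEGIN CERTIFICATE-----' e='-----END CERTIFICATE-----'
  printf '%s\n' "$b" 'Q09OU1RSVUNURUQ=' "$e" > "$1/root-ca.pem"
  # No trailing newline, as copy/paste exports often produce.
  printf '%s\n%s\n%s' "$b" 'Q09OU1RSVUNURUQ=' "$e" > "$1/issuing-ca.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END PRIVATE KEY-----' > "$1/leaked.pem"
  printf '%s\n' "$b" 'Q09OU1RSVUNURUQ=' > "$1/truncated.pem"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
build_bundle "$demo_dir/cert.pem" "$demo_dir/issuing-ca.pem" "$demo_dir/root-ca.pem" \
  && echo "cert.pem holds $(count_certs "$demo_dir/cert.pem") certificates"
```

With real CA files, `openssl verify -CAfile cert.pem <beacon-server-cert.pem>` (placeholder file name) checks that the bundle completes the beacon certificate's chain before the file is mounted.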
Save the certificate file in a volume that will be mounted into the containers where the Flexera Kubernetes inventory agent will operate. Use the following command as an example: