In my last post I talked about Rancher Fleet; as a next step we will manage RHACS with Fleet.
As you know from that post, there are two main components, central-services and the Sensors. The central components are usually installed via Helm, while the sensors are installed by downloading the sensor bundle. However, as we are using Rancher Fleet to manage the cluster tooling, we want to take a different approach. Luckily, you can also install RHACS sensors using Helm. The steps are pretty straightforward:
Add the Helm chart repository.
Install the central-services Helm chart to install the centralized components (Central and Scanner).
Generate an init bundle.
Install the secured-cluster-services Helm chart to install the per-cluster and per-node components (Sensor, Admission Controller, and Collector).
Before we can configure Fleet, we have to create an init bundle within RHACS.
The secured cluster uses this bundle to authenticate with Central.
We manage multiple clusters with RHACS, but they can all use the same init bundle. Knowing this, we take the targetCustomizations approach:
Target customizations are used to determine how resources should be modified per target.
Targets are evaluated in order and the first one to match a cluster is used for that cluster
We have already created all clusters under Platform Configuration > Clusters, so we have to tell Fleet to use different values for each cluster. But first we need a GitRepo that targets all clusters:
Within the folder stackrox/sensors/nop referenced by the GitRepo we have a fleet.yaml.
The valuesFiles entry points to the init bundle we downloaded:
Used that way, we would have to add nop-cluster-init-bundle.yaml to the source code repo, which is definitely a bad practice as it contains private keys. A better approach is to read the values file from a ConfigMap or Secret, as suggested by the documentation.
Hence we add nop-cluster-init-bundle.yaml as a Secret called cluster-init-bundle in the target namespace stackrox on all our clusters:
Then we can use the following in the fleet.yaml:
Unfortunately, at the time of writing this did not work in either Rancher 2.5.11 or 2.6.2. Maybe I am missing something, or it is a bug. I may update the post once the problem is solved.
I then have a targetCustomizations entry for each cluster which defines/overrides clusterName and confirmNewClusterName for that cluster:
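To tie the pieces together, here is an added example of a complete fleet.yaml for the sensors (not the file from the original post or the RHACS project) that reads the init bundle from the cluster-init-bundle Secret and overrides clusterName per cluster. The chart repository URL, the secret key name, the cluster labels and the second cluster name (prod) are assumptions; the centralEndpoint, chart, secret and namespace names come from the post.

```yaml
# fleet.yaml for stackrox/sensors (added example, not the post's original file)
defaultNamespace: stackrox

helm:
  # RHACS Helm chart repository; URL assumed from the RHACS documentation
  repo: https://mirror.openshift.com/pub/rhacs/charts/
  chart: secured-cluster-services
  releaseName: stackrox-secured-cluster-services
  values:
    # Central endpoint from the post. The CA of the internally signed
    # certificate is deliberately NOT passed via additionalCAs: the post
    # found that setting it for the sensors produced "tls: bad certificate".
    centralEndpoint: stackrox.intra:443
  # Read the init bundle from the Secret created on each downstream cluster
  # instead of committing nop-cluster-init-bundle.yaml (and its private keys)
  # to git.
  valuesFrom:
    - secretKeyRef:
        name: cluster-init-bundle
        namespace: stackrox
        key: values.yaml   # assumed key under which the bundle YAML is stored

# Targets are evaluated in order; the first one matching a cluster is used.
targetCustomizations:
  - name: nop
    clusterSelector:
      matchLabels:
        rhacs-cluster: nop   # assumed label on the Fleet cluster object
    helm:
      values:
        clusterName: nop
        confirmNewClusterName: true
  - name: prod                # assumed second cluster
    clusterSelector:
      matchLabels:
        rhacs-cluster: prod
    helm:
      values:
        clusterName: prod
        confirmNewClusterName: true
```

Because clusterName is set only inside targetCustomizations, a cluster that matches none of the targets would fall back to the chart default, so every managed cluster needs a matching label.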
Wrap-up
Using Fleet to manage RHACS works fine, but I had a hard time making it work. Particularly with the additionalCAs for the sensors: we use internally signed certificates for the central endpoint stackrox.intra:443. While I had to specify it for Central, I ran into issues when specifying it for the sensor: it simply failed to connect with Get "https://stackrox.intra:443/v1/metadata": remote error: tls: bad certificate. Somehow additionalCAs does not need to be specified for the sensor when using Helm, but if you do, it messes things up. I am not sure whether that is an issue specific to RHACS or related to Fleet. However, after sorting it out, all looks very good: