-
Notifications
You must be signed in to change notification settings - Fork 76
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: add management plane connect doc
- Loading branch information
1 parent
a66a4e2
commit 518836b
Showing
1 changed file
with
116 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| --- | ||
| title: "Connect to management plane" | ||
| draft: false | ||
| weight: 400 | ||
| toc: true | ||
| tags: [ "docs" ] | ||
| categories: ["configuration"] | ||
| doctypes: ["task"] | ||
| --- | ||
|
|
||
| ## Overview | ||
|
|
||
| To monitor and manage all your NGINX Agent instances from a central management plane server, you first need to connect your instances and the server. You can configure the connection by making the required changes to the NGINX Agent configuration file. | ||
|
|
||
| There are three types of connections you can establish between the NGINX Agent and the management plane server: | ||
|
|
||
| - [Mutual Transport Layer Security (mTLS) connection](#mtls-connection) | ||
| - [Transport Layer Security (TLS) connection](#tls-connection) | ||
| - [Insecure connection](#insecure-connection) | ||
|
|
||
| ## mTLS Connection | ||
|
|
||
| To establish a mTLS connection between the NGINX Agent and the management plane server, follow these steps: | ||
|
|
||
| 1. Edit the `/etc/nginx-agent/nginx-agent.conf` file to enable mTLS for NGINX Agent. Replace the example values with your own: | ||
|
|
||
| ```yaml | ||
| command: | ||
| server: | ||
| # the server host to connect to in order to send | ||
| # and receive commands e.g. config apply instructions | ||
| host: example.com | ||
| # the server port to connect to in order to send and receive commands | ||
| # e.g. config apply instructions | ||
| port: 443 | ||
| # the type of connection. Currently only "grpc" is supported. | ||
| type: grpc | ||
| auth: | ||
| # the token to be used in the authorization header | ||
| # for the Agent initiated requests | ||
| token: ... | ||
| tls: | ||
| # The client key to be used in the TLS/mTLS connection | ||
| key: /etc/ssl/certs/key.pem | ||
| # The client certificate to be used in the TLS/mTLS connection | ||
| cert: /etc/ssl/certs/cert.pem | ||
| # The certificate authority certificate to be used in the mTLS connection | ||
| ca: /etc/ssl/certs/ca.pem | ||
| # controls whether the server certificate chain and host name are verified | ||
| skip_verify: false | ||
| # A hostname value specified in the Subject Alternative Name extension | ||
| server_name: example.com | ||
| ``` | ||
| 2. Restart the NGINX Agent service: | ||
| ```bash | ||
| sudo systemctl restart nginx-agent | ||
| ``` | ||
|
|
||
| ## TLS Connection | ||
|
|
||
| To establish a TLS connection between the NGINX Agent and the management plane server, follow these steps: | ||
|
|
||
| 1. Edit the `/etc/nginx-agent/nginx-agent.conf` file to enable TLS for NGINX Agent. Replace the example values with your own: | ||
|
|
||
| ```yaml | ||
| command: | ||
| server: | ||
| # the server host to connect to in order to send and receive commands | ||
| # e.g. config apply instructions | ||
| host: example.com | ||
| # the server port to connect to in order to send and receive commands | ||
| # e.g. config apply instructions | ||
| port: 443 | ||
| # the type of connection. Currently only "grpc" is supported. | ||
| type: grpc | ||
| auth: | ||
| # the token to be used in the authorization header for the | ||
| # Agent initiated requests | ||
| token: ... | ||
| tls: | ||
| # controls whether the server certificate chain and host name are verified | ||
| skip_verify: false | ||
| ``` | ||
| {{< note >}}To enable server-side TLS with a self-signed certificate, you must have TLS enabled and set `skip_verify` to `true`, which disables hostname validation. Setting `skip_verify` can be done only by updating the configuration file. **This is not recommended for production environments**.{{< /note >}} | ||
|
|
||
| 2. Restart the NGINX Agent service: | ||
|
|
||
| ```bash | ||
| sudo systemctl restart nginx-agent | ||
| ``` | ||
| ## Insecure Connection | ||
|
|
||
| {{< warning >}}Insecure connections are not recommended for production environments.{{< /warning >}} | ||
|
|
||
| To establish an insecure connection between the NGINX Agent and the management plane server, follow these steps: | ||
|
|
||
| 1. Edit the `/etc/nginx-agent/nginx-agent.conf` file to enable an insecure connection for NGINX Agent. Replace the example values with your own: | ||
|
|
||
| ```yaml | ||
| command: | ||
| server: | ||
| # the server host to connect to in order to send and receive commands e.g. config apply instructions | ||
| host: example.com | ||
| # the server port to connect to in order to send and receive commands e.g. config apply instructions | ||
| port: 443 | ||
| # the type of connection. Currently only "grpc" is supported. | ||
| type: grpc | ||
| ``` | ||
|
|
||
| 2. Restart the NGINX Agent service: | ||
|
|
||
| ```bash | ||
| sudo systemctl restart nginx-agent | ||
| ``` |