Configure Comply TLS certificates for a custom NGINX ingress

You need to generate certificates for Comply in Puppet Enterprise (PE) to enable automatic upgrades of the CIS-CAT assessor and for tasks to upload reports.

Before you begin
Make sure you have configured Comply in Puppet Application Manager (PAM) and you have followed the instructions in Configure Comply for a custom NGINX ingress (online environment) or Configure Comply for a custom NGINX ingress (offline environment) as appropriate to your implementation.
This process involves generating certificates in Puppet Enterprise (PE) and setting up Mutual Transport Layer Security (MTLS) in Puppet Application Manager (PAM). MTLS enables a secure authenticated connection between your nodes and Comply.

Certificates are required when setting up Comply for the following interactions:

  • Interactions between Comply and PE. Interactions between Comply and PE require correct configuration of the CA certificate. Any issues with the CA certificate with regard to communication between Comply and PE result in an error on the Comply UI.
  • Agent runs. If you have set up the Comply module to download the assessor from the Comply server (as opposed to being hosted locally) then the assessor is downloaded using MTLS with the client certificate from the node. The Comply mtls-proxy component requires the configured TLS and CA certificate.
  • Scan task runs. Running a scan sends reports back into Comply via an HTTP POST. This POST goes through the mtls-proxy and uses MTLS with the client certificate from the node.

Configuring Comply TLS certificates involves first generating the certificates in Puppet Enterprise (PE) and then setting up MTLS in PAM. MTLS enables a secure authenticated connection between your nodes and Comply.

For information on troubleshooting problems with certificates, see Troubleshooting TLS issues in Comply.

  1. SSH into your PE primary server and generate the certificates: 
    puppetserver ca generate --certname <COMPLY-HOSTNAME>
    This command does the following:
    • Saves the private key to /etc/puppetlabs/puppet/ssl/private_keys/<COMPLY-HOSTNAME>.pem
    • Saves the certificate to /etc/puppetlabs/puppet/ssl/certs/<COMPLY-HOSTNAME>.pem
  2. Log in to Puppet Application Manager, click the Version history tab, and click Check for update.
  3. Click the Config tab, and scroll down to Transport layer security (TLS) certificates to interact with PE.
  4. Select Use an ingress with a hostname.
  5. Enter the fully-qualified domain name in the PE TLS hostname field using the same fully-qualified domain name that you used to generate the TLS certificates.
    Important: The fully-qualified domain name in the PE TLS hostname field MUST be different from that used in the Hostname field in the Required set-up area.
  6. Check that the following annotations are in the SSL Passthrough Annotation field and add them if not: 
    kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    Note: If you are not using NGINX, replace these annotations with those specific to your chosen ingress controller. For example, add OpenShift as an MLTS proxy for PE certificates.
  7. Enter the hostname of you PE instance in the PE hostname field to enable validation of the keys and certificates added in the next step.
  8. Copy the signed certificate public key, the private key files, and the CA certificate, to the following locations:
    • Paste the contents of /etc/puppetlabs/puppet/ssl/certs/<COMPLY-HOSTNAME>.pem to the TLS certificate field.
    • Paste the contents of /etc/puppetlabs/puppet/ssl/private_keys/<COMPLY-HOSTNAME>.pem to the TLS private key field.
    • Paste the contents of /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem to the CA certificate field.
  9. Click Save Config.
  10. Monitor the new version's preflight checks. The Running Checks indicator is shown on the screen while Comply checks your system to make sure your cluster meets minimum system requirements. When the preflight check is complete:
    • If the status is Checks Failed, click View preflights. Correct the issues and click Re-run. Repeat this step as needed.
      Important: Do not move on until all preflight checks pass.

    If the status is Ready to Deploy, move on to the next step.

  11. The nginx-ingress controller configuration is configured with the --enable-ssl-passthrough setting disabled by default. This feature is required to enable passthrough in Ingress controller, allowing for the connection to be accepted by the application backends.
    1. To edit the configuration inline with the running configuration, execute: 
      kubectl edit deployment -n <namespace> <ingress-controller>
    2. Find the spec: configuration section in the ingress-nginx-deployment.yaml and append - --enable-ssl-passthrough under containers: -args. For example: 
      apiVersion: apps/v1
kind: Deployment
metadata:
 [...]
spec:
      containers:
      - args:
        [...]
        - --enable-ssl-passthrough
What to do next
Install the comply module.