Agent Overview
Introduction
OpsMx Agents give ISD access to managed clusters without weakening the security of the customer's network. ISD may run in a network outside the customer's private network; however, to function it requires credentials that exist only inside that private network, and for security reasons those credentials must not leave it.
In this situation the Agent serves as a delegate (a liaison) inside the customer's private network. Acting on instructions from the Controller, the Agent attaches the credentials the customer supplied during configuration and forwards each request to the appropriate service or cluster (Kubernetes, Jenkins, and so on). Because Agents do not act autonomously, they are lightweight and need minimal resources to operate.
Agent Controller
There are two main components: an Agent and a Controller. The Controller runs outside the customer's private network (typically in the same cluster as ISD), while the Agent runs inside it. The Agent is the secure point of contact between ISD and the customer's network environment, and it is configured to communicate with specific services (Kubernetes, Jenkins, etc.) within the customer's security domain.
Once the Agent is configured, ISD provides its manifest for download. Using that manifest, the customer deploys the Agent inside their own network environment and configures the services it should reach.
ISD receives service information from the Controller and lets a user connect an Agent service to a Spinnaker instance. Connecting an Agent service to a Spinnaker instance exposes per-service health along with overall Agent health.
Agent Security
All communication between the Agent and the Controller uses mutual TLS (mTLS), so each side authenticates the other: the Controller accepts only Agents that present a certificate it issued, and the Agent accepts only a Controller whose certificate chains to the Controller's CA. Agent-side credentials are never transmitted to ISD.
The Controller maintains its own certificate authority. It issues certificates to Agents, and credentials that let Spinnaker identify specific services. All communication is secured with these certificates, which makes the Controller's CA private key the root of the whole trust model.
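The following Go program is an added illustration, not OpsMx code: it builds a small private CA in the role of the Controller's CA, issues a server certificate for the Controller and a client certificate for one Agent, and then runs three loopback mTLS connections with the Controller side configured to require and verify a client certificate. The enrolled Agent is accepted and its certificate subject is what the Controller sees; an Agent that offers no certificate, and an impostor whose certificate carries the same name but was issued by a CA the Controller does not trust, are both refused. All names (controller-ca, agent-prod-cluster, rogue-ca) are made up, and the ECDSA P-256 keys, validity periods and loopback address are choices made for the demonstration, not details of the product.

```go
package main

// Added illustration, not OpsMx code: a private CA in the role of the Controller's CA,
// and loopback mTLS handshakes that admit only an Agent holding a certificate it issued.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CA is a self-signed root plus its signing key; the key never leaves the Controller.
type CA struct {
	Cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	serial int64
}

// check aborts the demo on setup failures (key generation, certificate encoding).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mint generates a P-256 key for tmpl and signs tmpl with parent/parentKey,
// or self-signs it when parent is nil.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func NewCA(cn string) *CA {
	cert, key := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	return &CA{Cert: cert, key: key}
}

// Issue signs a leaf for cn. The Controller's own leaf gets ServerAuth and a loopback
// SAN; an Agent leaf gets ClientAuth only, so it cannot be replayed as a Controller.
func (c *CA) Issue(cn string, server bool) tls.Certificate {
	c.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(c.serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	}
	cert, key := mint(tmpl, c.Cert, c.key)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
}

// Handshake runs one loopback connection. The Controller side requires a client
// certificate chaining to pool; the Agent side pins pool and offers clientCerts.
// It returns the Agent CN the Controller verified, or the Controller-side error.
func Handshake(pool *x509.CertPool, serverCert tls.Certificate, clientCerts []tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{serverCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var cn string
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			tc := conn.(*tls.Conn)
			if err = tc.Handshake(); err == nil {
				cn = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		MinVersion: tls.VersionTLS13, RootCAs: pool, Certificates: clientCerts,
	})
	if err == nil {
		// In TLS 1.3 the server's verdict on the client certificate arrives after the
		// client's own handshake completes; one Read surfaces it (or EOF on success).
		_, _ = conn.Read(make([]byte, 1))
		conn.Close()
	}
	err = <-done
	return cn, err
}

// Demo enrolls one Agent, then makes three connection attempts to the Controller:
// the enrolled Agent, an Agent with no certificate, and an impostor whose certificate
// carries the same CN but was issued by a CA the Controller never trusted.
func Demo() (agentCN string, agentErr, noCertErr, impostorErr error) {
	ctrl, rogue := NewCA("controller-ca"), NewCA("rogue-ca")
	server := ctrl.Issue("controller", true)
	agent, impostor := ctrl.Issue("agent-prod-cluster", false), rogue.Issue("agent-prod-cluster", false)
	pool := x509.NewCertPool()
	pool.AddCert(ctrl.Cert)
	agentCN, agentErr = Handshake(pool, server, []tls.Certificate{agent})
	_, noCertErr = Handshake(pool, server, nil)
	_, impostorErr = Handshake(pool, server, []tls.Certificate{impostor})
	return
}

func main() {
	cn, agentErr, noCertErr, impostorErr := Demo()
	fmt.Printf("enrolled agent %q: err=%v\nno certificate: %v\nuntrusted CA: %v\n", cn, agentErr, noCertErr, impostorErr)
}
```

Two design points are worth noticing. The Agent pins the Controller's CA as its only root, so it refuses any Controller whose certificate does not chain to that CA, and the Agent's own leaf carries only the ClientAuth extended key usage, so a stolen Agent certificate cannot be turned around to impersonate a Controller. In the impostor case Go's client typically sends no certificate at all, because the Controller's CertificateRequest names the CA it accepts and the impostor's chain does not match it, so the Controller-side error reads the same as for an Agent with no certificate; the refusal is what matters.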
Architecture Diagram