Installation and Administration Guide

Create a PKI Infrastructure

The following steps take place outside the platform's user interface and will most likely be carried out by a system administrator or infrastructure engineer.

Both the data agent and the data proxy require a key infrastructure to authenticate with the control plane. The platform uses a private/public key pair mechanism for authentication, in the same way you would authenticate to, for example, GitHub.

Before deployment, you must generate a private/public key pair for each service. You then configure the data plane components with the private key and inform the control plane of the public key.

First, create a public/private key pair for the data agent:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ./rsa-private.pem
openssl rsa -pubout -in ./rsa-private.pem -out ./rsa-public.pem

In this guide, we use the same private/public key pair for both the data agent and the data proxy. In production, use separate key pairs.

You will also need a copy of the public certificate used by the control plane. Use the following command to grab the certificate file from your control plane:

kubectl get secret dpp-control-plane-tls-ingress-cert -n istio-system -o jsonpath='{.data.tls\.crt}' | base64 --decode > ./control-plane.crt
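
The following script is an added example, not part of the original guide or the platform's own tooling: it generates a separate key pair per service, as recommended for production, and checks that each private key matches its public key, is at least 2048 bits, and is not accessible to group or others. It also includes a check that a fetched certificate file is non-empty and unexpired, because the redirect in the command above creates ./control-plane.crt even when the kubectl lookup fails. The service names data-agent and data-proxy, the file naming and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example. Service names, file naming and temp directory are assumptions.

gen_keypair() {                 # $1 = directory, $2 = service name
    ( umask 077                 # files are created readable by their owner only
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$1/$2-private.pem" 2>/dev/null &&
      openssl rsa -pubout -in "$1/$2-private.pem" \
          -out "$1/$2-public.pem" 2>/dev/null )
}

keypair_matches() {             # $1 = private key, $2 = public key
    derived=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    stored=$(openssl pkey -pubin -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

key_bits() {                    # prints the RSA modulus size in bits
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

private_key_locked_down() {     # true when group and others have no access
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

cert_is_current() {             # $1 = PEM certificate, e.g. ./control-plane.crt
    [ -s "$1" ] && openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

check_service() {               # $1 = directory, $2 = service name
    keypair_matches "$1/$2-private.pem" "$1/$2-public.pem" &&
    [ "$(key_bits "$1/$2-private.pem")" -ge 2048 ] &&
    private_key_locked_down "$1/$2-private.pem"
}

# Demo in a throwaway directory: one pair per service, then verify each.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
for svc in data-agent data-proxy; do
    gen_keypair "$work" "$svc" && check_service "$work" "$svc" &&
        echo "$svc: key pair OK"
done
# The two services must not share a key.
cmp -s "$work/data-agent-public.pem" "$work/data-proxy-public.pem" ||
    echo "data-agent and data-proxy keys are distinct"
```

Run cert_is_current ./control-plane.crt after the kubectl command; a non-zero exit status means the file is empty, not a certificate, or already expired.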