Administrative tasks Innovation Release
To configure the agent, users need access to some resources that they can’t obtain by themselves. However, these resources are available to administrators, as they have the rights and permissions to configure certificate and host-related settings while installing Hybrid Manager (HM) or after.
What is the beacon_server?
To configure the agent, users must set the beacon_server value in the beacon_agent.yaml file. This is a string consisting of two values: host and port.
The host is the URL provided in the Helm chart configuration file used for installation, or in values.yaml. Look up the value set for upm-beacon.server_host (or BEACON_SERVICE_DOMAIN_NAME) to obtain the URL. The port is fixed as 9443.
What is the root certificate authority (CA)?
The agent makes a secure connection to the beacon_server URL using TLS. You therefore need the machine on which the agent is running to trust the server certificate provided by beacon_server.
Generally, this trust is already managed by your organization's existing security infrastructure. The certificate authority (CA) responsible for signing your internal server certificates must be configured as a trusted CA across your network. This ensures that servers within your environment, including the one running the agent, inherently trust certificates issued by this CA.
If this isn't the case, users can set the root_ca_path value in the beacon_agent.yaml file. This is the directory where the user stored the root certificate that can validate the EDB Postgres AI Platform server certificate. However, non-admin users don’t have access to the certificate, so you need to provide it to them.
To see the Kubernetes secret containing the root certificate:
```shell
# The certificate is base64 encoded as the data field "public.crt"
kubectl get secret -n upm-beacon beaconator-ca-bundle -o json
```
For a more readable output that prints only the root certificate, ensure you have jq and base64 installed and run:
```shell
# If `jq` and `base64` are available
kubectl get secret -n upm-beacon beaconator-ca-bundle -o json | jq -r '.data."public.crt"' | base64 --decode
```
This command outputs the contents of the certificate. Send the contents to the user who requires them through a secure channel. The user must store the certificate locally in crt format.
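The hand-off described above can be checked end to end by comparing certificate fingerprints on both sides. The following is an added example, not EDB's own tooling: the function names are hypothetical, the secret JSON is assumed to be the saved output of the kubectl command above, and the sample secret is constructed from placeholder bytes rather than a real certificate.

```python
from __future__ import annotations

import base64
import hashlib
import json
import ssl

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def ca_pem_from_secret(secret_json: str) -> str:
    """Decode the "public.crt" data field of the beaconator-ca-bundle secret."""
    data = json.loads(secret_json).get("data") or {}
    if "public.crt" not in data:
        raise KeyError('secret has no data field "public.crt"')
    pem = base64.b64decode(data["public.crt"], validate=True).decode("ascii")
    if "PRIVATE KEY" in pem:  # only the public certificate should be handed out
        raise ValueError("field contains private key material; do not distribute")
    return pem


def sha256_fingerprints(pem: str) -> list[str]:
    """One SHA-256 digest (over the DER bytes) per certificate in the PEM text."""
    blocks = [b[b.index(BEGIN):] + END for b in pem.split(END) if BEGIN in b]
    if not blocks:
        raise ValueError("no PEM certificate found")
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest() for b in blocks]


def received_copy_matches(received_pem: str, admin_fingerprints: list[str]) -> bool:
    """User-side check: the file that arrived is what the admin extracted."""
    return sha256_fingerprints(received_pem) == admin_fingerprints


def constructed_secret(der: bytes) -> str:
    """Constructed stand-in for the kubectl JSON; `der` is placeholder bytes."""
    pem = f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"
    field = base64.b64encode(pem.encode()).decode()
    return json.dumps({"kind": "Secret", "data": {"public.crt": field}})


if __name__ == "__main__":
    pem = ca_pem_from_secret(constructed_secret(b"constructed placeholder bytes"))
    fprs = sha256_fingerprints(pem)  # admin: share these over a second channel
    print("\n".join(fprs))
    altered = ca_pem_from_secret(constructed_secret(b"different bytes"))
    print(received_copy_matches(pem, fprs), received_copy_matches(altered, fprs))
```

For a real certificate, each digest is the same value that `openssl x509 -noout -fingerprint -sha256` reports, without the colons and in lowercase.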