Click on the desired cloud provider and follow the installation and configuration instructions:
Follow the steps below to install and configure an agent within your Amazon Web Services (AWS) environment.
Follow the Create an Agent guide to define an agent and generate the bootstrap config file that will be used in step two.
Control Plane Secure Communications Agent within the AWS Marketplace. For the ARM version of the agent, click here.
Click the Continue to Subscribe button in the upper right corner.
Click Accept Terms.
Click the Continue to Configuration button in the upper right corner.
Click the region pull-down and select the region where your AWS resources reside.
Click the Continue to Launch button in the upper right corner.
Click the Choose Action pull-down and select Launch through EC2. Click the Launch button.
The Launch an instance wizard will be displayed.
Under the Name and tag section, enter the agent's name (e.g., cpln-agent).
Under the Instance type section, select an applicable instance type. Refer to the Agent Sizing Guidance page for additional details on which instance type to select.
Optional: Under the Key pair (login) section, select or create a new key pair to enable SSH access to the agent. A key pair is necessary only for accessing the agent during troubleshooting. If you do not have an AWS key pair created, the console will help you to create one.
Since the agent instance will never need to be connected to (except for troubleshooting), you may proceed without a key pair.
Under the Network setting section, review the details and verify that the selected VPC is the same VPC as the AWS resource you are trying to access. For the agent to properly connect to the Control Plane servers, it requires outbound Internet access.
Verify that the Auto-assign Public IP option is set to Enable.
If your requirements do not allow the instance to have a public IP, please review the section How do instances without public IP addresses access the Internet in this AWS FAQ.
Either create a security group or select an existing one. The security group of each resource that the agent needs to access must have the agent's security group added to its list of allowed inbound traffic.
Initially, clear the checkbox for the "Allow SSH from" property. SSH access is only necessary for troubleshooting purposes. Control Plane will never need to connect directly to the agent.
Under the Configure storage section, click the Advanced link and expand the volume property. Modify the Delete on termination dropdown to Yes. This will ensure the associated volume is removed if the agent is terminated, thereby preventing any orphaned volumes.
Expand the Advanced details section. Scroll to the bottom and paste the contents of the JSON payload generated in step one within the User data textbox.
Please review the other properties in this section to check if any default values need to be modified.
Click Launch instance in the lower right corner.
After a brief moment, the instance will launch and be ready to process requests.
Now that you have an agent configured and running, it can be used within an identity to allow your workload to connect to your internal AWS resources.
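The two security group checks from the network settings step can be verified after launch. The script below is an added example, not part of the Control Plane documentation: it reads output in the shape returned by `aws ec2 describe-security-groups`, and the group IDs (`sg-agent`, `sg-db`, `sg-cache`) and CIDR ranges are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output;
# the group IDs and CIDR ranges are made up.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-agent", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-agent"}]}]},
  {"GroupId": "sg-cache", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]}
]}""")

def covers_ssh(rule):
    """True if an inbound rule covers TCP 22 ("-1" means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= 22 <= rule["ToPort"]

def audit(described, agent_sg, resource_sgs):
    """Return (group, finding, sources) tuples for the agent and resource groups."""
    groups = {g["GroupId"]: g for g in described["SecurityGroups"]}
    findings = []
    # SSH to the agent is for troubleshooting only, so flag any rule that allows it.
    for rule in groups[agent_sg].get("IpPermissions", []):
        if covers_ssh(rule):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            sources += [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]
            sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
            findings.append((agent_sg, "ssh-inbound", sorted(sources)))
    # Each resource's group must list the agent's group as an inbound source.
    for sg in resource_sgs:
        allowed = {p["GroupId"] for rule in groups[sg].get("IpPermissions", [])
                   for p in rule.get("UserIdGroupPairs", [])}
        if agent_sg not in allowed:
            findings.append((sg, "agent-not-allowed", []))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "sg-agent", ["sg-db", "sg-cache"]):
        print(finding)
```

A resource group that admits the agent only by CIDR range, such as `sg-cache` in the sample, is reported because the page asks for the agent's security group itself to be the allowed source.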
Follow the steps below to install and configure an agent within your Microsoft Azure environment.
Follow the Create an Agent guide to define an agent and generate the bootstrap config file that will be used in step two.
Marketplace icon.
Control Plane Secure Communications Agent
Enter.
Create dropdown, select gen-1.
Create a virtual machine wizard:
Control-Plane-Agent-01. If installing multiple agents, increment the number.
No infrastructure redundancy required. Use a different option for your environment if you are running in production.
gen-1.
SSH public key.
azureuser.
None. The agent does not need any inbound ports open.
Next: Disks.
Premium SSD.
(Default) Encryption at-rest with a platform-managed key.
Next: Networking.
None.
Basic.
None.
Next: Management.
Enable with managed storage account.
Image default.
Next: Advanced.
Next: Tags.
Next: Review + create.
Create.
Download private key and create resource.
.The agent virtual machine will begin the deployment process. After a few moments, the agent will be running, connecting to the Control Plane servers, and ready to process requests.
Now that you have an agent configured and running, it can be used within an identity to allow your workload to connect to your internal Azure resources.
Follow the steps below to install and configure an agent within your Google Cloud Platform (GCP) environment.
Follow the Create an Agent guide to define an agent and generate the bootstrap config file that will be used in step two.
gcloud init.
INSTANCE_NAME and the bootstrap file (AGENT_NAME-bootstrapConfig.json) that was created in step one.
gcloud compute instances create INSTANCE_NAME --image controlplane-agent-1398-958088785-43dce8055 --image-project cpln-build --metadata-from-file=user-data=AGENT_NAME-bootstrapConfig.json
Refer to the Agent Sizing Guidance page for additional details on which machine type to select.
Add the flag --machine-type=MACHINE_TYPE to the command above to select a different type. Otherwise, the default type is n1-standard-1.
By default, the GCP firewall rules open the common SSH, RDP, and ICMP ports to the world and allow all internal ports within the VPC. The agent does not need any of these ports open.
At a minimum, the agent needs to be able to connect to your GCP resources and the Internet.
Now that you have an agent configured and running, it can be used within an identity to allow your workload to connect to your internal GCP resources.
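To see which of the default rules described above actually reach the agent instance, the added example below (not from the Control Plane documentation) filters rules in the shape produced by `gcloud compute firewall-rules list --format=json`. The sample rules are constructed, and the network tag `cpln-agent` and the `web-only` rule are assumptions for illustration.

```python
import json
# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
RULES = json.loads("""[
 {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "default-allow-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
 {"name": "default-allow-icmp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "icmp"}]},
 {"name": "default-allow-internal", "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
 {"name": "web-only", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["web"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-443"]}]}
]""")

CHECKS = (("ssh", "tcp", 22), ("rdp", "tcp", 3389), ("icmp", "icmp", None))

def allows(entry, proto, port):
    """True if one `allowed` entry permits proto/port (no ports listed = all ports)."""
    if entry["IPProtocol"] == "all":
        return True
    if entry["IPProtocol"] != proto:
        return False
    specs = entry.get("ports")
    if port is None or not specs:
        return True
    ranges = (s.partition("-") for s in specs)
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def applies_to(rule, tags, service_account):
    if "targetTags" in rule:
        return bool(set(rule["targetTags"]) & set(tags))
    if "targetServiceAccounts" in rule:
        return service_account in rule["targetServiceAccounts"]
    return True  # no target: the rule applies to every instance on the network

def world_open(rules, tags=(), service_account=None):
    """List (rule, service) pairs open to the Internet that reach the agent instance."""
    hits = []
    for rule in rules:
        if (rule.get("direction") != "INGRESS" or rule.get("disabled")
                or "0.0.0.0/0" not in rule.get("sourceRanges", [])
                or not applies_to(rule, tags, service_account)):
            continue
        hits += [(rule["name"], svc) for svc, proto, port in CHECKS
                 if any(allows(e, proto, port) for e in rule.get("allowed", []))]
    return hits

if __name__ == "__main__":
    print(world_open(RULES, tags=("cpln-agent",)))
```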
Follow the steps below to install and configure an agent within your private network.
Follow the Create an Agent guide to define an agent and generate the bootstrap config file that will be used in step two.
cpln agent up --bootstrap-file=PATH/AGENT_NAME-bootstrapConfig.json
If you are using Windows, follow these instructions:
cpln command above using a Windows command prompt and not using WSL.
Now that you have an agent configured and running, it can be used within an identity to allow your workload to connect to your local resources.
An agent that is run locally runs within a local Docker container. When configuring an identity network resource, you must use the IP of the network adapter that Docker installed on the local machine.
Follow the steps below to install and configure an agent within your k8s cluster.
Follow the Create an Agent guide to define an agent and generate the bootstrap config file that will be used in step two.
cpln agent manifest --bootstrap-file bootstrap.json --namespace NAMESPACE --replicas 2 --cluster CLUSTER_ID > manifest.yaml
# inspect/modify the manifest file manually, if needed.
kubectl apply -f manifest.yaml
cpln will generate the manifest.yaml file that will deploy two replicas of the agent to the namespace of your choice (NAMESPACE in the example). The parameter --cluster CLUSTER_ID will be added to the agent's status, which is used as a hint to know which cluster an agent has been deployed to.
It is recommended to use --replicas=2 for high availability (HA).
On startup, the agent will generate a public/private key-pair which is persisted as a k8s secret. In this scenario, the agents run under a k8s service account, which can create/modify secrets in its own namespace. If this is a concern, the agent can be configured to run in a dedicated namespace.
Now that you have an agent configured and running, it can be used within an identity to allow your workload to connect to your local resources.