3.7.0
What's New in ioFog 3.7.0?Core ConceptsArchitectureQuick Start With Local Deployment
IntroductionDownloadGetting FamiliarResource ManagementConnect/DisconnectLegacy
CLI Reference
iofogctliofogctl attachiofogctl attach agentiofogctl attach edge-resourceiofogctl attach execiofogctl attach exec agentiofogctl attach exec microserviceiofogctl attach volume-mountiofogctl completioniofogctl completion bashiofogctl completion fishiofogctl completion powershelliofogctl completion zshiofogctl configureiofogctl connectiofogctl createiofogctl create namespaceiofogctl deleteiofogctl delete agentiofogctl delete alliofogctl delete application-templateiofogctl delete applicationiofogctl delete catalogitemiofogctl delete certificateiofogctl delete configmapiofogctl delete controlleriofogctl delete edge-resourceiofogctl delete microserviceiofogctl delete namespaceiofogctl delete nats-account-ruleiofogctl delete nats-user-ruleiofogctl delete registryiofogctl delete roleiofogctl delete rolebindingiofogctl delete secretiofogctl delete serviceiofogctl delete serviceaccountiofogctl delete volume-mountiofogctl delete volumeiofogctl deployiofogctl describeiofogctl describe agent-configiofogctl describe agentiofogctl describe application-templateiofogctl describe applicationiofogctl describe certificateiofogctl describe configmapiofogctl describe controlleriofogctl describe controlplaneiofogctl describe edge-resourceiofogctl describe microserviceiofogctl describe namespaceiofogctl describe nats-account-ruleiofogctl describe nats-accountiofogctl describe nats-user-ruleiofogctl describe nats-useriofogctl describe registryiofogctl describe roleiofogctl describe rolebindingiofogctl describe secretiofogctl describe serviceiofogctl describe serviceaccountiofogctl describe system-microserviceiofogctl describe volume-mountiofogctl describe volumeiofogctl detachiofogctl detach agentiofogctl detach edge-resourceiofogctl detach execiofogctl detach exec agentiofogctl detach exec microserviceiofogctl detach volume-mountiofogctl disconnectiofogctl execiofogctl exec agentiofogctl exec microserviceiofogctl getiofogctl legacyiofogctl logsiofogctl moveiofogctl move agentiofogctl move microserviceiofogctl natsiofogctl nats accountsiofogctl nats accounts ensureiofogctl nats operatoriofogctl nats operator describeiofogctl nats usersiofogctl nats users create-mqtt-beareriofogctl nats users createiofogctl nats users credsiofogctl nats users delete-mqtt-beareriofogctl nats users deleteiofogctl pruneiofogctl prune agentiofogctl rebuildiofogctl rebuild microserviceiofogctl rebuild system-microserviceiofogctl renameiofogctl rename agentiofogctl rename applicationiofogctl rename controlleriofogctl rename edge-resourceiofogctl rename microserviceiofogctl rename namespaceiofogctl rollbackiofogctl startiofogctl start applicationiofogctl start microserviceiofogctl stopiofogctl stop applicationiofogctl stop microserviceiofogctl upgradeiofogctl versioniofogctl view
IntroductionPrepare Your NetworkPrepare Realm and OIDC ClientKeycloak DeploymentPrepare Your Remote HostsRemote Control PlaneKubernetes Prepare ClusterExternal Database DeploymentKubernetes iofogctlSetup Your AgentsAirgap Deployment
Securing ClusterRolesRole BindingsCertificates ManagerNATs Account RuleNATs User RuleNATs JWT Authentication
IntroductionAgent ConfigurationAttach/DetachVolumesDocker Image PruningUpgrade/Rollback
IntroductionApplication TemplatesMicroservice Lifecycle ManagementMicroservice LogsMicroservice Move/RenameMicroservice Registry Catalog
YAML KindsControl PlaneAgentApplicationApplication TemplateRegistryCatalogOfflineImageSecretCertificateConfigMapVolumeMountServiceRoleRoleBindingNatsAccountRuleNatsUserRule
ECN Viewer
OverviewConfigurationREST API
OverviewCLI UsageLocal APIConfigurationAgent Logs
HALREST Blue
GuidelinesCode of Conduct

Built-in Certificate Manager

The Eclipse ioFog Controller includes a built-in X.509 certificate manager for creating and managing TLS certificates and certificate authorities (CAs).

Example: CA from an existing secret and a certificate signed by it. Define a Secret with your CA/key material, then a CertificateAuthority that references it, then a Certificate that uses that CA:

---
apiVersion: iofog.org/v3
kind: Secret
metadata:
  name: test-authority
spec:
  type: tls
data:
  tls.crt: # base64 encoded string 
  tls.key: # base64 encoded string
  ca.crt: # base64 encoded string

---
apiVersion: iofog.org/v3
kind: CertificateAuthority
metadata:
  name: test-authority
spec:
  type: direct
  secretName: test-authority

---
apiVersion: iofog.org/v3
kind: Certificate
metadata:
  name: test-certificate
spec:
  subject: "test-server-cert"
  hosts: "x.x.x.x"
  expiration: 36
  ca:
    type: direct
    secretName: test-authority

Example: Self-signed CA and a certificate. Create a CertificateAuthority with type: self-signed, then a Certificate that references it via ca.secretName:

---
apiVersion: iofog.org/v3
kind: CertificateAuthority
metadata:
  name: self-ca
spec:
  subject: self-ca
  type: self-signed
  expiration: 36

---
apiVersion: iofog.org/v3
kind: Certificate
metadata:
  name: test-server
spec:
  subject: "test-server"
  hosts: "x.x.x.x"
  expiration: 36
  ca:
    type: direct
    secretName: test-ca

When you create a certificate, the Controller automatically creates a TLS-type Secret. You can reference this secret in a VolumeMount and attach that VolumeMount to a Microservice. The Agent is notified when volumes change, pulls the volume content locally, and mounts it into the microservice container.

---
apiVersion: iofog.org/v3
kind: VolumeMount
metadata:
  name: test-server-cert
spec:
  secretName: test-server

---
apiVersion: iofog.org/v3
kind: Microservice
metadata:
  name: foo
spec:
  agent:
    name: bar
  images:
    ...
  container:
    ...
    volumes:
      - hostDestination: test-server-cert
        containerDestination: /etc/cert/test
        accessMode: ro
        type: volumeMount

Certificates for Router and NATs

Router and NATs instances in Eclipse ioFog are secured by default with TLS. For Router and NATs instances running on ioFog Agents, the Controller automatically generates TLS certificates and binds the corresponding VolumeMounts.

For a Kubernetes ControlPlane, the Operator generates server certificates for Router and NATs instances on the control plane. The Controller obtains CA certificates from Kubernetes Secrets and manages TLS for Router and NATs instances running on ioFog Agents.

For full control plane deployment options (including NATs and Router images and replicas), see the Control Plane YAML Specification, Kubernetes Helm, and Kubernetes iofogctl.