When the Flexera Kubernetes inventory agent is configured for HTTPS protocol, it uses the standard bundle of trusted Certificate Authorities (CA) as distributed by Mozilla. However, if the beacon server's upload endpoint certificate is signed by an unrecognized authority internal to your organization, it won't be validated, causing an SSL error.

If you are having SSL issues with the Flexera Kubernetes inventory agent, you can look at the uploader log using the following Kubernetes agent command:

kubectl exec -n flexera krm-instance-monitor-0 -- cat /var/opt/managesoft/log/uploader.log

The uploader logs will show the following information if your CA is not validated:

Uploading file 'k8s-inventory-12345678-20221026T131026.ndi' to 
'https://myorg.beacon.com/ManageSoftRL/Inventories'
Error 0xE1BBFC14: OpenSSL error 0xFC14: unable to get local issuer certificate
Error 0xE050044D: Failed to create remote directory /ManageSoftRL
Error 0xE0690099: Specified remote directory is invalid, or could not be created 
 ERROR: Remote directory is invalid

Generally, in this scenario, you can copy the CA certificates that you want to be validated by the beacon to /var/opt/managesoft/etc/ssl/cert.pem, but another approach must used with the Flexera Kubernetes inventory agent. Follow the steps below to allow validation of custom CA certificates.

Use custom CA Certificates with the Flexera Kubernetes inventory agent

1. Verify you have at least version 1.3.0 of the Flexera Kubernetes inventory agent installed. You can use the following command to check for the version:
   

   kubectl get deployments --namespace flexera ​

2. Prepare a single certificate file that combines all required client-side certificates for validating the server-side certificates. This must be named: cert.pem
3. Save the certificate file in a volume that will be mounted into the containers where the Flexera Kubernetes inventory agent will operate. Use the following command as an example:
   

   kubectl create secret generic myorg-certificates 
   --namespace flexera --from-file=cert.pem

4. Configure the YAML file referencing the volume using the spec.monitor.tlsFiles attribute. For example:

   apiVersion: agents.flexera.com/v1
   kind: KRM
   spec:
     monitor:
       tlsFiles:
         secret:
           secretName: myorg-certificates

For more details, see Supporting Custom Certificates for HTTPS in the IT Asset Management Online Help.