Version: v2.x

Certificates for single container sidecar deployments

You can use Cyral's default sidecar-created certificate or use a custom certificate to secure the communications between the Cyral control plane and the sidecar.

Managing the sidecar-created certificate

Single container sidecars by default store the sidecar-created certificate in local memory. You may wish to manage the certificate in a secrets manager service such as AWS Secrets Manager instead. In that case, point the sidecar to the secret location with the environment variables CYRAL_CERTIFICATE_MANAGER_SELFSIGNED_SECRET_TYPE and CYRAL_CERTIFICATE_MANAGER_SELFSIGNED_SECRET_ID. For example, to use AWS Secrets Manager, set the variables as follows:

CYRAL_CERTIFICATE_MANAGER_SELFSIGNED_SECRET_TYPE=aws
CYRAL_CERTIFICATE_MANAGER_SELFSIGNED_SECRET_ID=arn:aws:secretsmanager:us-east-1:111111111111:secret:my-self-signed-certificate

For AWS, the sidecar needs permission for the IAM actions secretsmanager:GetSecretValue and secretsmanager:UpdateSecret on the secret resource. For Kubernetes, the sidecar needs get and patch permissions on the secret resource. The update (or patch) permission covers the case where the secret is empty: the sidecar then fills it with the self-signed certificate it creates.
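The AWS permissions described above, written as a least-privilege IAM policy scoped to the secret ARN from the configuration example, together with a small check that a given policy grants exactly the two required actions on that secret and no wildcard access. This is an added example, not Cyral's documentation or code: the policy document and the check_policy function are constructed here for illustration.

```python
import json

# Constructed example: the secret ARN used in the configuration above.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:my-self-signed-certificate"

# The two actions the sidecar needs on the secret.
REQUIRED_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:UpdateSecret"}

# Least-privilege policy: only the required actions, only on the one secret.
SIDECAR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": SECRET_ARN,
        }
    ],
}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def check_policy(policy, secret_arn, required=REQUIRED_ACTIONS):
    """Return (ok, problems): ok is True when every required action is allowed
    on secret_arn and no Allow statement uses a global or service-wide wildcard."""
    problems = []
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            problems.append("wildcard action in statement")
        if "*" in resources:
            problems.append("wildcard resource in statement")
        if secret_arn in resources or "*" in resources:
            granted.update(actions)
    missing = required - granted
    if missing:
        problems.append("missing actions: " + ", ".join(sorted(missing)))
    return (not problems, problems)


if __name__ == "__main__":
    print(json.dumps(SIDECAR_POLICY, indent=2))
    print(check_policy(SIDECAR_POLICY, SECRET_ARN))
```

The check only flags full wildcards (`*` or `service:*`); partial action globs such as `secretsmanager:Get*` would need proper glob matching to evaluate.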