Exposing the API Controller for Trace Sources

When using gateway plugins to provide Trace Sources for Panoptica's API Security controller – such as AWS API Gateway, F5 BIG-IP, APIgee X, etc – the plugins need to be able to communicate with the controller, in order to provide visibility into your API traffic. When the gateways are external to the cluster where the API Security controller is running, the controller needs to be exposed externally through a publicly reachable URL.

Follow these steps to manually expose your API Security controller externally, so it can be reached by your external trace sources, and enable Panoptica to monitor run-time activity across your environment.

Controller installed in a cluster

A standard installation of the API Security controller in your cluster would not be exposed externally.

In this situation, when trying to attach an external trace source, the controller name would be grayed-out in the Attach Trace Source dialog box.

Expose API Security controller telemetry endpoint externally

To remedy this, you need to expose the controller telemetry endpoint externally. The endpoint to expose is the one corresponding to the following service:

$ kubectl -n panoptica get service panoptica-apisec-controller  
NAME                          TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)          AGE  
panoptica-apisec-controller   ClusterIP   10.8.1.77    <none>        80/TCP,443/TCP   20m

To achieve this, you need to provide:

The external hostname where the service panoptica-apisec-controller is exposed
A self-signed certificate used to expose the endpoint over TLS. (Optional)
In the absence of a self-signed certificate, Panoptica will assume that the certificate is a public one.

The external hostname and certificate are used to generate the appropriate configurations for the external trace sources (e.g. AWS GW) and need to be provided to the controller as described in the following section.

Provide external hostname and self-signed certificate to API Security controller

This section assumes that

the external hostname is held in an environment variable named APISEC_EXTERNAL_HOSTNAME:

% echo ${APISEC_EXTERNAL_HOSTNAME}
my-apisec-contoller.acme.com

the certificate is contained in a file named ca.crt:

% cat ca.crt  
-----BEGIN CERTIFICATE-----  
EXAMPLE/EXAMPLE/EXAMPLE/AUsJOotp3ux4uSUPuu+2pWcwDQYJKoZIhvcNAQEL  
BQAwHzEdMBsGA1UEAwwUMzQuMTIxLjMwLjI0NC5uaXAuaW8wHhcNMjQwMjA2MTU0  
OTAwWhcNMjYxMTI2MTU0OTAwWjAfMR0wGwYDVQQDDBQzNC4xMjEuMzAuMjQ0Lm5p  
cC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmminl4/bnv5/Cu  
LXB5uKYe0DotWFKzt1IT5DKcSgA75mp3TPPbIyn2NtPGImSQMHdwTzX6oMhNSsRL  
xt6BYpAh5J2ghBVBFNGMGeITVNQD89em67p4J/gUw8s4lKb8/Qt+tjvp9urHmDsn  
AabGogtm9XeeBSPqa1rwHZexCV/Cn8O9oz/lMLsPqEghTPh5hfG+1JRLt2H4UoNC  
OotGuRe/LgKJpL2yGwLRZ0PdraiaRS56zWCo63N4EZnLcAE2CVl/QTjtWKVKxVd0  
r3ueeZfYx0/dk3gSMgx+0q103Us9LPYXLLewLhv7eAmXq/8Z4ljU9A/o0GYgOYYm  
JrlVIWsCAwEAAaNCMEAwHwYDVR0RBBgwFoIUMzQuMTIxLjMwLjI0NC5uaXAuaW8w  
HQYDVR0OBBYEFAyz8TGT71qoWOijy/QcEsG5Y+ICMA0GCSqGSIb3DQEBCwUAA4IB  
AQAwCvaokkWO+Gw24BfXcATycFugqXX5qA6ZOtChsjBouqcA5RwfBn7GGNGs0TZY  
wddvUr9Up2YP3pO8lnFy+g/Ykj90/KIyqGXXWeOF+kQX+M5F5kZRgyU5mkRyqTmE  
+Uhr8jlLIB4KjHT36Iae2igcC0CGwKbZkhPkT5NIhPQRoexDMVtcTaOQc17gp4zG  
uBRLbXJBbOH96NbhaqYgUd9DK9xb7QXT4I37w4/9fj9Y/cWloQT/381Z1e3vGa3Q  
eDPX0JfgCxvc0uLIid3sLaPDBrwuLSyRIamVfRSbKZqRTRImqtAdqKnhoMa6R6GZ  
yRhCgHOQo+LIhHkMB+rPwUWt  
-----END CERTIFICATE-----

Run the following command:

kubectl -n panoptica set env deployment/panoptica-apisec-controller EXTERNAL_HOSTNAME=${APISEC_EXTERNAL_HOSTNAME} EXTERNAL_CERT="$(cat ./ca.crt)"

If successful the environment variable of the API Security Controller should be updated as follows:

aduminuc@ADUMINUC-M-59XM controller-manual-exposure % kubectl -n panoptica set env deployment/panoptica-apisec-controller --list  
# Deployment panoptica-apisec-controller, container apisec-controller  
...  
...  
EXTERNAL_CERT=-----BEGIN CERTIFICATE-----  
EXAMPLE/EXAMPLE/EXAMPLE/AUsJOotp3ux4uSUPuu+2pWcwDQYJKoZIhvcNAQEL  
BQAwHzEdMBsGA1UEAwwUMzQuMTIxLjMwLjI0NC5uaXAuaW8wHhcNMjQwMjA2MTU0  
OTAwWhcNMjYxMTI2MTU0OTAwWjAfMR0wGwYDVQQDDBQzNC4xMjEuMzAuMjQ0Lm5p  
cC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmminl4/bnv5/Cu  
LXB5uKYe0DotWFKzt1IT5DKcSgA75mp3TPPbIyn2NtPGImSQMHdwTzX6oMhNSsRL  
xt6BYpAh5J2ghBVBFNGMGeITVNQD89em67p4J/gUw8s4lKb8/Qt+tjvp9urHmDsn  
AabGogtm9XeeBSPqa1rwHZexCV/Cn8O9oz/lMLsPqEghTPh5hfG+1JRLt2H4UoNC  
OotGuRe/LgKJpL2yGwLRZ0PdraiaRS56zWCo63N4EZnLcAE2CVl/QTjtWKVKxVd0  
r3ueeZfYx0/dk3gSMgx+0q103Us9LPYXLLewLhv7eAmXq/8Z4ljU9A/o0GYgOYYm  
JrlVIWsCAwEAAaNCMEAwHwYDVR0RBBgwFoIUMzQuMTIxLjMwLjI0NC5uaXAuaW8w  
HQYDVR0OBBYEFAyz8TGT71qoWOijy/QcEsG5Y+ICMA0GCSqGSIb3DQEBCwUAA4IB  
AQAwCvaokkWO+Gw24BfXcATycFugqXX5qA6ZOtChsjBouqcA5RwfBn7GGNGs0TZY  
wddvUr9Up2YP3pO8lnFy+g/Ykj90/KIyqGXXWeOF+kQX+M5F5kZRgyU5mkRyqTmE  
+Uhr8jlLIB4KjHT36Iae2igcC0CGwKbZkhPkT5NIhPQRoexDMVtcTaOQc17gp4zG  
uBRLbXJBbOH96NbhaqYgUd9DK9xb7QXT4I37w4/9fj9Y/cWloQT/381Z1e3vGa3Q  
eDPX0JfgCxvc0uLIid3sLaPDBrwuLSyRIamVfRSbKZqRTRImqtAdqKnhoMa6R6GZ  
yRhCgHOQo+LIhHkMB+rPwUWt  
-----END CERTIFICATE-----  
EXTERNAL_HOSTNAME=my-apisec-contoller.acme.com

It is now now possible to attach the external trace source to this controller, as descriped in API Trace Sources.