Agent Configuration Reference
The TigerTrust agent is configured via a YAML file at /etc/tigertrust/agent.yaml.
Agent Identity
agent:
  # Optional; when left empty a UUID is generated automatically.
  id: 'agent-prod-01'
  # Features enabled on this agent.
  capabilities:
    - fs-scan          # filesystem certificate scanning
    - cert-renewal     # certificate renewal via CSR
    - csr-generation   # CSR generation for renewals
    - cert-deploy      # certificate deployment to targets
Collector Connection
collector:
  base_url: 'https://collector.tigertrust.io'
  # This value is the agent's credential for the collector. Prefer supplying it
  # through the TIGERTRUST_API_KEY environment variable (see the override table)
  # instead of a literal here; if it is kept in this file, restrict the file's
  # permissions so only the agent's user can read it.
  api_key: 'ak_your_api_key_here'
  poll_interval: 30   # seconds between task polls
  timeout: 10         # HTTP request timeout; unit not stated here, presumably seconds — confirm
  # Client certificate settings for the collector connection. With enabled: false
  # the three file entries below are presumably unused — confirm how the
  # collector's server certificate is validated in that case.
  tls:
    enabled: false
    cert_file: '/etc/tigertrust/certs/agent.crt'
    key_file: '/etc/tigertrust/certs/agent.key'
    ca_file: '/etc/tigertrust/certs/ca.crt'
Local Discovery
discovery:
  # Certificate discovery on the agent's own filesystem.
  local:
    enabled: true
    # Directories walked for certificate material.
    scan_paths:
      - '/etc/ssl'
      - '/etc/pki/tls/certs'
      - '/etc/nginx/ssl'
      - '/opt/app/certs'
    # Globs are quoted so the leading '*' is not read as a YAML alias.
    include_patterns:
      - '*.pem'
      - '*.crt'
      - '*.cer'
      - '*.der'
      - '*.p12'
      - '*.pfx'
    exclude_patterns:
      - '*.bak'
      - '*.old'
      - '*~'
    max_file_size: 10485760   # bytes (10 MB); larger files are skipped
    # Keeping this false stops the walk from leaving scan_paths through links.
    follow_symlinks: false
    keystore_types:
      - jks
      - pkcs12
    include_ca_certs: false
    include_expired_certs: true
Network Discovery
# NOTE(review): shown here as its own stanza; it presumably sits under
# `discovery:` next to `local:` in the real file — confirm the nesting.
network:
  # Active TLS endpoint probing from the agent host; off by default.
  enabled: false
  cidr_ranges:
    - '192.168.1.0/24'
    - '10.0.0.0/24'
  ports:
    - 443
    - 8443
    - 636
    - 993
    - 995
  scan_timeout: 2000     # milliseconds per host
  max_concurrency: 50    # hosts probed in parallel
  exclude_hosts:
    - '192.168.1.1'
  discover_subnets: false
  # cron expression for scheduled scans; empty means no schedule.
  schedule: ''
Kubernetes Integration
kubernetes:
  enabled: true
  # Empty means the in-cluster configuration is used.
  kubeconfig: ''
  # Only these namespaces are scanned; the agent's service account needs
  # read access to the relevant resources in each of them.
  namespaces:
    - default
    - production
    - staging
  scan_certmanager: true    # cert-manager Certificate resources
  scan_ingress: true        # TLS secrets referenced by Ingress objects
  # Reads every TLS-type secret in the listed namespaces, not just those
  # referenced by an Ingress; widen with care.
  scan_all_secrets: false
Cloud Provider Integration
cloud:
  aws:
    enabled: true
    regions:
      - us-east-1
      - us-west-2
    # Role the agent assumes for scanning; the account id below is a sample
    # value. Scope the role to read-only access on the services enabled here.
    assume_role_arn: 'arn:aws:iam::123456789012:role/TigerTrustAgent'
    scan_acm: true
    scan_secrets_manager: true
    scan_parameter_store: false
  azure:
    enabled: false
    subscription_id: ''
    tenant_id: ''
    client_id: ''
    # Service-principal secret. No environment override is listed for it in
    # the table below, so if it is set here the file must be readable only
    # by the agent's user.
    client_secret: ''
    key_vaults:
      - 'vault-name-1'
      - 'vault-name-2'
  gcp:
    enabled: false
    project_id: ''
    # Path to a service-account credentials file; keep it outside this file
    # and readable only by the agent's user.
    credentials_file: ''
    regions:
      - us-central1
    scan_secret_manager: true
    scan_certificate_manager: true
SSH Key Management
ssh:
  enabled: true
  # Directories searched for SSH key material. /home covers every user's
  # home directory, so the inventory will include user private keys.
  scan_paths:
    - '/home'
    - '/root/.ssh'
    - '/etc/ssh'
  scan_authorized_keys: true
  scan_known_hosts: false
  # NOTE(review): no follow_symlinks option is shown for this stanza — confirm
  # whether the local-discovery setting applies here too.
  key_types:
    - rsa
    - ecdsa
    - ed25519
Deployment Targets
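deployment_targets:
  - name: "nginx-main"
    type: nginx
    enabled: true
    cert_path: "/etc/nginx/ssl/server.crt"
    key_path: "/etc/nginx/ssl/server.key"
    chain_path: "/etc/nginx/ssl/chain.crt"
    # Run by the agent after a certificate is installed, with the agent's own
    # privileges; this config file must therefore be writable only by root.
    reload_command: "systemctl reload nginx"
    owner: "root"
    group: "root"
    mode: "0644"       # certificate and chain files (public material)
    key_mode: "0600"   # private key: owner read/write only
    labels:
      environment: production
      service: web
  - name: "apache-main"
    type: apache
    enabled: true
    cert_path: "/etc/apache2/ssl/server.crt"
    key_path: "/etc/apache2/ssl/server.key"
    reload_command: "systemctl reload apache2"
    # Set explicitly rather than relying on the built-in default, which this
    # reference does not state.
    mode: "0644"
    key_mode: "0600"
  - name: "haproxy-lb"
    type: haproxy
    enabled: true
    # No key_path: the combined PEM presumably carries the private key as well
    # as the certificate (confirm), so the whole file gets the key permission.
    cert_path: "/etc/haproxy/ssl/combined.pem"
    reload_command: "systemctl reload haproxy"
    mode: "0600"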
Key Storage
key_storage:
  type: file   # file or pkcs11
  # Used with type: file. Private keys presumably live here on disk — keep the
  # directory readable by the agent's user only.
  key_store_path: '/var/lib/tigertrust/keys'
  # PKCS#11/HSM settings for type: pkcs11. The PIN is taken from the HSM_PIN
  # environment variable rather than written into this file:
  # pkcs11_library: "/usr/lib/softhsm/libsofthsm2.so"
  # pkcs11_slot_id: 0
  # pkcs11_pin: "${HSM_PIN}"
  # pkcs11_token_label: "tigertrust"
Renewal Settings
renewal:
  # Run each target's reload_command once the renewed certificate is in place.
  auto_reload: true
  key_algorithm: RSA   # RSA, ECDSA or ED25519
  key_size: 2048       # RSA: 2048 or 4096; ECDSA: 256 or 384
  # Copies the files being replaced before installing the new ones. The
  # backups presumably include the old private key — treat backup_path with
  # the same permissions as the key store (confirm).
  backup_before_install: true
  backup_path: '/var/lib/tigertrust/backups'
Logging & Metrics
logging:
  level: info    # one of debug, info, warn, error
  format: json   # json or text
  output: stdout
metrics:
  enabled: true
  # NOTE(review): no bind-address option is shown; confirm which interfaces
  # the metrics endpoint listens on before exposing it beyond localhost.
  port: 9090
  path: '/metrics'
Environment Variable Override
Configuration values can be overridden via environment variables:
| Variable | Config Path |
|---|---|
| TIGERTRUST_API_KEY | collector.api_key |
| TIGERTRUST_COLLECTOR_URL | collector.base_url |
| TIGERTRUST_POLL_INTERVAL | collector.poll_interval |
| TIGERTRUST_LOG_LEVEL | logging.level |
| HSM_PIN | key_storage.pkcs11_pin |