Agent Deployment
This guide covers deployment options for the TigerTrust agent across different environments.
Deployment Architecture
```
┌─────────────────────────────────────────────────────────────┐
│                     Your Infrastructure                     │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐         │
│  │ Agent 1 │  │ Agent 2 │  │ Agent 3 │  │ Agent N │         │
│  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘         │
│       │            │            │            │              │
│       └────────────┴─────┬──────┴────────────┘              │
│                          │ HTTPS (Outbound Only)            │
└──────────────────────────┼──────────────────────────────────┘
                           │
                           ▼
             ┌───────────────────────────┐
             │   TigerTrust Collector    │
             │ (collector.tigertrust.io) │
             └───────────────────────────┘
```
Linux Deployment
Binary Installation
```bash
# Download
curl -LO https://releases.tigertrust.io/agent/latest/tigertrust-agent-linux-amd64

# Install
chmod +x tigertrust-agent-linux-amd64
sudo mv tigertrust-agent-linux-amd64 /usr/local/bin/tigertrust-agent

# Create config directory
sudo mkdir -p /etc/tigertrust
sudo vim /etc/tigertrust/agent.yaml

# Create key storage directory
sudo mkdir -p /var/lib/tigertrust/keys
sudo chmod 700 /var/lib/tigertrust/keys
```
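The steps above install the downloaded binary as root without checking its integrity. The following is an added example, not part of the TigerTrust documentation, that gates the install on a SHA-256 match. The function names are hypothetical, and the expected digest is a placeholder the operator must obtain from the vendor out of band, since this page does not publish one.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. The expected digest is a value the operator
# obtains from the vendor out of band; this page does not publish one.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verified_install FILE EXPECTED_SHA256 DEST
# Installs FILE to DEST with mode 0755 only when the digest matches.
# Returns 1 and leaves DEST untouched on a malformed digest or a mismatch.
verified_install() {
    vi_file=$1; vi_expected=$2; vi_dest=$3
    case "$vi_expected" in
        ""|*[!0-9a-fA-F]*) echo "digest is not hex" >&2; return 1 ;;
    esac
    if [ "${#vi_expected}" -ne 64 ]; then
        echo "digest is not 64 hex characters" >&2; return 1
    fi
    if [ ! -f "$vi_file" ]; then
        echo "no such file: $vi_file" >&2; return 1
    fi
    # Accept upper-case digests by normalising before the comparison
    vi_expected=$(printf '%s' "$vi_expected" | tr 'A-F' 'a-f')
    vi_actual=$(sha256_of "$vi_file") || return 1
    if [ "$vi_actual" != "$vi_expected" ]; then
        echo "checksum mismatch: got $vi_actual" >&2
        return 1
    fi
    install -m 0755 "$vi_file" "$vi_dest"
}

# Usage (run as root for the real destination):
#   verified_install tigertrust-agent-linux-amd64 "<sha256-from-vendor>" \
#       /usr/local/bin/tigertrust-agent
```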
systemd Service
```ini
# /etc/systemd/system/tigertrust-agent.service
[Unit]
Description=TigerTrust Agent
Documentation=https://docs.tigertrust.io
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=root
Group=root
ExecStart=/usr/local/bin/tigertrust-agent -config=/etc/tigertrust/agent.yaml
Restart=always
RestartSec=10
StandardOutput=journal
StandardError=journal

# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/var/lib/tigertrust

[Install]
WantedBy=multi-user.target
```
Enable the service:
```bash
sudo systemctl daemon-reload
sudo systemctl enable tigertrust-agent
sudo systemctl start tigertrust-agent
```
Windows Deployment
Binary Installation
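```powershell
# Create the install directory (Invoke-WebRequest does not create it)
New-Item -ItemType Directory -Path "C:\Program Files\TigerTrust" -Force

# Download
Invoke-WebRequest -Uri "https://releases.tigertrust.io/agent/latest/tigertrust-agent-windows-amd64.exe" -OutFile "C:\Program Files\TigerTrust\agent.exe"

# Create config
New-Item -ItemType Directory -Path "C:\ProgramData\TigerTrust" -Force
# Edit C:\ProgramData\TigerTrust\agent.yaml
```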
Windows Service
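```powershell
# Install as service using NSSM or sc.exe
# The executable path contains a space, so it is quoted inside binPath;
# --% stops PowerShell from rewriting the embedded quotes.
sc.exe --% create TigerTrustAgent binPath= "\"C:\Program Files\TigerTrust\agent.exe\" -config=C:\ProgramData\TigerTrust\agent.yaml" start= auto
sc.exe start TigerTrustAgent
```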
Docker Deployment
```yaml
# docker-compose.yml
version: '3.8'
services:
  tigertrust-agent:
    image: tigertrust/agent:latest
    container_name: tigertrust-agent
    restart: unless-stopped
    volumes:
      - /etc/tigertrust:/etc/tigertrust:ro
      - /etc/ssl:/etc/ssl:ro
      - /etc/pki:/etc/pki:ro
      - /etc/nginx/ssl:/etc/nginx/ssl:ro
      - tigertrust-keys:/var/lib/tigertrust/keys
    environment:
      - TIGERTRUST_LOG_LEVEL=info
volumes:
  tigertrust-keys:
```
Kubernetes Deployment
DaemonSet (Node-level Discovery)
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: tigertrust-agent
  namespace: tigertrust
spec:
  selector:
    matchLabels:
      app: tigertrust-agent
  template:
    metadata:
      labels:
        app: tigertrust-agent
    spec:
      serviceAccountName: tigertrust-agent
      containers:
        - name: agent
          image: tigertrust/agent:latest
          volumeMounts:
            - name: config
              mountPath: /etc/tigertrust
            - name: host-certs
              mountPath: /host/etc/ssl
              readOnly: true
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
      volumes:
        - name: config
          configMap:
            name: tigertrust-agent-config
        - name: host-certs
          hostPath:
            path: /etc/ssl
```
Deployment (Cluster-level Discovery)
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tigertrust-agent
  namespace: tigertrust
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tigertrust-agent
  template:
    metadata:
      labels:
        app: tigertrust-agent
    spec:
      serviceAccountName: tigertrust-agent
      containers:
        - name: agent
          image: tigertrust/agent:latest
          volumeMounts:
            - name: config
              mountPath: /etc/tigertrust
            - name: api-key
              mountPath: /etc/tigertrust/secrets
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: tigertrust-agent-config
        - name: api-key
          secret:
            secretName: tigertrust-api-key
```
RBAC Configuration
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tigertrust-agent
  namespace: tigertrust
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigertrust-agent
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tigertrust-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tigertrust-agent
subjects:
  - kind: ServiceAccount
    name: tigertrust-agent
    namespace: tigertrust
```
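Because the binding is a ClusterRoleBinding, the agent's ServiceAccount can read every Secret in every namespace. The following added example (not part of the TigerTrust documentation) reports the ServiceAccount's effective access to the resources named in the ClusterRole and fails if any write verb is granted. The function names are hypothetical, and it assumes `kubectl` is configured with an identity allowed to impersonate the ServiceAccount.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. Namespace, ServiceAccount and resource names
# are taken from the manifests on this page; function names are hypothetical.

SA_NS="tigertrust"
SA_NAME="tigertrust-agent"
RESOURCES="secrets ingresses.networking.k8s.io certificates.cert-manager.io certificaterequests.cert-manager.io"
READ_VERBS="get list watch"
WRITE_VERBS="create update patch delete"

# can_i VERB RESOURCE: exit 0 if the ServiceAccount may do VERB cluster-wide.
can_i() {
    kubectl auth can-i "$1" "$2" --all-namespaces \
        --as="system:serviceaccount:${SA_NS}:${SA_NAME}" >/dev/null 2>&1
}

# audit_agent_rbac: print one line per resource in the form
#   <resource> read=<verbs|none> write=<verbs|none>
# Returns 1 if any write verb is granted (the role on this page is read-only).
audit_agent_rbac() {
    audit_rc=0
    for res in $RESOURCES; do
        rd=""; wr=""
        for verb in $READ_VERBS; do
            if can_i "$verb" "$res"; then rd="${rd:+$rd,}$verb"; fi
        done
        for verb in $WRITE_VERBS; do
            if can_i "$verb" "$res"; then wr="${wr:+$wr,}$verb"; audit_rc=1; fi
        done
        printf '%s read=%s write=%s\n' "$res" "${rd:-none}" "${wr:-none}"
    done
    return $audit_rc
}

# Usage: audit_agent_rbac || echo "unexpected write access" >&2
```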
Helm Chart
```bash
helm repo add tigertrust https://charts.tigertrust.io
helm install tigertrust-agent tigertrust/agent \
  --namespace tigertrust \
  --create-namespace \
  --set collector.apiKey="ak_your_api_key" \
  --set discovery.kubernetes.enabled=true
```
Monitoring Agent Health
Prometheus Metrics
The agent exposes metrics on port 9090:
```
tigertrust_agent_up
tigertrust_agent_certificates_discovered_total
tigertrust_agent_tasks_total{status="completed|failed"}
tigertrust_agent_task_duration_seconds
tigertrust_agent_http_requests_total
tigertrust_agent_ssh_keys_discovered_total
```
Health Check Endpoint
```bash
curl http://localhost:9090/health
```
Scaling Considerations
| Scenario | Deployment Type | Agent Count |
|---|---|---|
| Single server | Binary/systemd | 1 per server |
| VM fleet | Binary + config mgmt | 1 per VM |
| Kubernetes cluster | Deployment | 1 per cluster |
| Multi-region | Per-region agents | 1+ per region |