This article explains how to deploy your Telemetry Collector in a Kubernetes environment and assumes you have already configured your Telemetry Collector, met the required system requirements, have a Kubernetes cluster available that can be configured via helm and have already deployed a Gateway Sensor Collector to work with your Telemetry Collector.
Step 1. Retrieve Telemetry Collector Helm Charts (Required only for Air gapped deployments)
Since air gapped deployments can not access the internet to retrieve Helm charts, this step must be done manually. For environments with access to the internet, proceed to step 2.
Download the Telemetry Collector helm charts to a local file and transfer to the working directory on the machine where you configure your Kubernetes cluster via helm.
Step 2. Retrieve The Telemetry Collector Docker Image (Required only for Air gapped deployments)
Download the docker image for the Telemetry Collector to a local file and transfer to the working directory on the machine where you configure your Kubernetes cluster via helm.
Command for pulling the image:
docker pull gcr.io/sky-agents/agent-telemetry-amd64:ca
Example for saving image to a file:
docker save -o agent-telemetry-amd64-ca.tar gcr.io/sky-agents/agent-telemetry-amd64:ca
Load the saved docker image into the helm machine's local docker registry.
Example:
docker load -i agent-telemetry-amd64-ca.tar
Step 3. Import The Telemetry Collector Image Into The Kubernetes Cluster
The Telemetry Collector docker image must be uploaded to the Kubernetes cluster's OCI registry. If you're using the Provider Connectivity Assurance Kubernetes cluster, you can follow the example below. If you're using your own registry, you must upload the image to it.
Example:
kubectl get secret kotsadm-replicated-registry -n pca -o jsonpath='{.data..dockerconfigjson}' | base64 -d
{"auths":{"10.244.128.11:5000":{"auth":"ZW1iZWRkZWQtY2x1c3RlcjpsRFVkTWRqZjg5dWlGcHV6ODBvQQ=="}}}
In this case 10.244.128.11:5000 is the address of our internal registry. We will use that below.
Decode the Base64 from the previous response to get our authentication credentials:
Example:
echo 'ZW1iZWRkZWQtY2x1c3RlcjpsRFVkTWRqZjg5dWlGcHV6ODBvQQ==' | base64 -d
embedded-cluster:lDUdMdjf89uiFpuz80oA
Use the extracted address and credentials to log into the docker registry.
Example:
docker login 10.244.128.11:5000 -u embedded-cluster -p lDUdMdjf89uiFpuz80oA
Re-tag the Telemetry Collector image for the PCA cluster's internal registry.
Example:
docker tag gcr.io/sky-agents/agent-telemetry-amd64:ca 10.244.128.11:5000/pca-dev/agent-telemetry-amd64:ca
Push the re-tagged image to the PCA cluster's internal registry:
Example:
docker push 10.244.128.11:5000/pca-dev/agent-telemetry-amd64:ca
Step 4. Create Agent TLS Secrets (For Connecting To Sensor Collector)
Create a pair of Kubernetes secrets for the TLS credentials that will be used when the Telemetry Collector attempts to connect to the Sensor Collector.
You will need the ca.pem and tls.pem files produced in step 6 of Configure Sensor Collector. Copy them to a convenient location. The following examples assume that they were copied to a director named certs in the Telemetry Collector working directory.
Example:
kubectl create secret generic ca-certificate-secret --from-file=ca.pem=certs/ca.pem --namespace cisco-sensor-collectors
kubectl create secret generic tls-certificate-secret --from-file=tls.pem=certs/tls.pem --namespace cisco-sensor-collectors
Step 5. Create Values File
Create a values.yaml file that will be used by helm during the install. It must contain the following information:
agentAgentId: {agent id retreived from PCA UI}
agentAuthenticationToken: {agent token retrieved from PCA UI}
agentManagement: {IP address of your sensor collector instance}
agentManagementPort: {management port from the sensor collector provisioning}
custom_ca_certificates:
ca:
enabled: true
secretName: ca-certificate-secret
secretKey: ca.pem
tls:
enabled: true
secretName: tls-certificate-secret
secretKey: tls.pem
image:
repository: {registry address as retrieve in step 3}/pca-dev/agent-telemetry-amd64
imagePullSecrets:
- name: {registry secret for registry setup in step 3. If using PCA's registry, value is `pca-dev-registry`}
NOTE: This assumes that you have already run through the deployment steps for the sensor collector. If using PCA's registry, the pca-dev-registry pull secret is created automatically as part of the Sensor Collector installation
process so you must create your telemetry collector in the same namespace. This secret provides helm the credentials to pull the Telemetry Collector image from the PCA cluster's internal registry.
If you are deploying into a different namespace, you will need to create a pull secret in that namespace with the same credentials as pca-dev-registry and update the values.yaml accordingly.
Step 6. Install The Telemetry Collector
Helm install the Telemetry Collector, referencing the locally pulled chart and the values.yaml file that you just created.
Example:
helm install telemetry-collector ./telemetry-collector-ca.tgz -f ./values.yaml -n cisco-sensor-collectors
© 2026 Cisco and/or its affiliates. All rights reserved.
For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms