
Policy for adding CA certificates to BRIX containers

In some cases, it is necessary to trust user-generated CA certificates. Kyverno allows you to automatically add a volume containing user CA certificates to containers with a specific label.

The installation consists of two stages:

  1. Prepare a Secret with a root CA certificate.
  2. Fill in the configuration file.

Step 1: Prepare a Secret with a root CA certificate

Create a Secret with the root CA certificate in the namespace where the BRIX application is installed. If there are multiple instances of BRIX installed in the Kubernetes cluster, add the Secret only to the namespaces of the BRIX instances that need it.

Create a Secret named elma365-onpremise-ca in the namespace where BRIX is installed by running the following command:

kubectl create secret generic elma365-onpremise-ca --from-file=elma365-onpremise-ca.pem=/etc/ssl/certs/rootCA.pem [-n namespace]

Where --from-file specifies the path to your root CA certificate in .pem format: the part before the = sign (elma365-onpremise-ca.pem) is the key under which the certificate is stored in the Secret, and the part after it is the path to the certificate file. The optional -n namespace selects the target namespace.

Step 2: Fill in the configuration file

Fill in the configuration file values-kyverno.yaml for setting up Kyverno:

  1. Configure the policy that adds user CA certificates to all containers. The policy is enabled by default: the kyverno.injectCerts.enabled parameter is set to true.
  2. In the kyverno.injectCerts.secretCA parameter, specify the name of the Secret created in Step 1. In the example in this article, it is elma365-onpremise-ca. The policy adds a volume containing the CA certificate to all containers with the label tier=elma365.
  3. If there are multiple instances of the BRIX On-Premises application installed in the Kubernetes cluster, but the user CA certificate needs to be added only to some of them, fill in the kyverno.injectCerts.injectNamespace parameter with the namespaces of the BRIX instances to which the certificate policy will be applied; the volume containing the CA certificate is added only in these namespaces. Make sure that in Step 1 the Secret with the root CA certificate was created in every namespace listed in kyverno.injectCerts.injectNamespace.
  4. Specify the namespace for the Kyverno service in the kyverno.namespace parameter; in this article, it is kyverno. To ensure high availability, set the required number of replicas in the kyverno.replicaCount parameter.

## kyverno settings
kyverno:
  ## the policy adds the volume containing the CA certificate to all the containers labeled tier=elma365
  injectCerts:
    enabled: true
    ## name of the secret with the CA root certificate for https with a self-signed certificate
    secretCA: elma365-onpremise-ca
    ## list of namespaces where the policy will be applied
#    injectNamespace:
#      - elma365-dev
#      - elma365-prod
  ## namespace for kyverno (before installation, create kubectl create ns kyverno)
  namespace: kyverno
  ## number of replicas for high availability
  replicaCount: 1
  ## Install crds (not required, is added to directory crds)
  installCRDs: false
...
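For reference, the following is the kind of Kyverno ClusterPolicy that the settings above describe, written here as an added illustration; it is not the manifest shipped with the BRIX chart, which this article does not show. The label selector tier=elma365, the Secret name elma365-onpremise-ca and the namespaces elma365-dev and elma365-prod are taken from the article; the policy name inject-ca-certs, the volume name onpremise-ca and the mount path inside the container are assumptions.

```yaml
# Added example, not the BRIX chart's own policy.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-ca-certs            # assumed name
spec:
  rules:
    - name: add-ca-volume
      match:
        any:
          - resources:
              kinds:
                - Pod
              # corresponds to kyverno.injectCerts.injectNamespace;
              # omit this list to apply the rule in every namespace
              namespaces:
                - elma365-dev
                - elma365-prod
              # only BRIX workloads carry this label
              selector:
                matchLabels:
                  tier: elma365
      mutate:
        patchStrategicMerge:
          spec:
            volumes:
              # volume backed by the Secret from Step 1 (kyverno.injectCerts.secretCA);
              # the Secret must exist in each matched namespace
              - name: onpremise-ca   # assumed volume name
                secret:
                  secretName: elma365-onpremise-ca
            containers:
              # Kyverno anchor: apply the mount to every container in the pod
              - (name): "*"
                volumeMounts:
                  - name: onpremise-ca
                    # assumed mount path; the key matches the --from-file key used in Step 1
                    mountPath: /etc/ssl/certs/elma365-onpremise-ca.pem
                    subPath: elma365-onpremise-ca.pem
                    readOnly: true
```

Two properties of this shape are worth checking in whatever policy is actually deployed: the Secret is mounted read-only and only into pods that carry the BRIX label, and the rule is scoped to an explicit namespace list, so a Secret of the same name created in an unrelated namespace is never picked up. Kyverno also generates matching rules for Pod controllers (Deployment, StatefulSet and so on) by default, which is why the volume appears in the pod template of redeployed workloads.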

Filling out connection parameters to a private registry for installation in a closed network without internet access

Attention: Installing the Kyverno add-on component does not automatically attach the volume containing the CA certificate to BRIX application pods that are already running, because the policy mutates pods only when they are admitted to the cluster. After installing Kyverno, do not forget to restart the BRIX application services so that their pods are recreated with the volume.