In some cases it is necessary to trust a custom (user-provided) CA certificate, for example when the BRIX application connects over HTTPS to services whose certificates were issued by a private CA. Kyverno can automatically add a volume containing that CA certificate to the containers of pods that carry a specific label.
The installation consists of two steps:
Step 1: Prepare a Secret with a root CA certificate
Create a Secret with the root CA certificate in the namespace where the BRIX application is installed. If several BRIX instances are installed in the Kubernetes cluster, create the Secret only in the namespaces of the instances that need it.
Create a Secret named elma365-onpremise-ca in the namespace where BRIX is installed by running the following command:
kubectl create secret generic elma365-onpremise-ca --from-file=elma365-onpremise-ca.pem=/etc/ssl/certs/rootCA.pem [-n namespace]
Where --from-file specifies the path to your root CA certificate in .pem format (elma365-onpremise-ca.pem is the key under which the file is stored in the Secret), and -n namespace is the target namespace; if it is omitted, the namespace of the current kubectl context is used.
Step 2: Fill in the configuration file
Fill in the values-kyverno.yaml configuration file used to set up Kyverno:
- The policy that adds the user CA certificate to containers is enabled by default: the kyverno.injectCerts.enabled parameter is set to true.
- In the kyverno.injectCerts.secretCA parameter, specify the name of the Secret created in Step 1. In the example in this article it is elma365-onpremise-ca. The policy adds a volume containing the CA certificate to all containers of pods with the label tier=elma365.
- If several BRIX On-Premises instances are installed in the Kubernetes cluster, but the user CA certificate must be added only to some of them, fill in the kyverno.injectCerts.injectNamespace parameter: list the namespaces of the BRIX instances to which the certificate policy will be applied and in which the volume with the CA certificate will be added. Make sure that in Step 1 the Secret with the root CA certificate was created in every namespace listed in kyverno.injectCerts.injectNamespace: a pod whose volume references a Secret that does not exist in its namespace cannot mount that volume and will not start.
- Specify the namespace for the Kyverno service in the kyverno.namespace parameter; in this article it is kyverno. To ensure high availability, set the required number of replicas in the kyverno.replicaCount parameter.
# kyverno settings
kyverno:
  # the policy adds the volume containing the CA certificate to all the containers of pods labeled tier=elma365
  injectCerts:
    enabled: true
    # name of the Secret with the root CA certificate used for HTTPS with a self-signed (private CA) certificate
    secretCA: elma365-onpremise-ca
    # list of namespaces where the policy will be applied (all namespaces if not set)
    # injectNamespace:
    #   - elma365-dev
    #   - elma365-prod
  # namespace for Kyverno (create it before installation: kubectl create ns kyverno)
  namespace: kyverno
  # number of replicas for high availability
  replicaCount: 1
  # install CRDs (not required here: the CRDs are shipped in the crds directory)
  installCRDs: false
Attention! Installing the Kyverno add-on component does not attach the volume containing the CA certificate to BRIX application pods that are already running: Kyverno mutates pods at admission, that is, when they are created. After installing Kyverno, restart the BRIX application services so that their pods are recreated with the volume.
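To make clear what the kyverno.injectCerts policy does, and why it cannot affect pods that already exist, below is an added illustrative Kyverno ClusterPolicy. It is an example written for this article, not the policy shipped in the BRIX Helm chart: the policy and rule names, the mount path /etc/ssl/certs/elma365-onpremise-ca.pem and the namespace list are assumptions; the label tier=elma365, the Secret name elma365-onpremise-ca and the file key elma365-onpremise-ca.pem come from the steps above.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  # hypothetical policy name; the BRIX chart defines its own
  name: inject-elma365-ca
spec:
  rules:
    - name: add-ca-volume
      match:
        any:
          - resources:
              # mutation happens at admission, so only newly created pods are patched
              kinds:
                - Pod
              # only pods of the BRIX application (label from the article)
              selector:
                matchLabels:
                  tier: elma365
              # corresponds to kyverno.injectCerts.injectNamespace (assumed values);
              # remove this list to apply the rule in every namespace
              namespaces:
                - elma365-dev
                - elma365-prod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # conditional anchor: patch every container in the pod, whatever its name
              - (name): "*"
                volumeMounts:
                  - name: elma365-onpremise-ca
                    # assumed location inside the container; the subPath is the
                    # --from-file key used when the Secret was created in Step 1
                    mountPath: /etc/ssl/certs/elma365-onpremise-ca.pem
                    subPath: elma365-onpremise-ca.pem
                    readOnly: true
            volumes:
              - name: elma365-onpremise-ca
                secret:
                  # corresponds to kyverno.injectCerts.secretCA;
                  # the Secret must exist in the namespace of the pod being created
                  secretName: elma365-onpremise-ca
```

After applying such a policy with kubectl apply -f and restarting a BRIX service, check a recreated pod with kubectl -n namespace get pod pod-name -o jsonpath='{.spec.volumes[*].secret.secretName}': the output must contain elma365-onpremise-ca. Note that a Secret mounted with subPath is not refreshed in a running container when the Secret changes, so after rotating the root CA the pods must be restarted again.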