In some cases, it is necessary to trust user-generated CA certificates. Kyverno allows you to automatically add a volume containing user CA certificates to containers with a specific label.
The installation consists of two stages:
Step 1: Prepare a Secret with a root CA certificate
Create a Secret with the root CA certificate in the namespace where the BRIX application is installed. If there are multiple instances of BRIX installed in the Kubernetes cluster, add the Secret only to the namespaces of the instances that need it.
Create a Secret named elma365-onpremise-ca in the namespace where BRIX is installed by running the following command:
kubectl create secret generic elma365-onpremise-ca --from-file=elma365-onpremise-ca.pem=/etc/ssl/certs/rootCA.pem [-n namespace]
Where /etc/ssl/certs/rootCA.pem is the path to your root CA certificate in .pem format, and the optional -n namespace selects the namespace where BRIX is installed.
Step 2: Fill in the configuration file
Fill in the configuration file values- to set up Kyverno:
- Configure the policy that adds user CA certificates to all containers. The policy is enabled by default: the kyverno.injectCerts.enabled parameter is set to true.
- In the kyverno.injectCerts.secretCA parameter, specify the name of the Secret created in Step 1. In the example in this article, it is elma365-onpremise-ca. The policy adds a volume containing the CA certificate to all containers with the label tier=elma365.
- If there are multiple instances of the BRIX On-Premises application installed in the Kubernetes cluster, but the user CA certificate needs to be added only to some of them, fill in the kyverno.injectCerts.injectNamespace parameter. In it, list the namespaces of the BRIX instances to which the certificate policy will be applied and in which the volume containing the CA certificate will be added. Ensure that in Step 1 the Secret with the root CA certificate was created in every namespace listed in kyverno.injectCerts.injectNamespace; otherwise the injected volume has no Secret to mount in that namespace.
- Specify the namespace for the Kyverno service; in this article, it is kyverno. To ensure high availability, set the required number of replicas in the kyverno.replicaCount parameter.
# kyverno settings
kyverno:
  # the policy adds the volume containing the CA certificate to all the containers labeled tier=elma365
  injectCerts:
    enabled: true
    # name of the secret with the CA root certificate for https with a self-signed certificate
    secretCA: elma365-onpremise-ca
    # list of namespaces where the policy will be applied
    # injectNamespace:
    #   - elma365-dev
    #   - elma365-prod
  # namespace for kyverno (before installation, create it: kubectl create ns kyverno)
  namespace: kyverno
  # number of replicas for high availability
  replicaCount: 1
  # install CRDs (not required, they are added to the crds directory)
  installCRDs: false
...
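To make clear what the settings above translate into, here is an added example of a Kyverno mutating ClusterPolicy that does the same job: match pods labeled tier=elma365 in the listed namespaces, add a volume backed by the Secret from Step 1, and mount it into every container. This is illustrative code, not the policy shipped by the BRIX add-on; the policy name, the namespace list and the mountPath are assumptions, and the Secret name and key (elma365-onpremise-ca.pem) come from the kubectl command in Step 1.

```yaml
# Added example: a hand-written equivalent of the injectCerts policy (not the add-on's own manifest)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-onpremise-ca        # assumed name
spec:
  rules:
    - name: add-ca-volume
      match:
        any:
          - resources:
              kinds:
                - Pod
              # equivalent of kyverno.injectCerts.injectNamespace; drop this
              # list to apply the rule to tier=elma365 pods in every namespace
              namespaces:
                - elma365-dev
                - elma365-prod
              selector:
                matchLabels:
                  tier: elma365    # the label the page's policy keys on
      mutate:
        patchStrategicMerge:
          spec:
            volumes:
              - name: onpremise-ca
                secret:
                  # the Secret created in Step 1; must exist in each matched namespace
                  secretName: elma365-onpremise-ca
            containers:
              # Kyverno anchor: apply the mount to every container in the pod
              - (name): "*"
                volumeMounts:
                  - name: onpremise-ca
                    # assumed mount location; subPath adds one file without
                    # hiding the container's existing /etc/ssl/certs bundle
                    mountPath: /etc/ssl/certs/elma365-onpremise-ca.pem
                    subPath: elma365-onpremise-ca.pem
                    readOnly: true
```

Because this is an admission-time mutation, it only affects pods created after the policy exists, which is why the page tells you to restart the BRIX services after installing Kyverno.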
Installing the Kyverno add-on component does not automatically attach the volume containing the CA certificate to already running pods of the BRIX application, because the policy only mutates pods at creation time. After installing Kyverno, restart the BRIX application services so that their pods are recreated with the volume.