<!DOCTYPE html>
<html lang="en">
<head>
<title>Policy for adding CA certificates to BRIX containers</title>
<meta name="generator" content="Help+Manual" />
<meta name="keywords" content="" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="In some cases, it is necessary to trust user-generated CA certificates. Kyverno allows you to automatically add a volume containing user CA certificates to containers with a..." />
<meta name="picture" content="" />
<meta property="og:type" content="website" />
<meta property="og:title" content="Full documentation for BRIX365 platform. Low-code developer guide. User guide. Admin guide. Developer guide." />
<meta property="og:url" content="https://brix365.com/en/help" />
<meta property="og:image" content="" />
<link rel="icon" href="favicon.png" type="image/png" />
<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet" />
<link rel="stylesheet" href="./jquery-ui.min.css" />
<link rel="stylesheet" href="default.css" />
<link rel="stylesheet" href="./search-yandex.css" />
<link rel="stylesheet" href="./article.css" />
<link rel="stylesheet" href="./glossary.css" />
<link rel="stylesheet" href="./theme.css" />
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="helpman_settings.js"></script>
<script type="text/javascript" src="helpman_topicinit.js"></script>
<script type="text/javascript" src="highlight.js"></script>
<script type="text/javascript">
$(document).ready(function(){highlight();});
</script>
</head>
<body>
<script>!function(e,t,c,n,r,a,m){e.ym=e.ym||function(){(e.ym.a=e.ym.a||[]).push(arguments)},e.ym.l=1*new Date;for(var s=0;s<document.scripts.length;s++)if(document.scripts[s].src===n)return;a=t.createElement(c),m=t.getElementsByTagName(c)[0],a.async=1,a.src=n,m.parentNode.insertBefore(a,m)}(window,document,"script","https://mc.yandex.ru/metrika/tag.js"),ym(83179930,"init",{clickmap:!0,trackLinks:!0,accurateTrackBounce:!0,webvisor:!0})</script><noscript><div><img alt=""src=https://mc.yandex.ru/watch/83179930 style=position:absolute;left:-9999px></div></noscript>
<header class="header elma-365">
<div class="container">
<a class="header__logo" href="https://brix365.com/en/help">
<img src="./logo-en.svg" alt="header logo">
</a>
<!-- <div class="hero__search-form" id="search-panel">
<form class="search-form" onsubmit="ym(83180416,'reachGoal','poisk')">
<label class="search-form__label">
<span id="reset-search" class="search__icon"></span>
<input class="search-form__input" type="text">
</label>
<input class="search-form__submit" type="submit" value="Submit">
</form>
</div> -->
<div class="hero__search-form" id="search-panel"> <form class="search-form"> <label class="search-form__label"> <span id="reset-search" class="search__icon"></span> <input class="search-form__input" type="text"> </label> <input class="search-form__submit" type="submit" value="Submit"> </form> </div>
<div class="hero__search">
<a href="#" id="search-icon" class="hero__search-icon">
<img src="search-icon-white.svg" alt="search string">
</a>
<a href="#" id="side-menu-icon" class="hero__side-icon">
<img src="side_menu.svg" alt="side menu">
</a>
</div>
<div class="header__navi">
<ul class="header__list"><li><span class="solution-select"><span class="solution-select__selected"></span><svg width="7" height="4" viewBox="0 0 7 4" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M1 1L3.5 3.5L6 1" stroke="white" stroke-linecap="round" stroke-linejoin="round"/></svg><ul class="solution-select__list"><li><a class="project-link" href="https://brix365.com/en/help/platform/get-trial.html">Platform</a></li><li><a class="project-link" href="https://brix365.com/en/help/ecm/ecm-functions.html">ECM</a></li><li><a class="project-link" href="https://brix365.com/en/help/crm/crm_overview.html">CRM</a></li><li><a class="project-link" href="https://brix365.com/en/help/service/service-functions.html">Service</a></li><li><a class="project-link" href="https://brix365.com/en/help/projects/projects-functions.html">Projects</a></li><li><a class="project-link" href="https://brix365.com/en/help/business_solutions/-elma365-store.html">Business Solutions</a></li></ul></span></li><li><a href="https://api.brix365.com/en/" target="_blank" rel="noopener noreferrer">API</a></li><li><a href="https://tssdk.brix365.com/" target="_blank" rel="noopener noreferrer">SDK</a></li></ul>
</div>
</div>
</header>
<main class="main container">
<aside class="sidebar" id="sidebar">
<div class="sidebar__header">
<a class="header__logo" href="https://brix365.com/en/help">
<img src="./logo-light-en.svg" alt="header logo">
</a>
<span class="sidebar__close elma-365-close" id="close"></span>
</div>
<div class="sidebar__wrapper" id="side-menu">
</div>
</aside>
<article class="article" id="article">
<div class="article-inner">
<div class="content">
<header class="article__header">
<div class="article__bread" style="display:flex; gap:10px;">
<span id="subcategory" class="search-res__item-category search-res__item-category_subcategory subcategory article__badge"></span>
<div class="topic__breadcrumbs">
<p><a href="elma365-on-premises.html">BRIX On-Premises</a> &gt; <a href="elma365-enterprise.html">BRIX On-Premises Enterprise</a> &gt; Install add-on components for BRIX &gt; <a href="install-kyverno.html">Install Kyverno</a> / Policy for adding CA certificates to BRIX containers</p>
</div>
</div>
<div class="topic__title"><h1 class="p_Heading1"><span class="f_Heading1">Policy for adding CA certificates to BRIX containers</span></h1>
</div>
</header>
<section class="article__content">
<div class="scroll-top-inner">
<a href="#h1-article" class="scroll-top"></a>
</div>
<!-- Placeholder for topic body. -->
<p class="p_Normal">In some cases, it is necessary to trust user-generated CA certificates. Kyverno allows you to automatically add a volume containing user CA certificates to containers with a specific label.</p>
<p class="p_Normal">The installation consists of two stages:</p>
<ol style="list-style-type:decimal">
<li value="1" class="p_Normal"><a href="ca-certificates-adding-policy.html#secret-preparation" class="topiclink">Prepare a Secret with a root CA certificate</a>.</li><li value="2" class="p_Normal"><a href="ca-certificates-adding-policy.html#fill-config-file" class="topiclink">Fill in the configuration file</a>.</li></ol>
<h2 class="p_Heading2"><a id="secret-preparation" class="hmanchor"></a><span class="f_Heading2">Step 1: Prepare a Secret with a root CA certificate</span></h2>
<p class="p_Normal">Create a <span style="font-weight: bold;">Secret</span> with the root CA certificate in the <code><b>namespace</b></code> where the BRIX application is installed. If there are multiple instances of BRIX installed in the Kubernetes cluster, add the <span style="font-weight: bold;">Secret</span> only to the <code><b>namespace</b></code> of the BRIX instances that require it.</p>
<p class="p_Normal">Create a <span style="font-weight: bold;">Secret</span> named <code><b>elma365-onpremise-ca</b></code> in the <code><b>namespace</b></code> where BRIX is installed by running the following command:</p>
<p class="p_CodeExample" style="page-break-inside: avoid;"><span class="f_CodeExample">kubectl&nbsp;create&nbsp;secret&nbsp;generic&nbsp;elma365-onpremise-ca&nbsp;--from-file=elma365-onpremise-ca.pem=/etc/ssl/certs/rootCA.pem&nbsp;[-n&nbsp;namespace]</span></p>
<p class="p_Normal">Where <code><b>--from-file</b></code> specifies the path to your root CA certificate in <span style="font-weight: bold;">.pem</span> format. The file must contain only the CA certificate (public material), never its private key: the Secret is mounted into every container matched by the policy.</p>
<h2 class="p_Heading2"><a id="fill-config-file" class="hmanchor"></a><span class="f_Heading2">Step 2: Fill in the configuration file</span></h2>
<p class="p_Normal">Fill in the configuration file <code><b>values-kyverno.yaml</b></code> for setting up Kyverno:</p>
<ol style="list-style-type:upper-roman">
<li value="1" class="p_Normal">Configure the policy to add user CA certificates to all containers. The policy is enabled by default: the <code><b>kyverno.injectCerts.enabled</b></code> parameter is set to <code><b>true</b></code>.</li><li value="2" class="p_Normal">In the <code><b>kyverno.injectCerts.secretCA</b></code> parameter, specify the name of the <span style="font-weight: bold;">Secret</span> created in Step 1. In the example in this article, it is <code><b>elma365-onpremise-ca</b></code>. The policy adds a volume containing the CA certificate to all containers with the label <code><b>tier=elma365</b></code>.</li><li value="3" class="p_Normal">If there are multiple instances of the BRIX On-Premises application installed in the Kubernetes cluster, but the user CA certificate needs to be added only to some of them, fill in the <code><b>kyverno.injectCerts.injectNamespace</b></code> parameter.</li></ol>
<p class="p_Normal" style="margin: 0 0 0 34px;">In the <code><b>kyverno.injectCerts.injectNamespace</b></code> parameter, specify the <code><b>namespaces</b></code> of the BRIX instances to which the certificate-adding policy will be applied and in which a volume containing the CA certificate will be added. Ensure that in Step 1 the <span style="font-weight: bold;">Secret</span> with the root CA certificate was added to each of the <code><b>namespaces</b></code> listed in <code><b>kyverno.injectCerts.injectNamespace</b></code>.</p>
<ol style="list-style-type:upper-roman" start="4">
<li value="4" class="p_Normal">Specify the <code><b>namespace</b></code> for the Kyverno service; in this article, it is <code><b>kyverno</b></code>. To ensure high availability, set the required number of replicas in the <code><b>kyverno.replicaCount</b></code> parameter.</li></ol>
<p class="p_CodeExample" style="white-space: normal; page-break-inside: avoid;"><span class="f_CodeExample"># kyverno settings</span><br />
<span class="f_CodeExample">kyverno:</span><br />
<span class="f_CodeExample">  # the policy adds the volume containing the CA certificate to all the containers labeled tier=elma365</span><br />
<span class="f_CodeExample">  injectCerts:</span><br />
<span class="f_CodeExample">  &nbsp; enabled: </span><span class="f_CodeExample" style="font-weight: bold;">true</span><br />
<span class="f_CodeExample">  &nbsp; # name of the secret with the CA root certificate for https with a self-signed certificate</span><br />
<span class="f_CodeExample">  &nbsp; secretCA: elma365-onpremise-ca</span><br />
<span class="f_CodeExample">  &nbsp; # list of namespaces where the policy will be applied</span><br />
<span class="f_CodeExample">#  &nbsp; injectNamespace:</span><br />
<span class="f_CodeExample">#  &nbsp; &nbsp; - elma365-dev</span><br />
<span class="f_CodeExample">#  &nbsp; &nbsp; - elma365-prod</span><br />
<span class="f_CodeExample">  # namespace for kyverno (create it before installation: kubectl create ns kyverno)</span><br />
<span class="f_CodeExample">  namespace: kyverno</span><br />
<span class="f_CodeExample">  # number of replicas for high availability</span><br />
<span class="f_CodeExample">  replicaCount: 1</span><br />
<span class="f_CodeExample">  # Install CRDs (not required; they are added to the crds directory)</span><br />
<span class="f_CodeExample">  installCRDs: </span><span class="f_CodeExample" style="font-weight: bold;">false</span><br />
<span class="f_CodeExample">...</span></p>
<p class="p_Normal"><a class="dropdown-toggle" style="font-style: normal; font-weight: normal; color: #000000; background-color: transparent; text-decoration: none;" href="javascript:HMToggle('toggle','TOGGLE0186A1')">Filling out connection parameters to a private registry for installation in a closed network without internet access</a></p>
<div id="TOGGLE0186A1" class="dropdown-toggle-body" style="text-align: left; text-indent: 0; line-height: 1.80; padding: 0 0 0 0; margin: 0 0 0 0;"><table style="border:none; border-spacing:0;">
<tr>
<td style="vertical-align:top; padding:0; border:none"><p class="p_Normal">&nbsp;<br />
To connect to the private <span style="font-weight: bold;">registry</span>:</p>
<ol style="list-style-type:decimal">
<li value="1" class="p_Normal">Download BRIX images and upload them to your local image registry. For more details, see the article <a href="downloadin-images-elma365.html" class="topiclink">Download BRIX images</a>.</li><li value="2" class="p_Normal">Set the address and path for the parameters <code><b>kyverno.image.repository</b></code>, <code><b>kyverno.initImage.repository</b></code> and <code><b>kyverno.cleanupController.image.repository</b></code>.</li><li value="3" class="p_Normal">Specify the name of the secret with access rights to the private <span style="font-weight: bold;">registry</span> in the parameters <code><b>kyverno.image.pullSecrets</b></code> and <code><b>kyverno.cleanupController.image.pullSecrets</b></code>. The secret must be created manually; note that its data is Base64-encoded, which is an encoding, not encryption.</li></ol>
<p class="p_CodeExample" style="white-space: normal; page-break-inside: avoid;"><span class="f_CodeExample"># kyverno settings</span><br />
<span class="f_CodeExample">kyverno:</span><br />
<span class="f_CodeExample">...</span><br />
<span class="f_CodeExample">  # Connection parameters to the private registry</span><br />
<span class="f_CodeExample">  image:</span><br />
<span class="f_CodeExample"># Address and path for the private registry</span><br />
<span class="f_CodeExample">  &nbsp; repository: registry.example.com/kyverno/kyverno</span><br />
<span class="f_CodeExample">  &nbsp; tag: v1.9.0</span><br />
<span class="f_CodeExample"># The secret with access rights to the private registry must be created manually; its data is Base64-encoded (encoding, not encryption)</span><br />
<span class="f_CodeExample">  &nbsp; pullSecrets:</span><br />
<span class="f_CodeExample">  &nbsp; &nbsp; - myRegistryKeySecretName</span><br />
<span class="f_CodeExample">  initImage:</span><br />
<span class="f_CodeExample"># Address and path for the private registry</span><br />
<span class="f_CodeExample">  &nbsp; repository: registry.example.com/kyverno/kyvernopre</span><br />
<span class="f_CodeExample">  &nbsp; tag: v1.9.0</span><br />
<span class="f_CodeExample">  cleanupController:</span><br />
<span class="f_CodeExample">  &nbsp; image:</span><br />
<span class="f_CodeExample"># Address and path for the private registry</span><br />
<span class="f_CodeExample">  &nbsp; &nbsp; repository: registry.example.com/kyverno/cleanup-controller</span><br />
<span class="f_CodeExample">  &nbsp; &nbsp; tag: v1.9.0</span><br />
<span class="f_CodeExample"># The secret with access rights to the private registry must be created manually; its data is Base64-encoded (encoding, not encryption)</span><br />
<span class="f_CodeExample">  &nbsp; &nbsp; pullSecrets:</span><br />
<span class="f_CodeExample">  &nbsp; &nbsp; &nbsp; - myRegistryKeySecretName</span></p>
<p class="p_Normal">&nbsp;<br />
Where:</p>
<ul style="list-style-type:disc">
<li class="p_Normal"><code><b>kyverno.image.repository</b></code> format is as follows:<ul style="list-style-type:circle">
<li class="p_Normal">Address is <code><b>registry.example.com</b></code>.</li><li class="p_Normal">Path is <code><b>/kyverno/kyverno</b></code>.</li></ul></li>
<li class="p_Normal"><code><b>kyverno.initImage.repository</b></code> format is as follows:<ul style="list-style-type:circle">
<li class="p_Normal">Address is <code><b>registry.example.com</b></code>.</li><li class="p_Normal">Path is <code><b>/kyverno/kyvernopre</b></code>.</li></ul></li>
<li class="p_Normal"><code><b>kyverno.cleanupController.image.repository</b></code> format is as follows:<ul style="list-style-type:circle">
<li class="p_Normal">Address is <code><b>registry.example.com</b></code>.</li><li class="p_Normal">Path is <code><b>/kyverno/cleanup-controller</b></code>.</li></ul></li></ul>
</td>
</tr>
</table>
</div>
<p class="p_CodeExample" style="page-break-inside: avoid;"><span class="f_CodeExample">начало&nbsp;внимание</span></p>
<p class="p_Normal">Installing the Kyverno add-on component does not automatically connect the volume containing the CA certificate to the already running pods of the BRIX application. After installing Kyverno, restart the BRIX application services.</p>
<p class="p_CodeExample" style="page-break-inside: avoid;"><span class="f_CodeExample">конец&nbsp;внимание</span></p>
<div class="bottom-nav">
<a id="prev-link" class="topic__navi_prev" href="install-kyverno.html">
<span class="bottom-nav__arrow bottom-nav__arrow--prev"></span> <span
class="bottom-nav__link">install-kyverno.html</span>
</a>
<a id="next-link" class="topic__navi_next" href="docker-image-verification-policy.html">
<span class="bottom-nav__link">docker-image-verification-policy.html</span> <span
class="bottom-nav__arrow bottom-nav__arrow--next"></span>
</a>
</div>
<!-- Adds the "Was this helpful?" feedback block to the page -->
<div class="feedback" id="feedback"><div class="feedback-help"><span><b>Was this helpful?</b></span><form action="" method="POST" class="feedback-form" id="feedback-form"><div class="feedback__popup feedback__popup-response" id="feedback__popup_thx" style="display: none;">Thanks for your feedback!</div><div class="feedback__popup" id="feedback__popup_why" style="display: none;"><div class="feedback__popup-header">Please specify why:</div><input type="radio" name="category" id="bad_recommendation" value="bad_recommendation"><label for="bad_recommendation">Recommendations did not help me</label><input type="radio" name="category" id="difficult_text" value="difficult_text"><label for="difficult_text">Article is hard to understand</label><input type="radio" name="category" id="no_answer" value="no_answer"><label for="no_answer">Didn't answer my question</label><input type="radio" name="category" id="bad_header" value="bad_header"><label for="bad_header">Content does not match the topic</label><input type="radio" name="category" id="other_reason" value="other_reason"><label for="other_reason">Other</label></div><div class="feedback__popup" id="feedback__popup-other" style="display: none;"><div class="feedback__popup-header">How can we improve it?</div><textarea class="feedback__textarea" name="other" aria-label="How can we improve it?"></textarea><input type="submit" class="feedback__other-btn" value="Submit"></div><div class="feedback-form__btn-group"><input type="radio" name="useful" id="feedback__useful_yes" value="true"><label for="feedback__useful_yes"><img src="like.svg" class="small-img" alt="like"><span class="feedback-form__btn-group_yes-btn">Yes</span></label><input type="radio" name="useful" id="feedback__useful_no" value="false"><label for="feedback__useful_no"><img src="dislike.svg" class="small-img" alt="dislike"><span class="feedback-form__btn-group_no-btn">No</span></label></div><select name="category"><option disabled>Please specify why</option><option value="bad_recommendation" selected>Recommendations did not help me</option><option value="difficult_text">Article is hard to understand</option><option value="no_answer">Didn't answer my question</option><option value="bad_header">Content does not match the topic</option><option value="other_reason">Other</option></select><input type="submit"></form></div><div class="found_typo"><p style="margin: 0px; margin-top: 16px !important;"><span><b>Found a typo?</b></span> Select it and press <i>Ctrl+Enter</i> to send us feedback</p></div></div>
</section>
</div>
<aside class="article__sidebar" style="display:none">
<input type="checkbox" />
<div class="article__arrow"></div>
<div class="table-of-contents elma365-right" id="toc2Content">
<h3 class="h3-toc">In this topic</h3>
<nav id="toc2"></nav>
</div>
</aside>
</div>
</article>
</main>
<footer class="footer">
<div class="footer-container">
<div class="footer-mobile">
<ul class="footer-mobile__list"><li><a href="https://brix365.com/en/" target="_blank" rel="noopener noreferrer">BRIX</a></li><li><a href="https://tssdk.brix365.com/en/latest/" target="_blank" rel="noopener noreferrer">SDK</a></li><li><a href="https://api.brix365.com/en/" target="_blank" rel="noopener noreferrer">API</a></li></ul><ul class="footer-mobile__list"><li><a href="https://brix365.com/en/help/platform/get-trial.html">Platform</a></li><li><a href="https://brix365.com/en/help/ecm/ecm-functions.html">ECM</a></li><li><a href="https://brix365.com/en/help/service/service-functions.html">Service</a></li><li><a href="https://brix365.com/en/help/projects/projects-functions.html">Projects</a></li></ul>
</div>
<div class="footer-wrap">
<div><span class="mobile-question-popup">Send feedback</span><form method="POST" action class="question__popup question-xs" id="question__popup"><div class="question-wrap"><span class="close"></span><span class="title">Ask a question</span><label for="help_question" style="display: none;"></label><textarea name="help_question" id="help_question"></textarea><input type="submit" value="Send"></div></form><div class="hidden fade-in question-success-xs">Sent</div></div>
<div class="footer-flex-b">
<span class="footer-copy">&copy; 2025 BRIX</span>
<ul class="footer-list">
<li class="footer-item">
<a href="#" class="arrow-top" style="display: block;"></a>
</li>
</ul>
</div>
</div>
</div>
</footer>
<iframe name="hmnavigation" title="Hidden navigation frame" style="display:none!important"></iframe>
<script src="./jquery-ui.js"></script>
<!--script src="//cdn.jsdelivr.net/npm/featherlight@1.7.14/release/featherlight.min.js" type="text/javascript" charset="utf-8"></script-->
<script src="./jquery.tocify.min.js"></script>
<script src="./TypoReporter.min.js"></script>
<script src="./google-search.js"></script>
<script src="./main.js"></script>
<script type="text/javascript">
HMInitToggle('TOGGLE0186A1','hm.type','dropdown','hm.state','0');
</script>
</body>
</html>