docs/doc/source/security/kubernetes/portieris-server-certificate-a0c7054844bd.rst
Elisamara Aoki Goncalves b5151a0efd Portieris Server Certificate Renewal Policy (r6,dsR6)
Removed contradictory info about certificate renewal

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: I1c107cc49953047b2478458eb0a5e11c5514ea2b
2022-08-31 20:09:43 +00:00


Portieris Server Certificate

Portieris allows you to configure trust policies for an individual namespace or cluster-wide, and checks the image against a signed image list on a specified notary server to enforce the configured image policies.

Refer to Portieris Admission Controller <portieris-admission-controller-security-index> for details about Portieris installation and configuration.

The implementation of Portieris is integrated with cert-manager.

Once the Portieris application is applied, the server certificate is created in cert-manager and stored in a secret in the Portieris namespace.

The server certificate has a default validity of 3 months.

  • Certificate in cert-manager: portieris-certs
  • Certificate secret: portieris-certs

This server certificate is used by the Portieris webhook for secure communication with kube-apiserver.

In order for Portieris to securely access registries or notary servers whose certificates are signed by a custom CA, the caCert: CERTIFICATE override must be added to the portieris-certs Helm chart so that Portieris trusts the custom certificate.

This must be passed as the base-64 encoded (b64enc) format of the certificate and may contain one or more certificates.
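The following script builds that override from one or more PEM files: it checks that each input is a PEM certificate, concatenates them into a single bundle, and writes the base64-encoded value under the caCert key. It is an added example, not code from the StarlingX or Portieris projects; the output file name, the PEM file names and the ca1/ca2 sample certificates in the usage are assumptions, and the sample PEM bodies used in testing are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# make_cacert_override OUT_FILE PEM [PEM...]
#   Writes a Helm values file containing
#     caCert: <base64 of all PEM inputs concatenated>
#   which is the format the portieris-certs caCert override expects
#   (one or more certificates, b64enc-encoded as a single value).
make_cacert_override() {
  out="$1"
  shift
  [ "$#" -ge 1 ] || { echo "usage: make_cacert_override OUT_FILE PEM..." >&2; return 1; }

  # Refuse anything that is not a PEM certificate: a stray key or DER file
  # would silently end up in the trust bundle and Portieris would not trust
  # the registry it was meant to trust.
  for pem in "$@"; do
    [ -r "$pem" ] || { echo "$pem: cannot read" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "$pem: not a PEM certificate" >&2; return 1; }
  done

  # Concatenate the bundle, then base64-encode it on one line.
  # `tr -d '\n'` is used instead of GNU `base64 -w0` so this also works on
  # BusyBox / BSD base64 implementations.
  encoded=$(cat "$@" | base64 | tr -d '\n')
  [ -n "$encoded" ] || { echo "empty bundle" >&2; return 1; }

  printf 'caCert: %s\n' "$encoded" > "$out"
  echo "wrote $out with $# certificate file(s)" >&2
}

# Usage (file names are assumptions):
#   make_cacert_override portieris-cacert-values.yaml registry-ca.pem notary-ca.pem
```

The resulting values file is then applied as a Helm override for the portieris-certs chart and the application is re-applied, as described in the Install Portieris page. To confirm what was actually encoded before applying it, decode the value back (`sed -n 's/^caCert: //p' portieris-cacert-values.yaml | base64 -d | openssl x509 -noout -subject -enddate` shows the first certificate in the bundle).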

Install Portieris certificates

The Portieris server certificate is automatically created and managed by cert-manager once the Portieris application is applied.

One or more certificates can be installed for Portieris to trust registries and notary servers.

Refer to Install Portieris <install-portieris> for certificates installation.

Update/Renew Portieris certificates

Portieris server certificate is managed by cert-manager.

Note

Currently, notification of certificate renewal is not supported.

Since certificate renewal is not fully supported for Portieris, it is recommended to re-configure the automatically created Portieris Certificate to have a long duration.

Certificates can be updated the same way as they are installed.

Once certificates are updated, you must restart Portieris using the command:

~(keystone_admin)]$ kubectl rollout restart deployment portieris-portieris -n portieris
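The script below carries out the renewal advice above end to end: it validates the requested duration and renewBefore values (cert-manager rejects a renewBefore that is not shorter than the duration), patches the portieris-certs Certificate, forces cert-manager to issue a fresh certificate with the new duration, prints the new expiry, and performs the restart shown above. It is an added example, not StarlingX or Portieris project code; the Certificate and secret name portieris-certs, the namespace portieris and the deployment name portieris-portieris come from this page, while the 8760h/720h values, the timeouts and the `kubectl`/`openssl` availability on the controller are assumptions.

```shell
#!/bin/sh
# hours VALUE -> prints the number of hours in a cert-manager duration such
# as "8760h"; fails for anything that is not <digits>h.
hours() {
  case "$1" in
    *h) n="${1%h}" ;;
    *) return 1 ;;
  esac
  case "$n" in
    '' | *[!0-9]*) return 1 ;;
  esac
  echo "$n"
}

# cert_patch_json DURATION RENEW_BEFORE -> JSON merge patch for the
# Certificate spec. cert-manager refuses renewBefore >= duration, so the
# check is done here before anything touches the cluster.
cert_patch_json() {
  d=$(hours "$1") || { echo "duration must look like 8760h" >&2; return 1; }
  r=$(hours "$2") || { echo "renewBefore must look like 720h" >&2; return 1; }
  [ "$r" -lt "$d" ] || { echo "renewBefore ($2) must be shorter than duration ($1)" >&2; return 1; }
  printf '{"spec":{"duration":"%s","renewBefore":"%s"}}' "$1" "$2"
}

# renew_portieris_cert DURATION RENEW_BEFORE
#   Patch the cert-manager Certificate, re-issue it, and restart the webhook.
#   Requires kubectl access to the cluster; not run by the offline test.
renew_portieris_cert() {
  ns=portieris
  patch=$(cert_patch_json "$1" "$2") || return 1

  # 1. Lengthen the Certificate (default on this page is 3 months).
  kubectl -n "$ns" patch certificate portieris-certs --type merge -p "$patch"

  # 2. A new duration only applies when a certificate is issued, so remove
  #    the secret: cert-manager re-issues it immediately from the Certificate.
  #    The running webhook keeps its mounted copy until the restart below.
  kubectl -n "$ns" delete secret portieris-certs
  kubectl -n "$ns" wait --for=condition=Ready certificate/portieris-certs --timeout=120s

  # 3. Show the new expiry so the operator can record it (no renewal
  #    notification is available, as the page notes).
  kubectl -n "$ns" get secret portieris-certs -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -enddate

  # 4. Restart the Portieris webhook so it serves the re-issued certificate.
  kubectl -n "$ns" rollout restart deployment portieris-portieris
  kubectl -n "$ns" rollout status deployment portieris-portieris --timeout=120s
}

# Usage on the controller (values are assumptions: one year, renew 30 days out):
#   renew_portieris_cert 8760h 720h
```

Run it as the same Keystone admin user that issues the rollout restart above. The renewBefore value still matters even though renewal notification is unsupported: cert-manager will re-issue the secret at that point, and the webhook pod must be restarted again afterwards to pick up the new certificate, so choose a duration long enough that this happens on a schedule you control.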