Using custom certificate authorities
Custom Certificate Authorities for Policy registries​
It is possible to specify and configure the Certificate Authorities that a
PolicyServer uses when pulling the ClusterAdmissionPolicy artifacts from the
policy registry. The following spec fields will configure the deployed
policy-server executable to that effect.
Insecure sources​
Important: the default behavior of
kwctlandpolicy-serveris to enforce HTTPS with trusted certificates matching the system CA store. You can interact with registries using untrusted certificates or even without TLS, by using theinsecure_sourcessetting. This approach is highly discouraged for environments closer to production.
To configure the PolicyServer to accept insecure connections to specific
registries, use the spec.insecureSources field of PolicyServer. This field
accepts a list of URIs to be regarded as insecure. Example:
spec:
insecureSources:
- localhost:5000
- host.k3d.internal:5000
See here for more
information on how the policy-server executable treats them.
Custom Certificate Authorities​
To configure the PolicyServer with a custom certificate chain of 1 or more
certificates for a specific URI, use the field spec.sourceAuthorities.
This field is a map of URIs, each with its own list of strings that contain PEM encoded certificates. Example:
spec:
sourceAuthorities:
"registry-pre.example.com":
- |
-----BEGIN CERTIFICATE-----
ca-pre1-1 PEM cert
-----END CERTIFICATE-----
- |
-----BEGIN CERTIFICATE-----
ca-pre1-2 PEM cert
-----END CERTIFICATE-----
"registry-pre2.example.com:5500":
- |
-----BEGIN CERTIFICATE-----
ca-pre2 PEM cert
-----END CERTIFICATE-----
See here for more
information on how the policy-server executable treats them.