Using custom certificate authorities
Custom Certificate Authorities for Policy registries​
It is possible to specify and configure the Certificate Authorities that a
PolicyServer uses when pulling the ClusterAdmissionPolicy artifacts from the
policy registry. The following spec
fields will configure the deployed
policy-server
executable to that effect.
Insecure sources​
Important: the default behavior of
kwctl
andpolicy-server
is to enforce HTTPS with trusted certificates matching the system CA store. You can interact with registries using untrusted certificates or even without TLS, by using theinsecure_sources
setting. This approach is highly discouraged for environments closer to production.
To configure the PolicyServer to accept insecure connections to specific
registries, use the spec.insecureSources
field of PolicyServer. This field
accepts a list of URIs to be regarded as insecure. Example:
spec:
insecureSources:
- localhost:5000
- host.k3d.internal:5000
See here for more
information on how the policy-server
executable treats them.
Custom Certificate Authorities​
To configure the PolicyServer with a custom certificate chain of 1 or more
certificates for a specific URI, use the field spec.sourceAuthorities
.
This field is a map of URIs, each with its own list of strings that contain PEM encoded certificates. Example:
spec:
sourceAuthorities:
"registry-pre.example.com":
- |
-----BEGIN CERTIFICATE-----
ca-pre1-1 PEM cert
-----END CERTIFICATE-----
- |
-----BEGIN CERTIFICATE-----
ca-pre1-2 PEM cert
-----END CERTIFICATE-----
"registry-pre2.example.com:5500":
- |
-----BEGIN CERTIFICATE-----
ca-pre2 PEM cert
-----END CERTIFICATE-----
See here for more
information on how the policy-server
executable treats them.