Skip to main content
Version: 1.27

Reference for sources.yaml

You can tune the push-pull behavior of kwctl and policy-server binaries with the --sources-path argument, for specifying the path to the sources.yaml file.

To configure a PolicyServer CR, set its spec.insecureSources and spec.sourceAuthorities fields. The format of these fields corresponds with the respective sections below.

The sources.yaml file​

If you omit the --sources-path argument from the kwctl command, it tries to load the sources.yaml file from these folders:

  • Linux: $HOME/.config/kubewarden/sources.yaml
  • Mac: $HOME/Library/Application Support/io.kubewarden.kubewarden/sources.yaml
  • Windows: $HOME\AppData\Roaming\kubewarden\config\sources.yaml

Its structure is as follows:

insecure_sources:
  - "registry-dev.example.com"
  - "registry-dev2.example.com:5500"
source_authorities:
  "registry-pre.example.com":
    - type: Path
      path: /opt/example.com/pki/ca-pre1-1.pem
    - type: Path
      path: /opt/example.com/pki/ca-pre1-2.der
  "registry-pre2.example.com:5500":
    - type: Data
      data: |
            -----BEGIN CERTIFICATE-----
            ca-pre2 PEM cert
            -----END CERTIFICATE-----

This file is in either YAML or JSON format. All keys are optional, so the following is a valid sources.yaml file:

insecure_sources: ["dev.registry.example.com"]

As is:

{
    "source_authorities": {
        "host.k3d.internal:5000": [
            {"type": "Data","data":"pem cert 1"},
            {"type": "Data","data":"pem cert 2"}
        ]
    }
}

Insecure sources section​

Hosts in the insecure_sources section behave differently to those not listed.

  • Hosts not listed, try:

    • to connect using HTTPS, verifying the server identity

    If the connection fails, then the operation stops.

  • Hosts listed in insecure_sources, try in order:

    • to connect using HTTPS verifying the server identity
    • to connect using HTTPS, skipping host verification
    • to connect using HTTP

    The operation stops if all fail.

note

It's usually fine to use insecure_sources when using local registries or HTTP servers for development. It avoids the burden of managing certificates. Clearly, this is not for production use.

Source authorities section​

The source_authorities section contains URIs and CA certificates. It forms a certificate chain for that URI. It's used to verify the identity of OpenContainer Initiative (OCI) registries and HTTPS servers.

You encode these certificates in either Privacy Enhanced Mail (PEM) or Distinguished Encoding Rule (DER) formats. For specifying DER format certificates you use a path to a file containing the certificate. In PEM format you specify either a path to the certificate file, or a string with the actual certificate. You specify both with a type key:

source_authorities:
  "registry-pre.example.com":
    - type: Path
      path: /opt/example.com/pki/ca-pre1-1.pem
    - type: Path
      path: /opt/example.com/pki/ca-pre1-2.der
    - type: Data
      data: |
            -----BEGIN CERTIFICATE-----
            A string with the ca-pre1-3 PEM cert
            -----END CERTIFICATE-----
  "registry-pre2.example.com:5500":
    - type: Path
      path: /opt/example.com/pki/ca-pre2-1.der