Version: 1.34

Using custom certificate authorities

Custom Certificate Authorities for Policy registries

It's possible to specify and configure the Certificate Authorities that a PolicyServer uses when pulling the ClusterAdmissionPolicy artifacts from the policy registry. The following spec fields configure the deployed policy-server executable to that effect.

Insecure sources

note

The default behavior of kwctl and policy-server is to enforce HTTPS with certificates that validate against the system CA store. You can interact with registries that use untrusted certificates, or even no TLS at all, by using the insecure_sources setting. This is strongly discouraged for production and production-like environments.

To configure the PolicyServer to accept insecure connections to specific registries, use the spec.insecureSources field of PolicyServer. This field accepts a list of insecure URIs. For example:

```yaml
spec:
  insecureSources:
    - localhost:5000
    - host.k3d.internal:5000
```

See the Custom Certificate Authorities documentation for more information on how the policy-server executable treats insecure URIs.

Custom Certificate Authorities

You can configure the PolicyServer with a custom certificate chain of 1 or more certificates for a specific URI. To do this you use the field spec.sourceAuthorities.

This field is a map of URIs, each with its own list of strings that contain Privacy-Enhanced Mail (PEM) encoded certificates. For example:

```yaml
spec:
  sourceAuthorities:
    "registry-pre.example.com":
      - |
        -----BEGIN CERTIFICATE-----
        ca-pre1-1 PEM cert
        -----END CERTIFICATE-----
      - |
        -----BEGIN CERTIFICATE-----
        ca-pre1-2 PEM cert
        -----END CERTIFICATE-----
    "registry-pre2.example.com:5500":
      - |
        -----BEGIN CERTIFICATE-----
        ca-pre2 PEM cert
        -----END CERTIFICATE-----
```

See the Custom Certificate Authorities documentation for more information on how the policy-server executable treats them.

Default PolicyServer managed by Helm

The kubewarden-defaults Helm chart owns the PolicyServer named default. If you use that default PolicyServer, configure custom source settings with policyServer.* Helm values instead of editing the generated resource directly.

For registries without TLS, set policyServer.insecureSources:

```yaml
# values.yaml
policyServer:
  insecureSources:
    - registry-pre.example.com:5000
```

For a registry that uses a custom CA, set policyServer.sourceAuthorities:

```yaml
# values.yaml
policyServer:
  sourceAuthorities:
    - uri: registry-pre2.example.com:5500
      certs:
        - |
          -----BEGIN CERTIFICATE-----
          ca-pre2 PEM cert
          -----END CERTIFICATE-----
```

Apply those values when installing or upgrading kubewarden-defaults:

```shell
helm upgrade --install --wait -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults \
  -f values.yaml
```
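The two sections above describe the same settings in two shapes: the PolicyServer spec keys sourceAuthorities by URI, while the kubewarden-defaults Helm values use a list of uri/certs entries. The script below is an added example, not code from the Kubewarden project or this page. It checks each PEM block before it lands in a resource (valid base64, DER payload that starts with the ASN.1 SEQUENCE tag every X.509 certificate has), checks that registry URIs use the host[:port] form the page's examples show (assumed from those examples, no scheme or path), builds the spec fragment, converts it to the Helm values shape, and warns when a registry appears in both insecureSources and sourceAuthorities, since accepting untrusted certificates for a host makes a custom CA for that host moot. The PEM material is a constructed placeholder (an empty DER SEQUENCE), not a real certificate; the function names are this example's own.

```python
import base64
import json
import re

# Added example (not Kubewarden's own code). Assumes the host[:port] URI form
# and the two configuration shapes shown in the Kubewarden docs page.

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)
# Registry URI as in the page's examples: bare host, optional port, no scheme or path.
URI_FORM = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$")


def parse_pem_certs(text: str) -> list:
    """Return every certificate in `text` as a normalised PEM string.

    Each block must be valid base64 whose DER payload begins with the SEQUENCE
    tag (0x30). Catching a damaged CA entry here is cheaper than discovering it
    when the policy-server fails to pull a policy."""
    certs = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"certificate block is not valid base64: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError("decoded payload is not a DER SEQUENCE, so not an X.509 certificate")
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    if not certs:
        raise ValueError("no CERTIFICATE blocks found")
    return certs


def check_uri(uri: str) -> str:
    """Accept only host[:port]; reject schemes, paths and out-of-range ports."""
    m = URI_FORM.match(uri)
    if m is None:
        raise ValueError(f"{uri!r}: expected host[:port] without scheme or path")
    if m.group("port") is not None and int(m.group("port")) > 65535:
        raise ValueError(f"{uri!r}: port out of range")
    return uri


def build_spec(insecure_sources, source_authorities) -> dict:
    """Build the PolicyServer `spec` fragment: sourceAuthorities is a map keyed by URI."""
    return {
        "insecureSources": [check_uri(u) for u in insecure_sources],
        "sourceAuthorities": {
            check_uri(uri): parse_pem_certs(pem) for uri, pem in source_authorities.items()
        },
    }


def to_helm_values(spec: dict) -> dict:
    """Re-shape the spec into kubewarden-defaults `policyServer.*` values,
    where sourceAuthorities is a list of {uri, certs} entries."""
    return {
        "policyServer": {
            "insecureSources": list(spec["insecureSources"]),
            "sourceAuthorities": [
                {"uri": uri, "certs": certs} for uri, certs in spec["sourceAuthorities"].items()
            ],
        }
    }


def lint(spec: dict) -> list:
    """Warn about a registry that is both insecure and given a custom CA: with
    untrusted certificates accepted for that host, the CA adds no assurance."""
    overlap = set(spec["insecureSources"]) & set(spec["sourceAuthorities"])
    return [f"{u}: listed in both insecureSources and sourceAuthorities" for u in sorted(overlap)]


# Constructed placeholder: base64 of the two-byte DER "SEQUENCE {}" (0x30 0x00).
# It exercises the checks but is not a real certificate.
PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    spec = build_spec(
        ["localhost:5000", "host.k3d.internal:5000"],
        {"registry-pre2.example.com:5500": PLACEHOLDER_PEM * 2},
    )
    # JSON is valid YAML, so this output can be used directly as values.yaml.
    print(json.dumps(to_helm_values(spec), indent=2))
    for warning in lint(spec):
        print("warning:", warning)
```

Run it as-is to see the generated Helm values for the constructed input; replace the placeholder with the contents of your real CA bundle file and the registry names with your own to produce the fragment you apply with helm upgrade.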