Difference between revisions of "StarlingX/Containers/Applications/app-portieris"
Latest revision as of 19:38, 14 February 2024
Application: portieris-armada-app

Source

- Code Repository: https://opendev.org/starlingx/portieris-armada-app
- Gerrit reviews: https://review.opendev.org/q/project:starlingx/por...

Building

- From the Debian Build environment:

    build-pkgs -p portieris-helm,python-k8sapp-portieris,stx-portieris-helm

Testing

Portieris only admits signed images. One way to set up image signing is to deploy Harbor with Notary:

    https://goharbor.io/docs/2.7.0/install-config/run-installer-script/#installation-with-notary
    https://goharbor.io/docs/2.7.0/working-with-projects/working-with-images/sign-images/

Portieris is an optional StarlingX application and is not applied by default. To apply it, find the application tarball in

    /usr/local/share/applications/helm

and upload it with

    system application-upload /usr/local/share/applications/helm/name-of-portieris-tarball

Create caCert.yaml containing the base64-encoded CA certificate of your Notary:

    caCert: <base64 encoded CA certificate for your Notary>

Apply the helm override to the portieris-certs chart so that Portieris trusts your Notary's CA:

    system helm-override-update portieris portieris-certs portieris --values caCert.yaml

Apply the Portieris application:

    system application-apply portieris

Create an ImagePolicy (image-policy.yaml) that requires images from a given registry to be signed via a given Notary (the registry and Notary hostnames below are placeholders):

    apiVersion: portieris.cloud.ibm.com/v1
    kind: ImagePolicy
    metadata:
      name: allow-custom
    spec:
      repositories:
      - name: "my.harbor.registry.com:12345/*"
        policy:
          trust:
            enabled: true
            trustServer: "https://my.harbor.notary.com:54321"

Apply your ImagePolicy:

    kubectl apply -f image-policy.yaml

Deployments and pods that reference an image from that registry without valid trust data should now be rejected by the admission webhook with an error like the following:

    trust: policy denied the request: Deny "my.harbor.registry.com:12345/test-unsigned/busybox:latest", failed to get content trust information: my.harbor.notary.com:54321 does not have trust data for my.harbor.registry.com:12345/test-unsigned/busybox
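Added example, not part of this wiki page or of the portieris-armada-app project: a small Python helper that produces the two files used in the test flow above (caCert.yaml and the ImagePolicy), checks which image references a policy's repository patterns cover, and parses the denial message so it can be picked out of admission logs. The PEM certificate text is a constructed stand-in, the function names are the author's own, and repository matching uses Python's fnmatch as an approximation of Portieris's wildcard matching; the registry and Notary hostnames are the placeholders used on this page.

```python
"""Helpers for the Portieris test flow described on this page.

Added example, not StarlingX or Portieris code. Assumptions: the PEM below
is a constructed placeholder; fnmatch approximates Portieris's repository
wildcard matching ('*' spans path separators, as the page's denial shows).
"""
import base64
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

# Constructed placeholder, not a real certificate.
NOTARY_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBexampleCAcertificateBodyGoesHere\n"
    "-----END CERTIFICATE-----\n"
)

# Hostnames are the placeholders used on the page.
REGISTRY_PATTERN = "my.harbor.registry.com:12345/*"
TRUST_SERVER = "https://my.harbor.notary.com:54321"

# Constructed copy of the denial message shown on the page.
DENIAL_LINE = (
    'trust: policy denied the request: Deny '
    '"my.harbor.registry.com:12345/test-unsigned/busybox:latest", '
    'failed to get content trust information: my.harbor.notary.com:54321 '
    'does not have trust data for my.harbor.registry.com:12345/test-unsigned/busybox'
)


def encode_ca_cert(pem_text: str) -> str:
    """Base64-encode the PEM text, the form the caCert helm value expects."""
    if "BEGIN CERTIFICATE" not in pem_text:
        raise ValueError("expected a PEM-encoded certificate")
    return base64.b64encode(pem_text.encode()).decode()


def render_ca_cert_values(pem_text: str) -> str:
    """Contents of caCert.yaml for `system helm-override-update ... --values`."""
    return f"caCert: {encode_ca_cert(pem_text)}\n"


def render_image_policy(name: str, repositories: List[Tuple[str, str]]) -> str:
    """Render an ImagePolicy enforcing trust for each (pattern, trust_server)."""
    lines = [
        "apiVersion: portieris.cloud.ibm.com/v1",
        "kind: ImagePolicy",
        "metadata:",
        f"  name: {name}",
        "spec:",
        "  repositories:",
    ]
    for pattern, trust_server in repositories:
        # A plaintext trust server would let an on-path party supply trust data.
        if not trust_server.startswith("https://"):
            raise ValueError(f"trustServer must use https: {trust_server}")
        lines += [
            f'  - name: "{pattern}"',
            "    policy:",
            "      trust:",
            "        enabled: true",
            f'        trustServer: "{trust_server}"',
        ]
    return "\n".join(lines) + "\n"


def policy_covers(image_ref: str, patterns: List[str]) -> bool:
    """True when the image reference matches any repository pattern."""
    return any(fnmatch.fnmatchcase(image_ref, p) for p in patterns)


_DENIAL_RE = re.compile(
    r'Deny "(?P<image>[^"]+)".*?(?P<notary>\S+) does not have trust data for (?P<repo>\S+)'
)


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Extract image, notary and repository from a Portieris denial message."""
    m = _DENIAL_RE.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print(render_ca_cert_values(NOTARY_CA_PEM))
    print(render_image_policy("allow-custom", [(REGISTRY_PATTERN, TRUST_SERVER)]))
    print(parse_denial(DENIAL_LINE))
```

Running the script prints the two files and the parsed denial; `policy_covers` is useful before applying a policy to confirm that the images you expect to be gated actually fall under a repository pattern, since an image outside every pattern is not subject to the trust check at all.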