
StarlingX/Containers/Applications/app-portieris

Application: portieris-armada-app

Source

Building

  • From the Debian Build environment:
build-pkgs -p portieris-helm,python-k8sapp-portieris,stx-portieris-helm

Testing

Portieris enforces image signing: it admits only images that have trust data. One way to set up image signing is to deploy Harbor with Notary:

https://goharbor.io/docs/2.7.0/install-config/run-installer-script/#installation-with-notary

https://goharbor.io/docs/2.7.0/working-with-projects/working-with-images/sign-images/

Portieris is an optional application in StarlingX, not applied by default. To apply the Portieris application, find the application tarball in

/usr/local/share/applications/helm

and upload using

system application-upload /usr/local/share/applications/helm/name-of-portieris-tarball

Create caCert.yaml with the CA certificate for your Notary

caCert: <base64 encoded CA certificate for your Notary>

Apply Helm overrides to the portieris-certs chart, setting the CA certificate for your Notary:

system helm-override-update portieris portieris-certs portieris --values caCert.yaml

Apply the Portieris application

system application-apply portieris

Create an ImagePolicy (image-policy.yaml) to enforce that images from a certain registry must be signed by a certain notary:

apiVersion: portieris.cloud.ibm.com/v1
kind: ImagePolicy
metadata:
  name: allow-custom
spec:
  repositories:
    - name: "my.harbor.registry.com:12345/*"
      policy:
        trust:
          enabled: true
          trustServer: "https://my.harbor.notary.com:54321"

Apply your ImagePolicy

kubectl apply -f image-policy.yaml

Now Kubernetes deployments/pods that use an image without proper signing information should fail, with an error like the following:

trust: policy denied the request: Deny "my.harbor.registry.com:12345/test-unsigned/busybox:latest", failed to get content trust information: my.harbor.notary.com:54321 does not have trust data for my.harbor.registry.com:12345/test-unsigned/busybox
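Before applying a policy like the one above, it helps to know which image references in a namespace fall under a trust-enabled repository entry and would therefore need trust data on the Notary. The following added example (not part of this page or of Portieris) does that pre-flight check against a copy of the page's ImagePolicy; it assumes glob-style repository matching and Docker Hub normalisation as an approximation of how Portieris matches repository names.

```python
"""Pre-flight check: which image references does an ImagePolicy's trust
enforcement cover? Added example; matching is a glob-based approximation."""
from fnmatch import fnmatchcase

# Constructed copy of the page's ImagePolicy, as a dict instead of YAML.
IMAGE_POLICY = {
    "apiVersion": "portieris.cloud.ibm.com/v1",
    "kind": "ImagePolicy",
    "metadata": {"name": "allow-custom"},
    "spec": {"repositories": [
        {"name": "my.harbor.registry.com:12345/*",
         "policy": {"trust": {"enabled": True,
                              "trustServer": "https://my.harbor.notary.com:54321"}}},
    ]},
}

def validate_policy(policy):
    """Return a list of problems; an empty list means the policy looks sane."""
    problems = []
    if policy.get("apiVersion") != "portieris.cloud.ibm.com/v1":
        problems.append("unexpected apiVersion")
    if policy.get("kind") != "ImagePolicy":
        problems.append("kind must be ImagePolicy")
    for repo in policy.get("spec", {}).get("repositories", []):
        trust = repo.get("policy", {}).get("trust", {})
        if trust.get("enabled") and not trust.get("trustServer", "").startswith("https://"):
            problems.append(f"{repo.get('name')}: trustServer must be https")
    return problems

def repository_of(image_ref):
    """Normalise an image reference to registry/path, dropping tag and digest."""
    ref = image_ref.split("@", 1)[0]                 # drop any digest
    head, _, tail = ref.rpartition("/")
    tail = tail.split(":", 1)[0]                     # tag lives only in the last part
    ref = f"{head}/{tail}" if head else tail
    first = ref.split("/", 1)[0]
    if "." not in first and ":" not in first and first != "localhost":
        ref = "docker.io/" + ref                     # no registry given: Docker Hub
        if ref.count("/") == 1:                      # official image: library/ namespace
            ref = ref.replace("docker.io/", "docker.io/library/", 1)
    return ref

def trust_required(policy, image_ref):
    """Return the trustServer that covers image_ref, or None if no trust-enabled
    repository entry matches it (assumed: '*' matches across path segments)."""
    repo = repository_of(image_ref)
    for entry in policy["spec"]["repositories"]:
        trust = entry.get("policy", {}).get("trust", {})
        if trust.get("enabled") and fnmatchcase(repo, entry["name"]):
            return trust.get("trustServer")
    return None
```

Run `trust_required(IMAGE_POLICY, ref)` over the images of your existing pods: any reference that returns a trust server must have trust data on that Notary or it will be denied as in the error above.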