Portieris Server Certificate¶
Portieris allows you to configure trust policies for an individual namespace or cluster-wide, and checks the image against a signed image list on a specified notary server to enforce the configured image policies.
Refer to Portieris Admission Controller for details about Portieris installation and configuration.
The StarlingX implementation of Portieris is integrated with cert-manager.
Once Portieris application is applied, the server certificate is created in cert-manager and stored in a secret in the Portieris namespace.
The server certificate has default 3 month validity.
Certificate in cert-manager: portieris-certs
Certificate secret: portieris-certs
This server certificate is used by Portieris webhook for secure communication
In order for Portieris on the StarlingX to securely access registries or notary servers with certificates signed by a custom CA certificate, the caCert: CERTIFICATE override must be added to the portieris-certs Helm chart so that Portieris trusts the custom CA certificate.
This must be passed as the base-64 encoded (b64enc) format of the CA certificate and may contain one or more CA certificates.
Install Portieris certificates¶
The Portieris server certificate is automatically created and managed by cert-manager once Portieris application is applied.
One or more CA certificates can be installed for Portieris to trust registries and notary servers.
Refer to Install Portieris for CA certificates installation.
Update/Renew Portieris certificates¶
Portieris server certificate is managed by cert-manager.
Currently notification of the renewal is not supported.
It is recommended to re-configure the automatically configured Portieris Certificate to have a long duration since certificate renewal is not fully supported for Portieris.
CA certificates can be updated the same way as installation.
Once CA certificates are updated, you must restart Portieris using the command:
~(keystone_admin)]$ kubectl rollout restart deployment portieris-portieris -n portieris