diff --git a/docs/howtos/airgap/02-install.md b/docs/howtos/airgap/02-install.md index 43365d6f39..9be019ecde 100644 --- a/docs/howtos/airgap/02-install.md +++ b/docs/howtos/airgap/02-install.md 
@@ -152,119 +152,6 @@ learn how to configure the `sources.yaml` file. ::: -## Install Kubewarden - -Now that your private registry has everything required you can install -Kubewarden. The only difference to a standard Kubewarden installation is that -you need to change the registry in the container images and policies to be the -private registry. - -Install the Kubewarden stack: - -```shell -helm install --wait -n kubewarden \ - kubewarden-crds kubewarden-crds.tgz -``` - -```shell -helm install --wait -n kubewarden \ - kubewarden-controller kubewarden-controller.tgz \ - --set global.cattle.systemDefaultRegistry= -``` - -:::caution - -To use the Policy Reporter subchart available in the `kubewarden-controller` -chart, you need to define other values specific for the subchart in an -air-gapped environment. See an example below: - -```shell -helm install --wait -n kubewarden kubewarden-controller kubewarden-controller.tgz \ - --set global.cattle.systemDefaultRegistry= \ - --set auditScanner.policyReporter=true \ - --set policy-reporter.image.registry= \ - --set policy-reporter.ui.image.registry= \ - --set policy-reporter.image.repository=kyverno/policy-reporter \ - --set policy-reporter.ui.image.repository=kyverno/policy-reporter-ui -``` - -It's necessary to define `auditScanner.policyReporter` to enable the subchart -and 4 more values to configure the registry and repository where you store the -Policy Reporter images. For more information about the policy report subchart -values, see [Policy Reporter -documentation](https://kyverno.github.io/policy-reporter-docs/getting-started/helm.html). 
- -::: - -```shell -helm install --wait -n kubewarden \ - kubewarden-defaults kubewarden-defaults.tgz \ - --set global.cattle.systemDefaultRegistry= -``` - -:::caution - -To download the recommended policies installed by the `kubewarden-defaults` -Helm Chart from a registry other than `global.cattle.systemDefaultRegistry`, -use the `recommendedPolicies.defaultPoliciesRegistry` configuration. -This configuration lets users specify a registry dedicated to pulling the OCI -artifacts of the policies. It's particularly useful when their container image -repository doesn't support OCI artifacts. - -To install and wait for the installation to complete, use the following -command: - -```console -helm install --wait -n kubewarden \ - kubewarden-defaults kubewarden-defaults.tgz \ - --set global.cattle.systemDefaultRegistry= \ - --set recommendedPolicies.defaultPoliciesRegistry= -``` - -If the `recommendedPolicies.defaultPoliciesRegistry` configuration isn't set, -you use `global.cattle.systemDefaultRegistry` as the default registry. - -::: - -Finally, you need to configure Policy Server to fetch policies from your -private registry. See the [using private -registry](../policy-servers/private-registry) section of the documentation. - -Now you can create Kubewarden policies in your cluster. Policies must be -available in your private registry. - -``` -kubectl apply -f - </kubewarden/policies/pod-privileged:v0.2.2 - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - operations: - - CREATE - mutating: false -EOF -``` - -:::caution - -`PolicyServer` resources must use the image available in your private registry. 
-For example: - -```yaml -apiVersion: policies.kubewarden.io/v1 -kind: PolicyServer -metadata: - name: reserved-instance-for-tenant-a -spec: - image: /kubewarden/policy-server:v1.3.0 - replicas: 2 - serviceAccountName: sa -``` - -::: +After loading the images and policies into your private registry, continue with +[installing and configuring Kubewarden from the private +registry](./install-configure). diff --git a/docs/howtos/airgap/03-hauler.md b/docs/howtos/airgap/03-hauler.md index 82a1ccc9e1..a8e375a66d 100644 --- a/docs/howtos/airgap/03-hauler.md +++ b/docs/howtos/airgap/03-hauler.md 
@@ -125,91 +125,6 @@ This starts a registry at the `localhost:5000` address. From this point, you can use other commands like Skopeo to copy all the container images, policy modules and Helm charts used by Kubewarden into your private registry. -## Install Kubewarden - -Now that your private registry is complete, you can install Kubewarden. The -difference from a standard Kubewarden installation is that you need to change -the registry referenced in the container images and policies to be the private -registry. Additionally, the Helm charts must be installed from OCI artifacts. - -Install the Kubewarden stack: - -```shell -helm install --wait -n kubewarden kubewarden-crds --create-namespace \ - oci:///hauler/kubewarden-crds -helm install --wait -n kubewarden kubewarden-controller \ - --set "global.cattle.systemDefaultRegistry=" \ - oci:///hauler/kubewarden-controller -``` - -:::caution - -To use the PolicyReporter sub-chart available in the `kubewarden-controller` -chart you need to define other values specific for the sub-chart in an -air-gapped environment. See an example below: - -```shell -helm install --wait -n kubewarden kubewarden-controller oci:///hauler/kubewarden-controller \ - --set global.cattle.systemDefaultRegistry= \ - --set auditScanner.policyReporter=true \ - --set policy-reporter.image.registry= \ - --set policy-reporter.image.repository=kyverno/policy-reporter \ - --set policy-reporter.ui.image.registry= \ - --set policy-reporter.ui.image.repository=kyverno/policy-reporter-ui -``` - -It's necessary to define `auditScanner.policyReporter` and four other values to -enable the sub-chart and to configure the registry and repository with the -location of the Policy Reporter image store. For more information about the -policy report sub-chart values, refer to [Policy Reporter -documentation](https://kyverno.github.io/policy-reporter-docs/getting-started/helm.html). 
- -::: - -```shell -helm install --wait -n kubewarden \ - kubewarden-defaults oci:///hauler/kubewarden-defaults \ - --set global.cattle.systemDefaultRegistry= -``` - -Finally, configure each Policy Server to fetch policies from your private -registry. See the [using private registry](../policy-servers/private-registry) -section of the documentation. - -Now create Kubewarden policies in your cluster. Policies must be available in -your private registry. - -``` -kubectl apply -f - </kubewarden/policies/pod-privileged:v0.2.2 - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - operations: - - CREATE - mutating: false -EOF -``` - -:::caution -`PolicyServer` resources must use the image available in your private registry. -For example: - -```yaml -apiVersion: policies.kubewarden.io/v1 -kind: PolicyServer -metadata: - name: reserved-instance-for-tenant-a -spec: - image: /kubewarden/policy-server:v1.3.0 - replicas: 2 - serviceAccountName: sa -``` - -::: +After copying the Hauler store into your private registry, continue with +[installing and configuring Kubewarden from the private +registry](./install-configure). diff --git a/docs/howtos/airgap/04-install-configure.md b/docs/howtos/airgap/04-install-configure.md new file mode 100644 index 0000000000..ad5d7c4528 --- /dev/null +++ b/docs/howtos/airgap/04-install-configure.md 
@@ -0,0 +1,192 @@ +--- +sidebar_label: Install and configure +title: Install and configure Kubewarden from a private registry +description: Install Kubewarden from a private registry and configure PolicyServers in air-gapped environments. +keywords: [kubewarden, kubernetes, air gap installation, policyserver] +doc-persona: [kubewarden-operator, kubewarden-integrator] +doc-type: [howto] +doc-topic: [operator-manual, air gap, installation, policyservers] +--- + + + + + +After you populate the private registry, install Kubewarden from the Helm +charts and artifacts that are available inside the air-gapped environment. + +The installation needs two registry-related settings: + +- `global.cattle.systemDefaultRegistry` points the Kubewarden charts to the + private registry that contains container images. +- `recommendedPolicies.defaultPoliciesRegistry` points `kubewarden-defaults` + to the registry that contains the recommended policy OCI artifacts. When + unset, `kubewarden-defaults` uses `global.cattle.systemDefaultRegistry`. + +If your private registry requires credentials or uses custom TLS settings, +configure the `default` PolicyServer with `kubewarden-defaults` Helm values. +For custom PolicyServers, configure the `PolicyServer` resource directly. + +## Install from chart archives + +Use this path when you copied `.tgz` chart archives into the air-gapped +environment with the manual process. + +```shell +helm install --wait -n kubewarden kubewarden-crds kubewarden-crds.tgz \ + --create-namespace +helm install --wait -n kubewarden kubewarden-controller kubewarden-controller.tgz \ + --set global.cattle.systemDefaultRegistry= +helm install --wait -n kubewarden kubewarden-defaults kubewarden-defaults.tgz \ + --set global.cattle.systemDefaultRegistry= +``` + +## Install from Hauler OCI artifacts + +Use this path when Hauler copied the Helm charts into your private registry as +OCI artifacts. 
+ +```shell +helm install --wait -n kubewarden kubewarden-crds \ + oci:///hauler/kubewarden-crds \ + --create-namespace +helm install --wait -n kubewarden kubewarden-controller \ + oci:///hauler/kubewarden-controller \ + --set global.cattle.systemDefaultRegistry= +helm install --wait -n kubewarden kubewarden-defaults \ + oci:///hauler/kubewarden-defaults \ + --set global.cattle.systemDefaultRegistry= +``` + +In the commands below, replace `kubewarden-defaults.tgz` with the Hauler OCI +chart URL if you installed `kubewarden-defaults` from an OCI artifact. + +## Configure recommended policy registry + +If the recommended policy OCI artifacts are mirrored to a registry different +from `global.cattle.systemDefaultRegistry`, set +`recommendedPolicies.defaultPoliciesRegistry` on `kubewarden-defaults`: + +```shell +helm upgrade --install --wait -n kubewarden kubewarden-defaults kubewarden-defaults.tgz \ + --set global.cattle.systemDefaultRegistry= \ + --set recommendedPolicies.defaultPoliciesRegistry= +``` + +## Configure the default PolicyServer + +The `kubewarden-defaults` chart owns the `PolicyServer` named `default`. +Configure that PolicyServer by setting `policyServer.*` Helm values when you +install or upgrade `kubewarden-defaults`. 
+ +For a private registry that requires credentials, create the image pull Secret +in the Kubewarden namespace and set `policyServer.imagePullSecret`: + +```shell +kubectl --namespace kubewarden create secret docker-registry secret-private-registry \ + --docker-username= \ + --docker-password= \ + --docker-server= + +helm upgrade --install --wait -n kubewarden kubewarden-defaults kubewarden-defaults.tgz \ + --set global.cattle.systemDefaultRegistry= \ + --set policyServer.imagePullSecret=secret-private-registry +``` + +For a private registry without TLS, set `policyServer.insecureSources`: + +```yaml +# values.yaml +global: + cattle: + systemDefaultRegistry: +policyServer: + insecureSources: + - +``` + +For a private registry that uses a custom CA, set +`policyServer.sourceAuthorities`: + +```yaml +# values.yaml +global: + cattle: + systemDefaultRegistry: +policyServer: + sourceAuthorities: + - uri: + certs: + - | + -----BEGIN CERTIFICATE----- + + -----END CERTIFICATE----- +``` + +Then install or upgrade the chart with the values file: + +```shell +helm upgrade --install --wait -n kubewarden kubewarden-defaults kubewarden-defaults.tgz \ + -f values.yaml +``` + +## Configure custom PolicyServers + +For a custom PolicyServer that you manage yourself, configure the +`PolicyServer` resource. The `image` field must reference the policy-server +image in your private registry. Add `imagePullSecret`, `insecureSources`, or +`sourceAuthorities` when your registry needs them. 
+ +```yaml +apiVersion: policies.kubewarden.io/v1 +kind: PolicyServer +metadata: + name: reserved-instance-for-tenant-a +spec: + image: /kubewarden/policy-server:v1.34.2 + replicas: 2 + serviceAccountName: policy-server + imagePullSecret: secret-private-registry + insecureSources: + - +``` + +## Create policies + +After Kubewarden is installed and the target PolicyServer can reach your +private registry, create policies that reference policy modules from the same +registry: + +```yaml +apiVersion: policies.kubewarden.io/v1 +kind: ClusterAdmissionPolicy +metadata: + name: privileged-pods +spec: + module: registry:///kubewarden/policies/pod-privileged:v0.2.2 + rules: + - apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + operations: + - CREATE + mutating: false +``` + +## Policy Reporter subchart + +If you enable the Policy Reporter subchart in `kubewarden-controller`, configure +its image registry and repository values for the air-gapped registry: + +```shell +helm upgrade --install --wait -n kubewarden kubewarden-controller kubewarden-controller.tgz \ + --set global.cattle.systemDefaultRegistry= \ + --set auditScanner.policyReporter=true \ + --set policy-reporter.image.registry= \ + --set policy-reporter.image.repository=kyverno/policy-reporter \ + --set policy-reporter.ui.image.registry= \ + --set policy-reporter.ui.image.repository=kyverno/policy-reporter-ui +``` + +For more information about Policy Reporter chart values, see the +[Policy Reporter documentation](https://kyverno.github.io/policy-reporter-docs/getting-started/helm.html). diff --git a/docs/howtos/policy-servers/01-custom-cas.md b/docs/howtos/policy-servers/01-custom-cas.md index efaaf4a780..5f8c1cf802 100644 --- a/docs/howtos/policy-servers/01-custom-cas.md +++ b/docs/howtos/policy-servers/01-custom-cas.md 
@@ -78,3 +78,40 @@ spec: See the [Custom Certificate Authorities](../custom-certificate-authorities.md) documentation for more information on how the `policy-server` executable treats them. + +## Default PolicyServer managed by Helm + +The `kubewarden-defaults` Helm chart owns the `PolicyServer` named `default`. +If you use that default PolicyServer, configure custom source settings with +`policyServer.*` Helm values instead of editing the generated resource +directly. + +For registries without TLS, set `policyServer.insecureSources`: + +```yaml +# values.yaml +policyServer: + insecureSources: + - registry-pre.example.com:5000 +``` + +For a registry that uses a custom CA, set `policyServer.sourceAuthorities`: + +```yaml +# values.yaml +policyServer: + sourceAuthorities: + - uri: registry-pre2.example.com:5500 + certs: + - | + -----BEGIN CERTIFICATE----- + ca-pre2 PEM cert + -----END CERTIFICATE----- +``` + +Apply those values when installing or upgrading `kubewarden-defaults`: + +```shell +helm upgrade --install --wait -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults \ + -f values.yaml +``` diff --git a/docs/howtos/policy-servers/02-private-registry.md b/docs/howtos/policy-servers/02-private-registry.md index fc523b8a39..dd07ae86fd 100644 --- a/docs/howtos/policy-servers/02-private-registry.md +++ b/docs/howtos/policy-servers/02-private-registry.md @@ -50,7 +50,7 @@ kubectl --namespace kubewarden create secret docker-registry secret-ghcr-docker :::tip Label the Secret as specified -[here](../rancher-backup-operator.md#User-secrets) for it to be part of +[here](../rancher-backup-operator.md#user-secrets) for it to be part of backups done by Rancher Backup Operator ::: 
@@ -76,17 +76,22 @@ spec: imagePullSecret: "secret-ghcr-docker" ``` -## Consuming the Secret in Helm charts +## Default PolicyServer managed by Helm -When deployed from the `kubewarden-defaults` Helm chart, you can set the -`policyServer.imagePullSecret` value to the Secret name. Then, -the created default policy server is able to download policies from your -private registry as well: +The `kubewarden-defaults` Helm chart owns the `PolicyServer` named `default`. +If you use that default PolicyServer, set `policyServer.imagePullSecret` to +the Secret name. Then, the default PolicyServer can download policies from your +private registry: ```yaml -# values file example +# values.yaml policyServer: - telemetry: - enabled: False imagePullSecret: secret-ghcr-docker ``` + +Apply those values when installing or upgrading `kubewarden-defaults`: + +```shell +helm upgrade --install --wait -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults \ + -f values.yaml +``` diff --git a/versioned_docs/version-1.34/howtos/airgap/02-install.md b/versioned_docs/version-1.34/howtos/airgap/02-install.md index 43365d6f39..9be019ecde 100644 --- a/versioned_docs/version-1.34/howtos/airgap/02-install.md +++ b/versioned_docs/version-1.34/howtos/airgap/02-install.md 
@@ -152,119 +152,6 @@ learn how to configure the `sources.yaml` file. ::: -## Install Kubewarden - -Now that your private registry has everything required you can install -Kubewarden. The only difference to a standard Kubewarden installation is that -you need to change the registry in the container images and policies to be the -private registry. - -Install the Kubewarden stack: - -```shell -helm install --wait -n kubewarden \ - kubewarden-crds kubewarden-crds.tgz -``` - -```shell -helm install --wait -n kubewarden \ - kubewarden-controller kubewarden-controller.tgz \ - --set global.cattle.systemDefaultRegistry= -``` - -:::caution - -To use the Policy Reporter subchart available in the `kubewarden-controller` -chart, you need to define other values specific for the subchart in an -air-gapped environment. See an example below: - -```shell -helm install --wait -n kubewarden kubewarden-controller kubewarden-controller.tgz \ - --set global.cattle.systemDefaultRegistry= \ - --set auditScanner.policyReporter=true \ - --set policy-reporter.image.registry= \ - --set policy-reporter.ui.image.registry= \ - --set policy-reporter.image.repository=kyverno/policy-reporter \ - --set policy-reporter.ui.image.repository=kyverno/policy-reporter-ui -``` - -It's necessary to define `auditScanner.policyReporter` to enable the subchart -and 4 more values to configure the registry and repository where you store the -Policy Reporter images. For more information about the policy report subchart -values, see [Policy Reporter -documentation](https://kyverno.github.io/policy-reporter-docs/getting-started/helm.html). 
- -::: - -```shell -helm install --wait -n kubewarden \ - kubewarden-defaults kubewarden-defaults.tgz \ - --set global.cattle.systemDefaultRegistry= -``` - -:::caution - -To download the recommended policies installed by the `kubewarden-defaults` -Helm Chart from a registry other than `global.cattle.systemDefaultRegistry`, -use the `recommendedPolicies.defaultPoliciesRegistry` configuration. -This configuration lets users specify a registry dedicated to pulling the OCI -artifacts of the policies. It's particularly useful when their container image -repository doesn't support OCI artifacts. - -To install and wait for the installation to complete, use the following -command: - -```console -helm install --wait -n kubewarden \ - kubewarden-defaults kubewarden-defaults.tgz \ - --set global.cattle.systemDefaultRegistry= \ - --set recommendedPolicies.defaultPoliciesRegistry= -``` - -If the `recommendedPolicies.defaultPoliciesRegistry` configuration isn't set, -you use `global.cattle.systemDefaultRegistry` as the default registry. - -::: - -Finally, you need to configure Policy Server to fetch policies from your -private registry. See the [using private -registry](../policy-servers/private-registry) section of the documentation. - -Now you can create Kubewarden policies in your cluster. Policies must be -available in your private registry. - -``` -kubectl apply -f - </kubewarden/policies/pod-privileged:v0.2.2 - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - operations: - - CREATE - mutating: false -EOF -``` - -:::caution - -`PolicyServer` resources must use the image available in your private registry. 
-For example: - -```yaml -apiVersion: policies.kubewarden.io/v1 -kind: PolicyServer -metadata: - name: reserved-instance-for-tenant-a -spec: - image: /kubewarden/policy-server:v1.3.0 - replicas: 2 - serviceAccountName: sa -``` - -::: +After loading the images and policies into your private registry, continue with +[installing and configuring Kubewarden from the private +registry](./install-configure). diff --git a/versioned_docs/version-1.34/howtos/airgap/03-hauler.md b/versioned_docs/version-1.34/howtos/airgap/03-hauler.md index 82a1ccc9e1..a8e375a66d 100644 --- a/versioned_docs/version-1.34/howtos/airgap/03-hauler.md +++ b/versioned_docs/version-1.34/howtos/airgap/03-hauler.md 
@@ -125,91 +125,6 @@ This starts a registry at the `localhost:5000` address. From this point, you can use other commands like Skopeo to copy all the container images, policy modules and Helm charts used by Kubewarden into your private registry. -## Install Kubewarden - -Now that your private registry is complete, you can install Kubewarden. The -difference from a standard Kubewarden installation is that you need to change -the registry referenced in the container images and policies to be the private -registry. Additionally, the Helm charts must be installed from OCI artifacts. - -Install the Kubewarden stack: - -```shell -helm install --wait -n kubewarden kubewarden-crds --create-namespace \ - oci:///hauler/kubewarden-crds -helm install --wait -n kubewarden kubewarden-controller \ - --set "global.cattle.systemDefaultRegistry=" \ - oci:///hauler/kubewarden-controller -``` - -:::caution - -To use the PolicyReporter sub-chart available in the `kubewarden-controller` -chart you need to define other values specific for the sub-chart in an -air-gapped environment. See an example below: - -```shell -helm install --wait -n kubewarden kubewarden-controller oci:///hauler/kubewarden-controller \ - --set global.cattle.systemDefaultRegistry= \ - --set auditScanner.policyReporter=true \ - --set policy-reporter.image.registry= \ - --set policy-reporter.image.repository=kyverno/policy-reporter \ - --set policy-reporter.ui.image.registry= \ - --set policy-reporter.ui.image.repository=kyverno/policy-reporter-ui -``` - -It's necessary to define `auditScanner.policyReporter` and four other values to -enable the sub-chart and to configure the registry and repository with the -location of the Policy Reporter image store. For more information about the -policy report sub-chart values, refer to [Policy Reporter -documentation](https://kyverno.github.io/policy-reporter-docs/getting-started/helm.html). 
- -::: - -```shell -helm install --wait -n kubewarden \ - kubewarden-defaults oci:///hauler/kubewarden-defaults \ - --set global.cattle.systemDefaultRegistry= -``` - -Finally, configure each Policy Server to fetch policies from your private -registry. See the [using private registry](../policy-servers/private-registry) -section of the documentation. - -Now create Kubewarden policies in your cluster. Policies must be available in -your private registry. - -``` -kubectl apply -f - </kubewarden/policies/pod-privileged:v0.2.2 - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - operations: - - CREATE - mutating: false -EOF -``` - -:::caution -`PolicyServer` resources must use the image available in your private registry. -For example: - -```yaml -apiVersion: policies.kubewarden.io/v1 -kind: PolicyServer -metadata: - name: reserved-instance-for-tenant-a -spec: - image: /kubewarden/policy-server:v1.3.0 - replicas: 2 - serviceAccountName: sa -``` - -::: +After copying the Hauler store into your private registry, continue with +[installing and configuring Kubewarden from the private +registry](./install-configure). diff --git a/versioned_docs/version-1.34/howtos/airgap/04-install-configure.md b/versioned_docs/version-1.34/howtos/airgap/04-install-configure.md new file mode 100644 index 0000000000..ad5d7c4528 --- /dev/null +++ b/versioned_docs/version-1.34/howtos/airgap/04-install-configure.md 
@@ -0,0 +1,192 @@ +--- +sidebar_label: Install and configure +title: Install and configure Kubewarden from a private registry +description: Install Kubewarden from a private registry and configure PolicyServers in air-gapped environments. +keywords: [kubewarden, kubernetes, air gap installation, policyserver] +doc-persona: [kubewarden-operator, kubewarden-integrator] +doc-type: [howto] +doc-topic: [operator-manual, air gap, installation, policyservers] +--- + + + + + +After you populate the private registry, install Kubewarden from the Helm +charts and artifacts that are available inside the air-gapped environment. + +The installation needs two registry-related settings: + +- `global.cattle.systemDefaultRegistry` points the Kubewarden charts to the + private registry that contains container images. +- `recommendedPolicies.defaultPoliciesRegistry` points `kubewarden-defaults` + to the registry that contains the recommended policy OCI artifacts. When + unset, `kubewarden-defaults` uses `global.cattle.systemDefaultRegistry`. + +If your private registry requires credentials or uses custom TLS settings, +configure the `default` PolicyServer with `kubewarden-defaults` Helm values. +For custom PolicyServers, configure the `PolicyServer` resource directly. + +## Install from chart archives + +Use this path when you copied `.tgz` chart archives into the air-gapped +environment with the manual process. + +```shell +helm install --wait -n kubewarden kubewarden-crds kubewarden-crds.tgz \ + --create-namespace +helm install --wait -n kubewarden kubewarden-controller kubewarden-controller.tgz \ + --set global.cattle.systemDefaultRegistry= +helm install --wait -n kubewarden kubewarden-defaults kubewarden-defaults.tgz \ + --set global.cattle.systemDefaultRegistry= +``` + +## Install from Hauler OCI artifacts + +Use this path when Hauler copied the Helm charts into your private registry as +OCI artifacts. 
+ +```shell +helm install --wait -n kubewarden kubewarden-crds \ + oci:///hauler/kubewarden-crds \ + --create-namespace +helm install --wait -n kubewarden kubewarden-controller \ + oci:///hauler/kubewarden-controller \ + --set global.cattle.systemDefaultRegistry= +helm install --wait -n kubewarden kubewarden-defaults \ + oci:///hauler/kubewarden-defaults \ + --set global.cattle.systemDefaultRegistry= +``` + +In the commands below, replace `kubewarden-defaults.tgz` with the Hauler OCI +chart URL if you installed `kubewarden-defaults` from an OCI artifact. + +## Configure recommended policy registry + +If the recommended policy OCI artifacts are mirrored to a registry different +from `global.cattle.systemDefaultRegistry`, set +`recommendedPolicies.defaultPoliciesRegistry` on `kubewarden-defaults`: + +```shell +helm upgrade --install --wait -n kubewarden kubewarden-defaults kubewarden-defaults.tgz \ + --set global.cattle.systemDefaultRegistry= \ + --set recommendedPolicies.defaultPoliciesRegistry= +``` + +## Configure the default PolicyServer + +The `kubewarden-defaults` chart owns the `PolicyServer` named `default`. +Configure that PolicyServer by setting `policyServer.*` Helm values when you +install or upgrade `kubewarden-defaults`. 
+ +For a private registry that requires credentials, create the image pull Secret +in the Kubewarden namespace and set `policyServer.imagePullSecret`: + +```shell +kubectl --namespace kubewarden create secret docker-registry secret-private-registry \ + --docker-username= \ + --docker-password= \ + --docker-server= + +helm upgrade --install --wait -n kubewarden kubewarden-defaults kubewarden-defaults.tgz \ + --set global.cattle.systemDefaultRegistry= \ + --set policyServer.imagePullSecret=secret-private-registry +``` + +For a private registry without TLS, set `policyServer.insecureSources`: + +```yaml +# values.yaml +global: + cattle: + systemDefaultRegistry: +policyServer: + insecureSources: + - +``` + +For a private registry that uses a custom CA, set +`policyServer.sourceAuthorities`: + +```yaml +# values.yaml +global: + cattle: + systemDefaultRegistry: +policyServer: + sourceAuthorities: + - uri: + certs: + - | + -----BEGIN CERTIFICATE----- + + -----END CERTIFICATE----- +``` + +Then install or upgrade the chart with the values file: + +```shell +helm upgrade --install --wait -n kubewarden kubewarden-defaults kubewarden-defaults.tgz \ + -f values.yaml +``` + +## Configure custom PolicyServers + +For a custom PolicyServer that you manage yourself, configure the +`PolicyServer` resource. The `image` field must reference the policy-server +image in your private registry. Add `imagePullSecret`, `insecureSources`, or +`sourceAuthorities` when your registry needs them. 
+ +```yaml +apiVersion: policies.kubewarden.io/v1 +kind: PolicyServer +metadata: + name: reserved-instance-for-tenant-a +spec: + image: /kubewarden/policy-server:v1.34.2 + replicas: 2 + serviceAccountName: policy-server + imagePullSecret: secret-private-registry + insecureSources: + - +``` + +## Create policies + +After Kubewarden is installed and the target PolicyServer can reach your +private registry, create policies that reference policy modules from the same +registry: + +```yaml +apiVersion: policies.kubewarden.io/v1 +kind: ClusterAdmissionPolicy +metadata: + name: privileged-pods +spec: + module: registry:///kubewarden/policies/pod-privileged:v0.2.2 + rules: + - apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + operations: + - CREATE + mutating: false +``` + +## Policy Reporter subchart + +If you enable the Policy Reporter subchart in `kubewarden-controller`, configure +its image registry and repository values for the air-gapped registry: + +```shell +helm upgrade --install --wait -n kubewarden kubewarden-controller kubewarden-controller.tgz \ + --set global.cattle.systemDefaultRegistry= \ + --set auditScanner.policyReporter=true \ + --set policy-reporter.image.registry= \ + --set policy-reporter.image.repository=kyverno/policy-reporter \ + --set policy-reporter.ui.image.registry= \ + --set policy-reporter.ui.image.repository=kyverno/policy-reporter-ui +``` + +For more information about Policy Reporter chart values, see the +[Policy Reporter documentation](https://kyverno.github.io/policy-reporter-docs/getting-started/helm.html). diff --git a/versioned_docs/version-1.34/howtos/policy-servers/01-custom-cas.md b/versioned_docs/version-1.34/howtos/policy-servers/01-custom-cas.md index efaaf4a780..5f8c1cf802 100644 --- a/versioned_docs/version-1.34/howtos/policy-servers/01-custom-cas.md +++ b/versioned_docs/version-1.34/howtos/policy-servers/01-custom-cas.md 
@@ -78,3 +78,40 @@ spec: See the [Custom Certificate Authorities](../custom-certificate-authorities.md) documentation for more information on how the `policy-server` executable treats them. + +## Default PolicyServer managed by Helm + +The `kubewarden-defaults` Helm chart owns the `PolicyServer` named `default`. +If you use that default PolicyServer, configure custom source settings with +`policyServer.*` Helm values instead of editing the generated resource +directly. + +For registries without TLS, set `policyServer.insecureSources`: + +```yaml +# values.yaml +policyServer: + insecureSources: + - registry-pre.example.com:5000 +``` + +For a registry that uses a custom CA, set `policyServer.sourceAuthorities`: + +```yaml +# values.yaml +policyServer: + sourceAuthorities: + - uri: registry-pre2.example.com:5500 + certs: + - | + -----BEGIN CERTIFICATE----- + ca-pre2 PEM cert + -----END CERTIFICATE----- +``` + +Apply those values when installing or upgrading `kubewarden-defaults`: + +```shell +helm upgrade --install --wait -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults \ + -f values.yaml +``` diff --git a/versioned_docs/version-1.34/howtos/policy-servers/02-private-registry.md b/versioned_docs/version-1.34/howtos/policy-servers/02-private-registry.md index fc523b8a39..dd07ae86fd 100644 --- a/versioned_docs/version-1.34/howtos/policy-servers/02-private-registry.md +++ b/versioned_docs/version-1.34/howtos/policy-servers/02-private-registry.md @@ -50,7 +50,7 @@ kubectl --namespace kubewarden create secret docker-registry secret-ghcr-docker :::tip Label the Secret as specified -[here](../rancher-backup-operator.md#User-secrets) for it to be part of +[here](../rancher-backup-operator.md#user-secrets) for it to be part of backups done by Rancher Backup Operator ::: 
@@ -76,17 +76,22 @@ spec: imagePullSecret: "secret-ghcr-docker" ``` -## Consuming the Secret in Helm charts +## Default PolicyServer managed by Helm -When deployed from the `kubewarden-defaults` Helm chart, you can set the -`policyServer.imagePullSecret` value to the Secret name. Then, -the created default policy server is able to download policies from your -private registry as well: +The `kubewarden-defaults` Helm chart owns the `PolicyServer` named `default`. +If you use that default PolicyServer, set `policyServer.imagePullSecret` to +the Secret name. Then, the default PolicyServer can download policies from your +private registry: ```yaml -# values file example +# values.yaml policyServer: - telemetry: - enabled: False imagePullSecret: secret-ghcr-docker ``` + +Apply those values when installing or upgrading `kubewarden-defaults`: + +```shell +helm upgrade --install --wait -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults \ + -f values.yaml +```
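Review bot: in the `docs/howtos/airgap/02-install.md` hunk, deleting the `## Install Kubewarden` heading also deletes the `#install-kubewarden` anchor, so any inbound link to that anchor now lands at the top of the page; grep the repo (and the blog, if it links here) for `02-install#install-kubewarden` before merging. The replacement pointer `./install-configure` follows the same convention the deleted text used for `../policy-servers/private-registry` (numeric file prefix dropped from the slug), so it resolves as long as `04-install-configure.md` keeps its name.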
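Review bot: same anchor concern for the `docs/howtos/airgap/03-hauler.md` hunk, which drops `#install-kubewarden` from the Hauler page. Consolidating into one page is the right move: the two deleted sections were near-duplicates that had already drifted from each other (`Policy Reporter subchart` vs `PolicyReporter sub-chart`, a different `--set` order for the `policy-reporter.*` values, and the Hauler copy lacked the `recommendedPolicies.defaultPoliciesRegistry` caution that the `.tgz` copy had), which is exactly the kind of divergence a single source fixes.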
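Review bot: in the new `docs/howtos/airgap/04-install-configure.md`, the page chains several `helm upgrade --install ... kubewarden-defaults` invocations that each pass a different setting (`--set recommendedPolicies.defaultPoliciesRegistry=...` under "Configure recommended policy registry", then `--set policyServer.imagePullSecret=...`, then `-f values.yaml`). `helm upgrade` does not carry previously supplied values forward unless `--reuse-values` is given, so an operator who runs the sections in order ends up with only the last command's settings and loses, for example, the policies registry. Suggest one `values.yaml` that holds `global.cattle.systemDefaultRegistry`, `recommendedPolicies.defaultPoliciesRegistry` and the `policyServer.*` block, used by every upgrade on the page, or a sentence telling the reader to repeat the earlier flags. Two smaller points: the "Configure custom PolicyServers" manifest pairs `imagePullSecret` with `insecureSources`, and nothing says that `insecureSources` turns off TLS verification for that host, so a one-line caveat that `sourceAuthorities` with the registry CA is the production path (and `insecureSources` the exception) would keep registry credentials off unverified connections; and `kubectl create secret docker-registry ... --docker-password=...` puts the password into shell history and the process list, so mention the file-based alternative (`kubectl create secret generic ... --from-file=.dockerconfigjson=... --type=kubernetes.io/dockerconfigjson`) or at least a leading-space/history caveat. Also note that `image: .../kubewarden/policy-server:v1.34.2` is hard-coded in the unversioned docs and will go stale each release.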
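Review bot: the `docs/howtos/policy-servers/01-custom-cas.md` hunk tells readers to use `policyServer.*` values "instead of editing the generated resource directly" but not why; add that the chart re-renders the `default` PolicyServer on every `helm upgrade`, so manual edits to chart-managed fields are overwritten. The `insecureSources` example is listed before the `sourceAuthorities` one and carries no caveat, which nudges readers toward the weaker setting on a page titled custom CAs; a sentence that `insecureSources` disables TLS verification for `registry-pre.example.com:5000` and is for test registries, with `sourceAuthorities` as the intended path, would fix that. The closing `helm upgrade --install ... -f values.yaml` has the same values-reset behaviour noted for the air-gap page: without `--reuse-values` any earlier `--set` values on the release are dropped.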
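Review bot: in the second `docs/howtos/policy-servers/02-private-registry.md` hunk (`@@ -76,17 +76,22 @@`), renaming `## Consuming the Secret in Helm charts` to `## Default PolicyServer managed by Helm` changes the generated heading id, so links to `#consuming-the-secret-in-helm-charts` break; check for inbound references, as with the anchor fix in the first hunk. Dropping `telemetry: enabled: False` from the example is a good cleanup since it was unrelated to the pull secret. The added `helm upgrade --install ... -f values.yaml` again resets values not present in `values.yaml`, so either the sentence above it should say the file must contain the full configuration or the command should mention `--reuse-values`.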
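Review bot: the `versioned_docs/version-1.34/...` hunks carry the same blob ids as their `docs/` counterparts (`43365d6f39..9be019ecde`, `82a1ccc9e1..a8e375a66d`, `0000000000..ad5d7c4528`, `efaaf4a780..5f8c1cf802`, `fc523b8a39..dd07ae86fd`), so they are verbatim copies and every comment above applies to them unchanged; whatever is changed in `docs/` should be re-copied rather than hand-edited so the two trees do not drift. Worth a maintainer decision whether a released version's docs should receive a page restructure (new `04-install-configure.md`, removed sections, renamed headings) or only the anchor fix.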