search string side menu

ELMA365 On-Premises > ELMA365 On-Premises Enterprise > Install add-on components for ELMA365 / Install Kyverno

Install Kyverno

Kyverno allows for the management of specific environmental configurations independently from resource configurations, applying advanced configuration methods for clusters, in particular by blocking or altering API requests.

In some cases, it is required to trust user CA certificates. Kyverno can automatically add a volume containing user CA certificates to containers with a specific label.

The installation consists of four steps:

  1. Prepare Secret with the root CA certificate.
  2. Download the helm chart and the configuration file.
  3. Fill in the configuration file.
  4. Install the Kyverno chart using helm in a Kubernetes cluster.

Step 1: Prepare Secret with the root CA certificate

Create a Secret with the root CA certificate in the namespace where the ELMA365 application is installed. If there are multiple instances of the ELMA365 application installed in the Kubernetes cluster, add the Secret only to the namespace of the required ELMA365 instances.

Create a Secret named elma365-onpremise-ca in the namespace where the ELMA365 application is installed by executing the command:

kubectl create secret generic elma365-onpremise-ca --from-file=elma365-onpremise-ca.pem=/etc/ssl/certs/rootCA.pem [-n namespace]

where --from-file specifies the path to your root CA certificate in .pem format.

Step 2: Download the helm chart and the configuration file

To install via the internet, obtain the configuration file values-kyverno.yaml by executing the command:

helm repo add elma365 https://charts.elma365.tech
helm repo update
helm show values elma365/kyverno > values-kyverno.yaml

Obtaining the configuration file for installation in a closed loop without internet access

  1. On a computer with internet access, download the ELMA365 images and upload them to the local image registry by executing the following command:

helm repo add elma365 https://charts.elma365.tech
helm repo update
helm pull elma365/kyverno

For more details, see Download ELMA365 images.

  1. Copy the obtained chart archive kyverno-X.Y.Z.tgz to the server where the installation will be carried out.
  1. Unpack this chart and copy the default configuration file values.yaml to values-kyverno.yaml:

tar -xf kyverno-X.Y.Z.tgz
cp kyverno/values.yaml values-kyverno.yaml

Step 3: Fill in the configuration file

Fill in the configuration file values-kyverno.yaml for Kyverno installation.

For this, configure the policy to add user CA certificates to all containers. The policy is enabled by default: the parameter kyverno.injectСerts.enabled is set to true. In the parameter kyverno.injectСerts.secretCA, specify the name of the Secret created in step 1, in this article it's referred to as elma365-onpremise-ca. The policy adds a volume containing the CA certificate to all containers with the label tier=elma365.

 

If your Kubernetes cluster has multiple instances of the ELMA365 On-Premises application, but you need to add the user CA certificate only to some of the ELMA365 application instances, fill in the parameter kyverno.injectNamespace. In the parameter kyverno.injectNamespace, list the ELMA365 application instances for which the policy of adding certificates and the volume containing the CA certificate will be applied. Make sure that in step 1, the Secret with the root CA certificate was added to namespace listed in kyverno.injectNamespace.

 

Specify the name namespace for the Kyverno service, in this article it's referred to as kyverno. To ensure high availability, set the required number of replicas in the parameter kyverno.replicaCount.

## kyverno settings
kyverno:
  ## he policy adds a volume containing the CA certificate to all containers with the label  tier=elma365
  injectСerts:
    enabled: true
    ## he name of the secret with the root CA certificate for HTTPS operation with a self-signed certificate
    secretCA: elma365-onpremise-ca
    ## The list of namespaces where the policy will be applied
#    injectNamespace:
#      - elma365-dev
#      - elma365-prod
  ## Namespace for kyverno (need to be created before installation with kubectl create ns kyverno)
  namespace: kyverno
  ## The number of replicas for high availability
  replicaCount: 1
  ## Installation of crds (not required, added to the crds directory)
  installCRDs: false
...

Filling in the parameters to connect to a private registry for installation in a closed loop without internet access

To connect to a private registry, you need to:

  1. Download ELMA365 images and upload them to the local image registry. For more details, see Download ELMA365 images.
  2. Set address and path for parameters kyverno.image.repository, kyverno.initImage.repository and kyverno.cleanupController.image.repository.
  1. Specify the name of the secret with access rights to the private registry in parameters kyverno.image.pullSecrets and kyverno.cleanupController.image.pullSecrets. The secret must be created manually and encrypted in Base64.

## kyverno settings
kyverno:
...
  ## Connection parameters to the private registry
  image:
## Address and path for the private registry
    repository: registry.example.com/kyverno/kyverno
    tag: v1.9.0
## secret with access rights for the private registry must be created manually, encrypted
in Base64
    pullSecrets:
      - myRegistryKeySecretName
  initImage:
## Address and path for the private registry
    repository: registry.example.com/kyverno/kyvernopre
    tag: v1.9.0
  cleanupController:
    image:
## Address and path for the private registry
      repository: registry.example.com/kyverno/cleanup-controller
      tag: v1.9.0
## secret with access rights for the private registry must be created manually, encrypted in Base64
      pullSecrets:
        - myRegistryKeySecretName

where the format for kyverno.image.repository is as follows:

  • address is registry.example.com;
  • path is /kyverno/kyverno; kyverno.initImage.repository;
  • address is registry.example.com;
  • path is/kyverno/kyvernopre; kyverno.cleanupController.repository;
  • address is registry.example.com;
  • path is /kyverno/cleanup-controller.

 

Step 4: Install the Kyverno chart using helm in a Kubernetes cluster

Install the Kyverno chart in namespace, which was created in step 1 (in this article it's referred to as kyverno).

For online installation:

helm upgrade --install kyverno elma365/kyverno -f values-kyverno.yaml -n kyverno --create-namespace 

For offline installation without internet access:

helm upgrade --install kyverno ./kyverno -f values-kyverno.yaml -n kyverno --create-namespace

Начало внимание:

The installation of the Kyverno add-on component does not automatically attach the volume containing the CA certificate to the already running pods of the ELMA365 application.

After installing Kyverno, do not forget to restart the ELMA365 application services.

Конец внимание

Delete Kyverno chart usingс helm in a Kubernetes cluster

Начало внимание

Before deleting Kyverno, reconfigure the ELMA365 application to receive the CA certificate from other sources or disable TLS

Конец внимание

To delete the Kyverno chart in namespace kyverno, execute the command.

helm uninstall kyverno -n kyverno

install-keda.html install-linkerd.html

Found a typo? Highlight the text, press ctrl + enter and notify us