ELMA365 On-Premises > ELMA365 Enterprise > Install add-on components for ELMA365 / Install Kyverno

Install Kyverno

Kyverno allows for the management of specific environmental configurations independently from resource configurations, applying advanced configuration methods for clusters, in particular by blocking or altering API requests.

In some cases, it is required to trust user CA certificates. Kyverno can automatically add a volume containing user CA certificates to containers with a specific label.

The installation consists of four steps:

  1. Prepare Secret with the root CA certificate.
  2. Download the helm chart and the configuration file.
  3. Fill in the configuration file.
  4. Install the Kyverno chart using helm in a Kubernetes cluster.

Step 1: Prepare Secret with the root CA certificate

Create a Secret with the root CA certificate in the namespace where the ELMA365 application is installed. If there are multiple instances of the ELMA365 application installed in the Kubernetes cluster, add the Secret only to the namespace of the required ELMA365 instances.

Create a Secret named elma365-onpremise-ca in the namespace where the ELMA365 application is installed by executing the command:

kubectl create secret generic elma365-onpremise-ca --from-file=elma365-onpremise-ca.pem=/etc/ssl/certs/rootCA.pem [-n namespace]

where --from-file specifies the path to your root CA certificate in .pem format.

Step 2: Download the helm chart and the configuration file

To install via the internet, obtain the configuration file values-kyverno.yaml by executing the command:

helm repo add elma365 https://charts.elma365.tech
helm repo update
helm show values elma365/kyverno > values-kyverno.yaml

Obtaining the configuration file for installation in a closed loop without internet access

Step 3: Fill in the configuration file

Fill in the configuration file values-kyverno.yaml for Kyverno installation.

For this, configure the policy to add user CA certificates to all containers. The policy is enabled by default: the parameter kyverno.injectСerts.enabled is set to true. In the parameter kyverno.injectСerts.secretCA, specify the name of the Secret created in step 1, in this article it's referred to as elma365-onpremise-ca. The policy adds a volume containing the CA certificate to all containers with the label tier=elma365.

 

If your Kubernetes cluster has multiple instances of the ELMA365 On-Premises application, but you need to add the user CA certificate only to some of the ELMA365 application instances, fill in the parameter kyverno.injectNamespace. In the parameter kyverno.injectNamespace, list the ELMA365 application instances for which the policy of adding certificates and the volume containing the CA certificate will be applied. Make sure that in step 1, the Secret with the root CA certificate was added to namespace listed in kyverno.injectNamespace.

 

Specify the name namespace for the Kyverno service, in this article it's referred to as kyverno. To ensure high availability, set the required number of replicas in the parameter kyverno.replicaCount.

## kyverno settings
kyverno:
  ## he policy adds a volume containing the CA certificate to all containers with the label  tier=elma365
  injectСerts:
    enabled: true
    ## he name of the secret with the root CA certificate for HTTPS operation with a self-signed certificate
    secretCA: elma365-onpremise-ca
    ## The list of namespaces where the policy will be applied
#    injectNamespace:
#      - elma365-dev
#      - elma365-prod
  ## Namespace for kyverno (need to be created before installation with kubectl create ns kyverno)
  namespace: kyverno
  ## The number of replicas for high availability
  replicaCount: 1
  ## Installation of crds (not required, added to the crds directory)
  installCRDs: false
...

Filling in the parameters to connect to a private registry for installation in a closed loop without internet access

Step 4: Install the Kyverno chart using helm in a Kubernetes cluster

Install the Kyverno chart in namespace, which was created in step 1 (in this article it's referred to as kyverno).

For online installation:

helm upgrade --install kyverno elma365/kyverno -f values-kyverno.yaml -n kyverno --create-namespace 

For offline installation without internet access:

helm upgrade --install kyverno ./kyverno -f values-kyverno.yaml -n kyverno --create-namespace

Начало внимание:

The installation of the Kyverno add-on component does not automatically attach the volume containing the CA certificate to the already running pods of the ELMA365 application.

After installing Kyverno, do not forget to restart the ELMA365 application services.

Конец внимание

Delete Kyverno chart usingс helm in a Kubernetes cluster

Начало внимание

Before deleting Kyverno, reconfigure the ELMA365 application to receive the CA certificate from other sources or disable TLS

Конец внимание

To delete the Kyverno chart in namespace kyverno, execute the command.

helm uninstall kyverno -n kyverno

Found a typo? Highlight the text, press ctrl + enter and notify us