Access to enterprise components

Configure access to TLS Protect for Kubernetes Enterprise components

Introduction

TLS Protect for Kubernetes Enterprise components are distributed via a private OCI registry oci://eu.gcr.io/jetstack-secure-enterprise. Customers can use the registry to access container images, Helm charts and other artifacts.

Getting access to the registry

There are two ways to get credentials to access the registry, using the jsctl or the web UI.

Using the command line

If jsctl is not yet installed, the following script will install it for you. More info can be found on the releases page.

curl -fsSL https://raw.githubusercontent.com/jetstack/jsctl/main/install.sh | sh

On windows, the command looks as follows:

irm https://raw.githubusercontent.com/jetstack/jsctl/main/install.ps1 | iex

In order to get registry credentials, you first need to login:

jsctl auth login

Then, select an organization:

jsctl config set organization <name>

Next, you can use the CLI to fetch some credentials for you:

$ jsctl registry auth init
Checking for existing credentials in ~/.jsctl
authenticated

Finally, you need to choose what format you want the credentials in dockerconfig or secret for a Kubernetes secret.

$ jsctl registry auth output --format=dockerconfig
{"auths":{"eu.gcr.io":{ ...

# or

$ jsctl registry auth output --format=secret
apiVersion: v1
kind: Secret
...

Using the UI

Sign in to TLS Protect for Kubernetes and navigate to TLS Protect for Kubernetes > Organization > Private Images. Then click "CREATE IMAGE PULL SECRET", insert a name to identify the key and click "CREATE IMAGE PULL SECRET".

That will generate a service account key that you can directly configure in your cluster following the instructions or download for advanced usage (see "DOWNLOAD DOCKERCFG" tab).

For the context of using TLS Protect for Kubernetes Enterprise components, we recommend to download the dockercfg JSON file locally, as you will likely need to use it in different namespaces and also with the helm command line to install Helm charts.

Install credentials to a namespace in your cluster

The service account key from the previous step can be installed in one or more namespaces in a Kubernetes or OpenShift cluster.

Take into account that only operations within that selected namespace can use the key. For instance: if you are installing a helm chart from the OCI registry in namespace example, the key must have been installed in the namespace example. The preferred namespace name is jetstack-secure. First create the namespace if it does not already exist:

kubectl create ns jetstack-secure

If you have downloaded the key file previously, you can install it in one namespace with this command:

# Fetch the key file for the JSS Enterprise Registry (alternative: download the file using the UI)
jsctl registry auth output --format=dockerconfig > jss_enterprise_registry_docker_config.json

# Create secret in jetstack-secure namespace with the credentials to access the enterprise registry
kubectl create secret docker-registry jse-gcr-creds \
    --namespace jetstack-secure \
    --from-file .dockerconfigjson=jss_enterprise_registry_docker_config.json

Configuring Docker to pull GCR images

In some scenarios, you will be required to pull TLS Protect for Kubernetes enterprise images directly through docker pull or indirectly with tools like helm or skopeo. For instance, you might need to pull the isolated-issuer container image directly before running it as a docker service. In other cases you may be pulling and pushing to a different repository without leveraging the built-in mirroring capabilities of your registry.

To allow Docker authentication you would need to obtain the dockercfg file from the "Download DOCKERCFG" tab in the TLS Protect for Kubernetes private image screen. If you have not already downloaded this file, the steps to do so are explained in the above section "Get service account keys for OCI registry".

You may choose to merge this dockercfg file with your existing system wide configuration in ~/.docker/config. Alternatively, you may use the docker --config PATH_TO_DOCKERCFG for every command.

Once the authentication is configured, you may directly run:

# Fetch the key file for the JSS Enterprise Registry (alternative: download the file using the UI)
jsctl registry auth output --format=dockerconfig > jss_enterprise_registry_docker_config.json

docker --config jss_enterprise_registry_docker_config.json pull eu.gcr.io/jetstack-secure-enterprise/<JETSTACK-IMAGE>:<TAG>

# E.g. to pull the latest isolated-issuer image
docker --config jss_enterprise_registry_docker_config.json pull eu.gcr.io/jetstack-secure-enterprise/isolated-issuer:latest

Configuring a pull-through remote mirroring repository (like Artifactory).

The general process for setting up any repository mirroring tool from GCR is to setup docker mirroring with:

Username: _json_key
Password: REPLACE_WITH_GCR_SERVICE_ACCOUNT_KEY_JSON

The service account key can be obtained from the dockercfg file, the following command on the dockercfg file will extract it from the password field of the relevant section:

jq -r '.auths["eu.gcr.io"].password' PATH_TO_DOCKERCFG

Specifically for Artifactory, mirroring is explained in this guide.
The only difference for TLS Protect for Kubernetes Enterprise's registry is that you obtain the service account key differently through the above jq rather than generating it from our registry, and can hence skip step 2 in the linked guide.

If you're still having trouble, please contact us by raising a support request for assistance.

Using credentials to install Helm charts

Since Helm v3.8.0, you can install Helm charts from an OCI registry (see Helm docs).

Assuming you have downloaded the key file previously (from the JSS UI or using the jsctl command), you can use the --registry-config flag to let Helm authenticate with the enterprise registry when retrieving the Helm chart.

For example:

# Fetch the key file for the JSS Enterprise Registry (alternative: download the file using the UI)
jsctl registry auth output --format=dockerconfig > jss_enterprise_registry_docker_config.json

helm template cert-discovery-venafi \
  oci://eu.gcr.io/jetstack-secure-enterprise/charts/cert-discovery-venafi \
  --registry-config jss_enterprise_registry_docker_config.json

Configuring the pull secret and Helm CLI

Most TLS Protect for Kubernetes charts will use container images that are in the enterprise registry as well. You will also need to follow the instructions in the previous section and install the credentials to the desired namespace in your cluster. The specific installation instructions of the chart will detail how to specify the specific flags that set the ImagePullSecret. This is a full example:

# Create secret in jetstack-secure namespace with the credentials to access the enterprise registry
kubectl -n jetstack-secure apply -f <(jsctl registry auth output --format=secret)

# Template the Helm chart using the previous secret as ImagePullSecret
helm template cert-discovery-venafi \
  oci://eu.gcr.io/jetstack-secure-enterprise/charts/cert-discovery-venafi \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --namespace jetstack-secure \
  --set 'global.imagePullSecrets[0].name=jse-gcr-creds'

Domain whitelist for obtaining Jetstack artifacts

If you're behind a corporate L7 proxy/firewall, these are the domains to whitelist in order to allow access:

• eu.gcr.io
• accounts.google.com
• oauth2.googleapis.com
• storage.googleapis.com

In case you need to open up an L4 firewall to google service IP addresses, here is the list that google supplies.