Access to enterprise components
Configure access to TLS Protect for Kubernetes Enterprise components
Introduction
TLS Protect for Kubernetes Enterprise components are distributed via a private OCI registry oci://eu.gcr.io/jetstack-secure-enterprise. Customers can use the registry to access container images, Helm charts and other artifacts.
Getting access to the registry
There are two ways to get credentials to access the registry, using the jsctl or the web UI.
🔰 Hint: If you're unfamiliar with the process, you might want to read about how to Pull an Image from a Private Registry and how to Add ImagePullSecrets to a service account in the Kubernetes documentation. This might help you understand how to use the credentials from the following steps.
Using the command line
If jsctl is not yet installed, the following script will install it for you. More info can be found on the releases page.
curl -fsSL https://raw.githubusercontent.com/jetstack/jsctl/main/install.sh | sh
On windows, the command looks as follows:
irm https://raw.githubusercontent.com/jetstack/jsctl/main/install.ps1 | iex
In order to get registry credentials, you first need to login:
jsctl auth login
Then, select an organization:
jsctl config set organization <name>
🔰 Hint: You can list the available organization with the command jsctl organizations list.
Next, you can use the CLI to fetch some credentials for you:
$ jsctl registry auth initChecking for existing credentials in ~/.jsctlauthenticated
Finally, you need to choose what format you want the credentials in dockerconfig or secret for a Kubernetes secret.
$ jsctl registry auth output --format=dockerconfig{"auths":{"eu.gcr.io":{ ...# or$ jsctl registry auth output --format=secretapiVersion: v1kind: Secret...
Using the UI
Sign in to TLS Protect for Kubernetes and navigate to TLS Protect for Kubernetes > Organization > Private Images. Then click "CREATE IMAGE PULL SECRET", insert a name to identify the key and click "CREATE IMAGE PULL SECRET".
That will generate a service account key that you can directly configure in your cluster following the instructions or download for advanced usage (see "DOWNLOAD DOCKERCFG" tab).
For the context of using TLS Protect for Kubernetes Enterprise components, we recommend to download the dockercfg JSON file locally, as you will likely need to use it in different namespaces and also with the helm command line to install Helm charts.
⚠️ Once you close the dialog after generating the credentials they won't be available for download anymore.
Install credentials to a namespace in your cluster
The service account key from the previous step can be installed in one or more namespaces in a Kubernetes or OpenShift cluster.
Take into account that only operations within that selected namespace can use the key. For instance: if you are installing a helm chart from the OCI registry in namespace example, the key must have been installed in the namespace example. The preferred namespace name is jetstack-secure. First create the namespace if it does not already exist:
kubectl create ns jetstack-secure
If you have downloaded the key file previously, you can install it in one namespace with this command:
# Fetch the key file for the JSS Enterprise Registry (alternative: download the file using the UI)jsctl registry auth output --format=dockerconfig > jss_enterprise_registry_docker_config.json# Create secret in jetstack-secure namespace with the credentials to access the enterprise registrykubectl create secret docker-registry jse-gcr-creds \--namespace jetstack-secure \--from-file .dockerconfigjson=jss_enterprise_registry_docker_config.json
You can use any name for the secret, but in the documentation we will use jse-gcr-creds for convenience.
Configuring Docker to pull GCR images
In some scenarios, you will be required to pull TLS Protect for Kubernetes enterprise images directly through docker pull or indirectly with tools like helm or skopeo. For instance, you might need to pull the isolated-issuer container image directly before running it as a docker service. In other cases you may be pulling and pushing to a different repository without leveraging the built-in mirroring capabilities of your registry.
To allow Docker authentication you would need to obtain the dockercfg file from the "Download DOCKERCFG" tab in the TLS Protect for Kubernetes private image screen. If you have not already downloaded this file, the steps to do so are explained in the above section "Get service account keys for OCI registry".
You may choose to merge this dockercfg file with your existing system wide configuration in ~/.docker/config. Alternatively, you may use the docker --config PATH_TO_DOCKERCFG for every command.
⚠️ This configuration flag might differ for other binaries like helm. We show this for helm in the below section "Using credentials to install Helm charts".
Once the authentication is configured, you may directly run:
# Fetch the key file for the JSS Enterprise Registry (alternative: download the file using the UI)jsctl registry auth output --format=dockerconfig > jss_enterprise_registry_docker_config.jsondocker --config jss_enterprise_registry_docker_config.json pull eu.gcr.io/jetstack-secure-enterprise/<JETSTACK-IMAGE>:<TAG># E.g. to pull the latest isolated-issuer imagedocker --config jss_enterprise_registry_docker_config.json pull eu.gcr.io/jetstack-secure-enterprise/isolated-issuer:latest
Configuring a pull-through remote mirroring repository (like Artifactory).
The general process for setting up any repository mirroring tool from GCR is to setup docker mirroring with:
Username: _json_keyPassword: REPLACE_WITH_GCR_SERVICE_ACCOUNT_KEY_JSON
The service account key can be obtained from the dockercfg file, the following command on the dockercfg file will extract it from the password field of the relevant section:
jq -r '.auths["eu.gcr.io"].password' PATH_TO_DOCKERCFG
This assumes you have the jq command line utility installed and dockercfg obtained from previous section.
Specifically for Artifactory, mirroring is explained in this guide.
The only difference for TLS Protect for Kubernetes Enterprise's registry is that you obtain the service account key differently through the above jq rather than generating it from our registry, and can hence skip step 2 in the linked guide.
If you're still having trouble, please contact us by raising a support request for assistance.
Using credentials to install Helm charts
Since Helm v3.8.0, you can install Helm charts from an OCI registry (see Helm docs).
Assuming you have downloaded the key file previously (from the JSS UI or using the jsctl command), you can use the --registry-config flag to let Helm authenticate with the enterprise registry when retrieving the Helm chart.
For example:
# Fetch the key file for the JSS Enterprise Registry (alternative: download the file using the UI)jsctl registry auth output --format=dockerconfig > jss_enterprise_registry_docker_config.jsonhelm template cert-discovery-venafi \oci://eu.gcr.io/jetstack-secure-enterprise/charts/cert-discovery-venafi \--registry-config jss_enterprise_registry_docker_config.json
Configuring the pull secret and Helm CLI
Most TLS Protect for Kubernetes charts will use container images that are in the enterprise registry as well. You will also need to follow the instructions in the previous section and install the credentials to the desired namespace in your cluster. The specific installation instructions of the chart will detail how to specify the specific flags that set the ImagePullSecret. This is a full example:
# Create secret in jetstack-secure namespace with the credentials to access the enterprise registrykubectl -n jetstack-secure apply -f <(jsctl registry auth output --format=secret)# Template the Helm chart using the previous secret as ImagePullSecrethelm template cert-discovery-venafi \oci://eu.gcr.io/jetstack-secure-enterprise/charts/cert-discovery-venafi \--registry-config <(jsctl registry auth output --format=dockerconfig) \--namespace jetstack-secure \--set 'global.imagePullSecrets[0].name=jse-gcr-creds'
Domain whitelist for obtaining Jetstack artifacts
If you're behind a corporate L7 proxy/firewall, these are the domains to whitelist in order to allow access:
- eu.gcr.io
- accounts.google.com
- oauth2.googleapis.com
- storage.googleapis.com
In case you need to open up an L4 firewall to google service IP addresses, here is the list that google supplies.