centersl/portainer-docs
1
0
Fork 0
mirror of https://github.com/portainer/portainer-docs.git synced 2026-03-27 12:58:32 +07:00
Code Issues Packages Projects Releases Wiki Activity

GITBOOK-45: Explicitly define mTLS certs in examples

Browse Source
This commit is contained in:
James Carppe
2023-04-18 06:47:20 +00:00
committed by gitbook-bot
parent f3e5a89abc
commit 799cc96087
20 changed files with 28 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
.gitbook/assets/2.12.2-stacks-edit-editor-webhook (1).png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 65 KiB

BIN
.gitbook/assets/2.15-create_first_user (1) (1).png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 152 KiB

BIN
.gitbook/assets/2.15-custom-templates (1) (1).gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 431 KiB

BIN
.gitbook/assets/2.15-docker_api_more_settings (1) (1).png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 104 KiB

BIN
.gitbook/assets/2.15-docker_services_list (1) (1).png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 134 KiB

2
admin/environments/add/docker/edge-async.md
View File

@@ -37,7 +37,7 @@ Select **Docker Standalone** then click **Start Wizard**. Then select the **Edge
| Name | Enter a name for your environment. |
| Portainer API server URL | Enter the URL and port of your Portainer Server instance as it will be seen from your Edge environment. If using a FQDN, ensure that DNS is properly configured to provide this. |
<figure><img src="../../../../.gitbook/assets/2.18-environments-add-docker-edge-async-name (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../../.gitbook/assets/2.18-environments-add-docker-edge-async-name.png" alt=""><figcaption></figcaption></figure>
As an optional step you can expand the **More settings** section and adjust the **Ping**, **Snapshot** and **Command** intervals for the environment - this defines how often this Edge Agent will check in with the Portainer Server for status updates, snapshot updates and to see if there are new pending commands to run, respectively. The default for each is once a minute, but the defaults can be adjusted in the [Edge Compute settings](../../../settings/edge.md#async-check-in-intervals).&#x20;

2
admin/environments/add/kaas/civo.md
View File

@@ -6,7 +6,7 @@ Select the **Civo** option from the list of providers. If you haven't already pr
You can find more details on [setting up access to your Civo account](../../../settings/credentials/civo.md) in the [shared credentials documentation](../../../settings/credentials/).
{% endhint %}
<figure><img src="../../../../.gitbook/assets/2.15-kaas-civo-creds.png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../../.gitbook/assets/2.15-kaas-civo-creds (1).png" alt=""><figcaption></figcaption></figure>
Once you have added your credentials (or if you already had them set up) select your cluster options from the fields below.

2
admin/environments/add/kubernetes/edge-async.md
View File

@@ -37,7 +37,7 @@ Select **Kubernetes** then click **Start Wizard**. Then select the **Edge Agent
| Name | Enter a name for your environment. |
| Portainer API server URL | Enter the URL and port of your Portainer Server instance as it will be seen from your Edge environment. If using a FQDN, ensure that DNS is properly configured to provide this. |
<figure><img src="../../../../.gitbook/assets/2.18-environments-add-docker-edge-async-name.png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../../.gitbook/assets/2.18-environments-add-docker-edge-async-name (1).png" alt=""><figcaption></figcaption></figure>
As an optional step you can expand the **More settings** section and adjust the **Ping**, **Snapshot** and **Command** intervals for the environment - this defines how often this Edge Agent will check in with the Portainer Server for status updates, snapshot updates and to see if there are new pending commands to run, respectively. The default for each is once a minute, but the defaults can be adjusted in the [Edge Compute settings](../../../settings/edge.md#async-check-in-intervals).&#x20;

2
admin/environments/add/swarm/edge-async.md
View File

@@ -37,7 +37,7 @@ Select **Docker Swarm** then click **Start Wizard**. Then select the **Edge Agen
| Name | Enter a name for your environment. |
| Portainer API server URL | Enter the URL and port of your Portainer Server instance as it will be seen from your Edge environment. If using a FQDN, ensure that DNS is properly configured to provide this. |
<figure><img src="../../../../.gitbook/assets/2.18-environments-add-docker-edge-async-name.png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../../.gitbook/assets/2.18-environments-add-docker-edge-async-name (1).png" alt=""><figcaption></figcaption></figure>
As an optional step you can expand the **More settings** section and adjust the **Ping**, **Snapshot** and **Command** intervals for the environment - this defines how often this Edge Agent will check in with the Portainer Server for status updates, snapshot updates and to see if there are new pending commands to run, respectively. The default for each is once a minute, but the defaults can be adjusted in the [Edge Compute settings](../../../settings/edge.md#async-check-in-intervals).&#x20;

2
admin/users/password.md
View File

@@ -6,4 +6,4 @@ From the menu select **Users** then select the user whose password you want to r
Enter a new strong password, re-enter the password to confirm it then click **Update password**.
<figure><img src="../../.gitbook/assets/2.15-settings-users-changepw.png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/2.15-settings-users-changepw (1).png" alt=""><figcaption></figcaption></figure>

28
advanced/mtls.md
View File

@@ -14,9 +14,9 @@ In order to configure Portainer with mTLS support, you will need the following:
* A Portainer Server and a Portainer Edge Agent.
* A certificate authority (CA). You can use your own corporate CA or a CA for which you completely control the certificate issuance policy.
* The CA certificate for your certificate authority, in PEM format (`ca.crt`).
* The CA certificate for your certificate authority, in PEM format (`mtlsca.crt`).
* A domain (or subdomain) you can point to your Portainer Server instance to be specifically used for mTLS. This will be the domain the server certificate is issued for.
* A server certificate (`server.crt`) and corresponding key (`server.key`) issued by your CA for the Portainer Server, in PEM format. Ensure these are issued with `serverAuth` selected for `extendedKeyUsage`. This certificate should have the domain (or subdomain) that will be used for mTLS as the Subject Alternative Name (SAN).
* A server certificate (`mtlserver.crt`) and corresponding key (`mtlserver.key`) issued by your CA for the Portainer Server, in PEM format. Ensure these are issued with `serverAuth` selected for `extendedKeyUsage`. This certificate should have the domain (or subdomain) that will be used for mTLS as the Subject Alternative Name (SAN).
* A client certificate (`client.crt`) and corresponding key (`client.key`) issued by your CA for the Edge Agent, in PEM format. Ensure these are issued with `clientAuth` selected for `extendedKeyUsage`.
## Configuring the Portainer Server
@@ -29,7 +29,7 @@ When deploying your Portainer Server, you will need to make the CA certificate,
#### Docker Standalone
On your Docker host, upload your CA certificate (`ca.crt`), server certificate (`server.crt`) and server key (`server.key`) into a directory that will be bind mounted into the Portainer container. In this example we assume your certificates are located at `/root/certs`.
On your Docker host, upload your CA certificate (`mtlsca.crt`), server certificate (`mtlsserver.crt`) and server key (`mtlserver.key`) into a directory that will be bind mounted into the Portainer container. In this example we assume your certificates are located at `/root/certs`.
Modify your `docker run` command to mount the `/root/certs` directory to `/certs` and add the `--mtlscacert`, `--mtlscert`, and `--mtlskey` options:
@@ -39,9 +39,9 @@ docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always \
-v portainer_data:/data \
-v /root/certs:/certs
portainer/portainer-ee:latest \
--mtlscacert /certs/ca.crt \
--mtlscert /certs/server.crt \
--mtlskey /certs/server.key
--mtlscacert /certs/mtlsca.crt \
--mtlscert /certs/mtlsserver.crt \
--mtlskey /certs/mtlsserver.key
```
@@ -51,12 +51,12 @@ This will start Portainer using your provided CA and certificates.
To add mTLS certificates to Portainer Server on Docker Swarm during installation, we recommend adding the necessary files as secrets and then referencing those secrets within the YAML used to deploy Portainer.&#x20;
First, upload your CA certificate (`ca.crt`), server certificate (`server.crt`) and server key (`server.key`) into a directory that will be referenced by the secret creation. In this example we assume your certificates are located at `/root/certs`. Once you have uploaded the files, create your secrets as follows:
First, upload your CA certificate (`mtlsca.crt`), server certificate (`mtlserver.crt`) and server key (`mtlserver.key`) into a directory that will be referenced by the secret creation. In this example we assume your certificates are located at `/root/certs`. Once you have uploaded the files, create your secrets as follows:
```
docker secret create portainer.mtlscacert /root/certs/ca.crt
docker secret create portainer.mtlscert /root/certs/server.crt
docker secret create portainer.mtlskey /root/certs/server.key
docker secret create portainer.mtlscacert /root/certs/mtlsca.crt
docker secret create portainer.mtlscert /root/certs/mtlsserver.crt
docker secret create portainer.mtlskey /root/certs/mtlsserver.key
```
Modify your Portainer YAML file to attach the secrets and add the `--mtlscacert`, `--mtlscert` and `--mtlskey` options:
@@ -154,7 +154,7 @@ When deploying an Edge Agent you will be provided with a command to run by the P
### Docker Standalone
On your Docker host, upload your CA certificate (`ca.crt`), client certificate (`client.crt`) and client key (`client.key`) into a directory that will be bind mounted into the Edge Agent container. In this example we assume your certificates are located at `/root/certs`.
On your Docker host, upload your CA certificate (`mtlsca.crt`), client certificate (`client.crt`) and client key (`client.key`) into a directory that will be bind mounted into the Edge Agent container. In this example we assume your certificates are located at `/root/certs`.
Once the certificates are in place and the secrets created, you can begin to set up your Edge Agent within the Portainer UI.&#x20;
@@ -178,7 +178,7 @@ docker run -d \
-e EDGE_INSECURE_POLL=0 \
--name portainer_edge_agent \
portainer/agent:latest \
--mtlscacert /certs/ca.crt \
--mtlscacert /certs/mtlsca.crt \
--mtlscert /certs/client.crt \
--mtlskey /certs/client.key
```
@@ -189,10 +189,10 @@ Run the command to deploy your Edge Agent with mTLS support.
To add mTLS certificates to the Edge Agent, we recommend adding the necessary files as secrets and then referencing those secrets within the YAML used to deploy Portainer.&#x20;
First, upload your CA certificate (`ca.crt`), client certificate (`client.crt`) and client key (`client.key`) into a directory that will be referenced by the secret creation. In this example we assume your certificates are located at `/root/certs`. Once you have uploaded the files, create your secrets as follows:
First, upload your CA certificate (`mtlsca.crt`), client certificate (`client.crt`) and client key (`client.key`) into a directory that will be referenced by the secret creation. In this example we assume your certificates are located at `/root/certs`. Once you have uploaded the files, create your secrets as follows:
```
docker secret create portainer.mtlscacert /root/certs/ca.crt
docker secret create portainer.mtlscacert /root/certs/mtlsca.crt
docker secret create portainer.mtlscert /root/certs/client.crt
docker secret create portainer.mtlskey /root/certs/client.key
```

2
user/docker/host/setup.md
View File

@@ -42,7 +42,7 @@ This setting allows you to specify a window within which [automatic updates](../
If this setting is enabled and an update is made to an application outside of this window, it will not be applied.
{% endhint %}
<figure><img src="../../../.gitbook/assets/2.15-docker_hosts_change_windows_settings.png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/2.15-docker_hosts_change_windows_settings (1).png" alt=""><figcaption></figcaption></figure>
## Docker Security Settings

2
user/docker/images/pull.md
View File

@@ -12,7 +12,7 @@ This method lets you pull images from Docker Hub or from another registry that y
From the menu select **Images**. Select the registry to use then enter the name of the image. On a multi-node environment, select the node to deploy to.
<figure><img src="../../../.gitbook/assets/2.15-docker_images_pull_images.png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/2.15-docker_images_pull_images (1).png" alt=""><figcaption></figcaption></figure>
When you're ready, click **Pull the image**.

2
user/docker/services/README.md
View File

@@ -6,7 +6,7 @@ The **Services** menu is only available to Docker Swarm endpoints.
A service consists of an image definition and container configuration as well as instructions on how those containers will be deployed across a Swarm cluster.
<figure><img src="../../../.gitbook/assets/2.15-docker_services_list.png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/2.15-docker_services_list (1).png" alt=""><figcaption></figcaption></figure>
When the [new image notification](../swarm/setup.md#other) feature is enabled, the circle next to the image name indicates whether the local image is up to date, with a green circle indicating it is up to date and a red circle indicating that there is a newer version of the image available at the remote registry. A grey circle indicates Portainer was unable to determine whether there is an update available for the image.

2
user/docker/services/configure.md
View File

@@ -14,7 +14,7 @@ In this section you can:
* View the [service logs](logs.md).
* Update, [roll back](rollback.md) or delete the service.
<figure><img src="../../../.gitbook/assets/2.15-docker_services_service_details.png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/2.15-docker_services_service_details (1).png" alt=""><figcaption></figcaption></figure>
## Container specification configuration options

2
user/docker/stacks/add.md
View File

@@ -83,7 +83,7 @@ env_file:
Note the compose file is not changed when environment variables are used - this allows variables to be updated within Portainer without editing the compose file itself which would take it out of sync with your local copy. You will still see the `${MY_ENVIRONMENT_VARIABLE}` style entry in the compose file.
{% endhint %}
<figure><img src="../../../.gitbook/assets/2.15-docker_add_stack_upload_env_var (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/2.15-docker_add_stack_upload_env_var.png" alt=""><figcaption></figcaption></figure>
When you're ready click **Deploy the stack**.

2
user/docker/swarm/setup.md
View File

@@ -29,7 +29,7 @@ This setting allows you to specify a window within which [automatic updates](../
If this setting is enabled and an update is made to an application outside of this window, it will not be applied.
{% endhint %}
<figure><img src="../../../.gitbook/assets/2.15-docker_hosts_change_windows_settings.png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/2.15-docker_hosts_change_windows_settings (1).png" alt=""><figcaption></figcaption></figure>
## Docker Security Settings

2
user/docker/templates/custom.md
View File

@@ -10,7 +10,7 @@ You can also [create a template from an existing deployed stack](../stacks/templ
To view a list of custom templates, from the menu select **App Templates** then select **Custom Templates**.
<figure><img src="../../../.gitbook/assets/2.15-custom-templates (2).gif" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/2.15-custom-templates (1) (1).gif" alt=""><figcaption></figcaption></figure>
## Creating a new custom template

2
user/kubernetes/applications/detach-volume.md
View File

@@ -2,7 +2,7 @@
From the menu select **Applications**, select the application then click **Edit this application**.
<figure><img src="../../../.gitbook/assets/2.15-k8s_kubernetes_applications_edit_app (1).gif" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/2.15-k8s_kubernetes_applications_edit_app.gif" alt=""><figcaption></figcaption></figure>
Scroll down to the **Persisting data** section and click the trash can icon to the right of the volume. Scroll down and click **Update application**. When the confirmation message appears, click **Update**.

2
user/kubernetes/applications/edit.md
View File

@@ -2,7 +2,7 @@
From the menu select **Applications**, select the application you want to edit, then click **Edit this application**.
<figure><img src="../../../.gitbook/assets/2.15-k8s_kubernetes_applications_edit_app.gif" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/2.15-k8s_kubernetes_applications_edit_app (1).gif" alt=""><figcaption></figcaption></figure>
Your editing options will depend on how the application was deployed initially.