Configuring CA Certificate

To scan your container registries, CloudGuard uses a bundle of public Certificate Authorities (CA) for authentication. The CloudGuard scanning agents accept certificates signed only by these trusted CAs. If you use a self-hosted registry, the CA that signs your registry certificate may be absent from the bundle of trusted CAs. Follow the steps below to provide the CA to CloudGuard.

Certificate for Kubernetes Scanner

To configure the Kubernetes cluster:

  1. Create a configmap named registry-ca-bundle in the CloudGuard namespace (by default, checkpoint). Use registry.cer as the key and the content of the CA certificate file as its value.

    kubectl create configmap registry-ca-bundle --from-file=registry.cer=<certificate_file_path> --namespace <cloudguard_namespace>

Notes:

  • For clusters that scan multiple registries with different CA certificates, the certificate file must contain a bundle of certificates of all your registries. You can add CA bundles of all the relevant CAs.

  • If the registry CA is replaced, update the configmap and restart the Imagescan pods.

Certificate for AWS ECS Scanner

Configuring the certificate includes two stages:

  1. Prepare a file that contains a bundle of CA certificates and store its content as a secret.

  2. Add the secret to the CloudFormation stack of the scanner.

Note - For AWS ECS scanners that scan multiple registries with different CA certificates, the certificate file must contain a bundle of certificates of all your registries. You can add CA bundles of all the relevant CAs to your secret's content.

To configure a secret:

  1. Open the AWS Secrets Manager, go to Secrets, and click Store a new secret to create it:

    • Secret type: Other type of secret

    • In Key/value pairs, select Plaintext.

    • Paste the contents of one or more certificates in text format as in the example below:

      JFrog Registry CA
      ==================================
      -----BEGIN CERTIFICATE-----
      <PEM-Encoded-Certificate-Content>
      -----END CERTIFICATE-----
      Harbor Registry CA
      ==================================
      -----BEGIN CERTIFICATE-----
      <PEM-Encoded-Certificate-Content>
      -----END CERTIFICATE-----

  2. Configure the rest of the parameters based on your preferences and click Store.

  3. Open the new secret and copy the Secret ARN from Secret details. You need this ARN for the next stage.
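Both scanner types consume the same artifact: one PEM file holding the CA certificates of every registry. The script below is an added example, not part of the CloudGuard documentation or product. It builds that bundle from several CA files, checks that the certificate blocks are intact and separated by newlines (a missing trailing newline in one file silently breaks the next block), and then loads the result either as the registry-ca-bundle configmap for the Kubernetes scanner (with the pod restart the note above requires) or as a plaintext Secrets Manager secret for the ECS scanner, printing the ARN for the stack parameter. The deployment name imagescan, the secret name cloudguard/registry-ca-bundle and the sample certificate files are assumptions and placeholders; the CloudFormation step itself is still done in the console as described below.

```shell
#!/bin/sh
# Added example, not code from the CloudGuard documentation: build one PEM bundle
# from several registry CA files, sanity-check it, and load it either as the
# registry-ca-bundle configmap (Kubernetes scanner) or as a Secrets Manager
# secret (ECS scanner). Deployment and secret names below are assumptions.
set -eu

# Concatenate PEM CA files into a single bundle. Each input must hold at least
# one certificate block, and a newline is forced between files so that an
# "-----END CERTIFICATE-----" line never runs into the next "-----BEGIN".
# Usage: build_ca_bundle <bundle_out> <ca1.pem> [<ca2.pem> ...]
build_ca_bundle() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || {
      echo "build_ca_bundle: no PEM certificate in $f" >&2; return 1; }
    cat "$f" >> "$out"
    # Append a newline unless the bundle already ends with one.
    tail -c 1 "$out" | grep -q '^$' || printf '\n' >> "$out"
  done
}

# Print the number of certificates in a bundle; fail if BEGIN/END markers are unbalanced.
count_certs() {
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
  [ "$begins" -eq "$ends" ] || {
    echo "count_certs: unbalanced BEGIN/END markers in $1" >&2; return 1; }
  echo "$begins"
}

# Kubernetes scanner: create or update the configmap (dry-run | apply works both for
# first creation and for a CA replacement), then restart the image scanning pods so
# they reload the bundle. IMAGESCAN_DEPLOYMENT is an assumed placeholder; look the
# real deployment name up with: kubectl get deploy -n <cloudguard_namespace>
apply_k8s_registry_ca() {
  bundle="$1"; ns="${2:-checkpoint}"
  kubectl create configmap registry-ca-bundle \
    --from-file=registry.cer="$bundle" --namespace "$ns" \
    --dry-run=client -o yaml | kubectl apply -f -
  kubectl rollout restart "deployment/${IMAGESCAN_DEPLOYMENT:-imagescan}" --namespace "$ns"
}

# ECS scanner: store the bundle as a plaintext secret and print its ARN, which is the
# value the stack parameter expects. The secret name is an assumption.
store_ecs_registry_ca() {
  bundle="$1"; name="${2:-cloudguard/registry-ca-bundle}"
  aws secretsmanager create-secret --name "$name" \
    --secret-string "file://$bundle" --query ARN --output text
}

# Constructed sample input (placeholders, not real certificates) so the bundle
# helpers can be exercised offline. The file deliberately lacks a trailing newline.
make_sample_ca() {
  printf '%s Registry CA\n==================================\n-----BEGIN CERTIFICATE-----\n<PEM-Encoded-Certificate-Content>\n-----END CERTIFICATE-----' "$2" > "$1"
}

# Offline demonstration; set APPLY=k8s or APPLY=ecs to actually load the bundle.
work=$(mktemp -d)
make_sample_ca "$work/jfrog.pem" JFrog
make_sample_ca "$work/harbor.pem" Harbor
build_ca_bundle "$work/registry.cer" "$work/jfrog.pem" "$work/harbor.pem"
echo "bundle holds $(count_certs "$work/registry.cer") certificate(s)"
case "${APPLY:-}" in
  k8s) apply_k8s_registry_ca "$work/registry.cer" "${CLOUDGUARD_NAMESPACE:-checkpoint}" ;;
  ecs) store_ecs_registry_ca "$work/registry.cer" ;;
esac
```

Run it with no environment to see the bundle check only; run with APPLY=k8s and CLOUDGUARD_NAMESPACE set to push the configmap and restart the scanner, or with APPLY=ecs to create the secret and obtain the ARN for the next stage. Text outside the BEGIN/END markers, such as the registry labels in the page's sample, is ignored by PEM parsers and can stay in the bundle.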

To add the secret to the stack in AWS CFT:

  1. Edit the stack used for the ECS scanner.

  2. In the Specify stack details, go to Parameters > AWS > Optional - Custom CA Certificate ARN.

  3. Paste the Secret ARN you copied in the previous stage.

For more information about the stack creation, see Step 3 - AWS Configurations in the onboarding wizard for your container registry.