Notary service

The notary service is used to sign a trusted collection of content such as metadata.

Note: The Notary service is deprecated from IBM Cloud Pak® for Multicloud Management 2.3 Fix Pack 5, and will be removed in the next release.

The notary service is a combination of a notary server and a notary signer. The notary server stores and updates the signed The Update Framework (TUF) metadata. The notary signer stores the private signing keys and performs signing operations on behalf of the server, so the keys never need to reside on the server itself.

Before you begin

An instance of the notary service is deployed in your hub cluster when you enable securityServices and ibm-management-notary in the installation YAML file for your IBM Cloud Pak® for Multicloud Management operand.

To install an instance of the notary service in your managed clusters, you must manually install the ibm-management-notary operator and create an operand in your managed clusters.

The notary service has a dependency on the MongoDB service. The MongoDB secrets and service must be available in the management-security-services namespace for the notary service to function.

Configuring the MongoDB service and secrets

Complete the following steps to install the MongoDB service and secrets.

  1. Copy the MongoDB secrets from the ibm-common-services namespace to the management-security-services namespace.

    1. Copy the icp-mongodb-admin secret.
      kubectl get secret icp-mongodb-admin -n ibm-common-services -o yaml > outputfile.yaml
      
    2. Manually edit the file to delete the lines that are not in the following sample (the cluster-specific metadata such as uid, resourceVersion, creationTimestamp, and managedFields) and update the namespace to management-security-services. The edited outputfile.yaml resembles the following sample:
      apiVersion: v1
      data:
        password: UVhScmtBUEdDZXRBbA==
        user: RTlnblRvMGo=
      kind: Secret
      metadata:
        labels:
          app: icp-mongodb
        name: icp-mongodb-admin
        namespace: management-security-services
      type: Opaque
      
    3. Apply the changes to the management-security-services namespace:
      kubectl apply -f outputfile.yaml -n management-security-services
      
    4. Copy the icp-mongodb-client-cert secret:
      kubectl get secret icp-mongodb-client-cert -n ibm-common-services -o yaml > outputfile2.yaml
      
    5. Manually edit the file to delete the lines that are not in the following sample (the cluster-specific metadata such as uid, resourceVersion, creationTimestamp, and managedFields) and update the namespace to management-security-services. The edited outputfile2.yaml resembles the following sample:
      apiVersion: v1
      data:
        ca.crt: <base64-encoded CA certificate copied from the source secret>
        tls.crt: <base64-encoded client certificate copied from the source secret>
        tls.key: <base64-encoded client private key copied from the source secret>
      kind: Secret
      metadata:
        annotations:
          certmanager.k8s.io/alt-names: mongodb-service,mongodb
          certmanager.k8s.io/certificate-name: icp-mongodb-client-cert
          certmanager.k8s.io/common-name: mongodb-service
          certmanager.k8s.io/ip-sans: ""
          certmanager.k8s.io/issuer-kind: Issuer
          certmanager.k8s.io/issuer-name: mongodb-root-ca-issuer
        labels:
          certmanager.k8s.io/certificate-name: icp-mongodb-client-cert
        name: icp-mongodb-client-cert
        namespace: management-security-services
      type: kubernetes.io/tls
      
    6. Apply the changes to management-security-services namespace:
      kubectl apply -f outputfile2.yaml -n management-security-services
      
  2. Create the external name service to point to the MongoDB common service:

    1. Create file named external-service-file.yaml with the following content:
      kind: Service
      apiVersion: v1
      metadata:
        name: mongodb
      spec:
        type: ExternalName
        externalName: mongodb.ibm-common-services.svc.cluster.local
      
    2. Create the external name service:
      oc create -f external-service-file.yaml -n management-security-services
      
  3. If a notary instance is already running, delete the notary pods so that they restart and pick up the copied secrets and the new service.
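The following script is an added example and is not part of the IBM documentation or the ibm-management-notary operator. It automates the manual "delete all unneeded lines and update the namespace" steps above by working on the JSON form of each Secret (`kubectl get ... -o json`), stripping the cluster-specific metadata that must not be carried into the target namespace, checking that the data keys the notary service relies on are present, and producing the ExternalName Service manifest. The pipeline in the module docstring and the sample secret at the bottom are assumptions constructed for the example; the secret names, namespaces, labels and data keys are the ones used on this page.

```python
"""Copy the MongoDB secrets into management-security-services for notary.

Added example (not IBM's code). Assumed usage, with kubectl logged in to
the hub cluster; repeat for icp-mongodb-client-cert:

    kubectl get secret icp-mongodb-admin -n ibm-common-services -o json \
      | python3 copy_mongo_secret.py management-security-services \
      | kubectl apply -f -
"""
import json
import sys

SOURCE_NAMESPACE = "ibm-common-services"
TARGET_NAMESPACE = "management-security-services"

# Metadata that is specific to the object in its source namespace; carrying
# it over makes kubectl apply fail or fight with the API server.
CLUSTER_SPECIFIC_METADATA = (
    "uid", "resourceVersion", "creationTimestamp", "selfLink",
    "managedFields", "ownerReferences", "generation",
)
# kubectl's own bookkeeping annotation; stale after a namespace change.
DROPPED_ANNOTATIONS = ("kubectl.kubernetes.io/last-applied-configuration",)

# Data keys each copied secret must carry for the notary service to connect.
EXPECTED_KEYS = {
    "icp-mongodb-admin": {"user", "password"},
    "icp-mongodb-client-cert": {"ca.crt", "tls.crt", "tls.key"},
}


def sanitize_secret(secret, target_namespace=TARGET_NAMESPACE):
    """Return a copy of `secret` that can be applied in `target_namespace`.

    Only apiVersion/kind/type/data and the portable parts of metadata
    (name, labels, non-kubectl annotations such as cert-manager's) survive;
    everything listed in CLUSTER_SPECIFIC_METADATA is dropped.
    """
    if secret.get("kind") != "Secret":
        raise ValueError("expected a Secret, got %r" % secret.get("kind"))
    meta = secret.get("metadata", {})
    new_meta = {"name": meta["name"], "namespace": target_namespace}
    if meta.get("labels"):
        new_meta["labels"] = dict(meta["labels"])
    annotations = {k: v for k, v in meta.get("annotations", {}).items()
                   if k not in DROPPED_ANNOTATIONS}
    if annotations:
        new_meta["annotations"] = annotations
    return {
        "apiVersion": secret.get("apiVersion", "v1"),
        "kind": "Secret",
        "metadata": new_meta,
        "type": secret.get("type", "Opaque"),
        "data": dict(secret.get("data", {})),
    }


def missing_keys(secret):
    """Data keys notary needs that are absent (empty set when complete)."""
    name = secret["metadata"]["name"]
    return EXPECTED_KEYS.get(name, set()) - set(secret.get("data", {}))


def external_name_service(name="mongodb", source_namespace=SOURCE_NAMESPACE):
    """Manifest for the ExternalName Service that points notary at MongoDB."""
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": name},
        "spec": {
            "type": "ExternalName",
            "externalName": "%s.%s.svc.cluster.local" % (name, source_namespace),
        },
    }


# Constructed sample of what `kubectl get secret icp-mongodb-admin -o json`
# returns; the uid and timestamps are made up, the data values are the
# page's own sample values.
SAMPLE_ADMIN_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "data": {"password": "UVhScmtBUEdDZXRBbA==", "user": "RTlnblRvMGo="},
    "metadata": {
        "name": "icp-mongodb-admin",
        "namespace": SOURCE_NAMESPACE,
        "uid": "00000000-0000-0000-0000-000000000000",
        "resourceVersion": "12345",
        "creationTimestamp": "2021-01-01T00:00:00Z",
        "labels": {"app": "icp-mongodb"},
        "annotations": {"kubectl.kubernetes.io/last-applied-configuration": "{}"},
        "managedFields": [{"manager": "kubectl"}],
    },
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else TARGET_NAMESPACE
    cleaned = sanitize_secret(json.load(sys.stdin), target)
    absent = missing_keys(cleaned)
    if absent:
        sys.exit("%s lacks keys %s" % (cleaned["metadata"]["name"], sorted(absent)))
    json.dump(cleaned, sys.stdout, indent=2)
```

Piping the output straight into `kubectl apply -f -` avoids leaving a file with the MongoDB password and client key on disk; `missing_keys` makes the script fail before anything is applied if the source secret has been rotated into a different shape. The ExternalName manifest from `external_name_service()` is equivalent to the external-service-file.yaml shown above and can be applied the same way.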

Deploying Notary from your OpenShift Container Platform console

Complete the following steps to deploy the notary operand instance.

  1. Log in to your OpenShift® cluster console.
  2. In the management-security-services project, select the IBM Management Notary operator.
  3. In the Provided APIs section, click Create Instance. The default custom resource definition opens in the current window.
  4. Click Create.

For information about using the notary service, see Using a notary service for image signing.