Skip to content

Deploying Firefly using Docker

Instructions are also available for deploying Firefly on Kubernetes.

Once your settings have been configured in the Venafi Control Plane, it's time to deploy your Firefly using Docker.

Before you begin

You will need a clientID to complete these steps. The clientID is a unique ID tied to the service account you created. When you created your service account, we suggested that you save the clientID in a place you could locate it, so you could use it during this part of the process. If you need help, go back to service accounts for info.

To deploy your Firefly, you need to log in to the Linux machine with the Venafi Firefly Docker image and create a configuration file.

  1. Make sure you have the latest Firefly Docker image. Run the following command to be sure.

    docker pull registry.venafi.cloud/public/venafi-images/firefly:v1.8.1

  2. In opt/firefly, create a config.yaml file. Use the following file as a reference, replacing with the correct values for your setup.

    Tip

    If you hover over the code sample, on the right side you will see a code copy button.

    ### Venafi Firefly sample config.yaml file for using Docker
###
### Required statements are not commented out.
### Optional sections ARE commented out.
### READ the instructions for each section.
###
### HOW TO USE THIS FILE:
###
### SAVE this file as config.yaml in your Docker container's /opt/Firefly folder

##### GENERAL CONFIGURATION
# REPLACE 'privateKeyFile' value with the path
#    to the private key used to create the
#    service account.
# REPLACE 'clientID' value with the value you
#     copied when you created the service account.
#     See note about 'clientID' at top of page.

bootstrap:
    vaas:
        auth:
            privateKeyFile: /etc/firefly/svc-acct.key
            clientID: fef042a3-567d-4f76-bd6b-7f5d054fb03e
        csr:
            instanceNaming: EC-Firefly

##### SERVER SETTINGS
# You MUST use at least ONE of the three server types,
#     but you can use any combination of API server
#     types that you want Firefly to support.
# REPLACE 'port' with the port used by that service, if different
# REPLACE 'dnsNames' URL value with the name to be
#     put into the server certificate for the Firefly CA.
# REPLACE 'ipAddress' with IP of the API server

server:
#    grpc:
#        port: 8081
#        tls:
#            dnsNames:
#            - firefly.venafi.example
#            ipAddress: 192.168.1.175

#    rest:
#        port: 8281
#        tls:
#            dnsNames:
#            - firefly.venafi.example
#            ipAddress: 172.168.1.175

  3. Review the Venafi End User License Agreement. In the next command, you will be accepting these Terms. By continuing, you agree to these Terms.

  4. From Docker, mount the volume and start Firefly.

    docker run "$(id -u):$(id -g)" -e ACCEPT_TERMS=Y -p 8081:8081 -p 8123:8123 -p 8281:8281 --cap-add=IPC_LOCK \
        -v /opt/firefly/config.yaml:/etc/firefly/config.yaml:ro \
        -v /opt/firefly/svc-acct.key:/etc/firefly/svc-acct.key:ro \
        registry.venafi.cloud/public/venafi-images/firefly:v1.8.1 run -c /etc/firefly/config.yaml

What's next?

That's it! You've configured Firefly and started a Firefly server. As Firefly issues certificates, you will see them on the Issuer Certificates dashboard.