Deploying Workload Identity Manager on Kubernetes using Helm

Instructions are also available for deploying using Docker.

Once your settings have been configured in the Certificate Manager - SaaS UI, it's time to deploy your Workload Identity Manager in a Kubernetes cluster using a Helm chart.
Before you begin

- You will need a `clientID` to complete these steps. The `clientID` is a unique ID tied to the service account you created. When you created your service account, we suggested that you save the `clientID` in a place you could locate it, so you could use it during this part of the process. If you need help, go back to service accounts for info.
- You need all the following packages installed on your local machine:
- You need to install cert-manager in your cluster, because Workload Identity Manager operates as a cert-manager issuer and expects to be able to interact with cert-manager Custom Resources.
- Create a Kubernetes namespace called `venafi`.

  ```shell
  kubectl create ns venafi
  ```

- Create a Secret containing the private key of your Workload Identity Manager Service Account:

  ```shell
  kubectl create secret generic venafi-credentials \
    --namespace venafi \
    --from-file=svc-acct.key=${PRIVATE_KEY_FILE}
  ```

  Replace `${PRIVATE_KEY_FILE}` with the path to the private key you created when setting up your Workload Identity Manager Service Account. For example: `svc-acct-rsa-priv-key.pem`.

- Review the CyberArk End User License Agreement. In the next step you will agree to abide by these Terms.
- Create a Helm `values.yaml` file.

  The `values.yaml` file allows you to customize the Helm chart before installing. This is a minimal example containing only the required configuration values:

  ```yaml
  # values.yaml
  acceptTerms: true
  deployment:
    config:
      bootstrap:
        vaas:
          clientID: ${CLIENT_ID}
          url: https://api.venafi.cloud
  crd:
    approver:
      subject:
        name: cert-manager
        namespace: cert-manager
  ```

  Info: This example uses the API URL for the US region as the value of the `deployment.config.bootstrap.vaas.url` parameter. The following regional options are also available:

  - EU region: `https://api.eu.venafi.cloud`
  - UK region: `https://api.uk.venafi.cloud`
  - Australia region: `https://api.au.venafi.cloud`
  - Canada region: `https://api.ca.venafi.cloud`
  - Singapore region: `https://api.sg.venafi.cloud`

  Replace `${CLIENT_ID}` with the Client ID that you copied when setting up your Workload Identity Manager Service Account. You can find it by logging in and checking the Settings > Service Accounts page. It is a UUID string of the format `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`.

  Learn more about the `crd.approver.subject` fields. When you use Workload Identity Manager with cert-manager, Workload Identity Manager signs CertificateRequest resources in a Kubernetes cluster, but the CertificateRequest resources need to be "approved" first by cert-manager or by an approver-policy app.

  The `crd.approver.subject` fields allow you to choose the name and namespace of the ServiceAccount of cert-manager or an approver-policy app. The default values are designed to work with the open-source approver-policy app, installed in the `cert-manager` namespace. In this example we are not using an approver-policy app; instead we are using cert-manager to approve CertificateRequests, so we change the ServiceAccount name to that of cert-manager, installed in the `cert-manager` namespace.

  Read more about the concept of CertificateRequest approval, and about approver-policy and approver-policy plugins.
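A pre-install check for the `values.yaml` described above, written for this page as an added example (it is not part of the Workload Identity Manager chart or CLI). It verifies the points the text calls out: `acceptTerms` is a real boolean, `clientID` is no longer the `${CLIENT_ID}` placeholder and has the stated UUID shape, `url` is one of the documented regional endpoints, and the `crd.approver.subject` fields are filled in. The sample `clientID` is a constructed value.

```python
import re
from typing import Any, Dict, List

# Regional API endpoints listed on this page; anything else is flagged.
ALLOWED_URLS = {  # US, EU, UK, Australia, Canada, Singapore
    "https://api.venafi.cloud", "https://api.eu.venafi.cloud", "https://api.uk.venafi.cloud",
    "https://api.au.venafi.cloud", "https://api.ca.venafi.cloud", "https://api.sg.venafi.cloud",
}
# Client ID format stated in the docs: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def _get(d: Dict[str, Any], path: str) -> Any:
    """Walk a dotted path such as 'deployment.config.bootstrap.vaas.url'."""
    cur: Any = d
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def validate_values(values: Dict[str, Any]) -> List[str]:
    """Return the problems found in a parsed values.yaml; an empty list means OK."""
    problems: List[str] = []
    if _get(values, "acceptTerms") is not True:  # the string "true" is not accepted
        problems.append("acceptTerms must be the boolean true")
    client_id = _get(values, "deployment.config.bootstrap.vaas.clientID")
    if not isinstance(client_id, str) or "${" in client_id:
        problems.append("clientID is missing or still holds a ${...} placeholder")
    elif not UUID_RE.match(client_id):
        problems.append("clientID is not a UUID")
    url = _get(values, "deployment.config.bootstrap.vaas.url")
    if not isinstance(url, str) or url not in ALLOWED_URLS:
        problems.append(f"url {url!r} is not a documented regional API endpoint")
    for field in ("name", "namespace"):
        v = _get(values, f"crd.approver.subject.{field}")
        if not isinstance(v, str) or not v:
            problems.append(f"crd.approver.subject.{field} must be a non-empty string")
    return problems


# Constructed sample mirroring the minimal values.yaml above; the clientID is made up.
SAMPLE_VALUES = {
    "acceptTerms": True,
    "deployment": {"config": {"bootstrap": {"vaas": {
        "clientID": "12345678-abcd-4ef0-9abc-1234567890ab",
        "url": "https://api.venafi.cloud"}}}},
    "crd": {"approver": {"subject": {"name": "cert-manager", "namespace": "cert-manager"}}},
}
```

To run it against a real file, load it with PyYAML (`yaml.safe_load`) and pass the resulting dict to `validate_values`; an empty list means the file is ready for `helm upgrade`.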
- Install the Helm chart.

  To install the latest STS chart and deploy STS images:

  ```shell
  helm upgrade prod oci://private-registry.venafi.cloud/charts/firefly \
    --install \
    --create-namespace \
    --namespace venafi \
    --values values.yaml \
    --version v1.10.0 \
    --set image.repository=private-registry.venafi.cloud/firefly/firefly \
    --set image.tag=v1.10.0
  ```

  To use an LTS chart version and point to the Workload Identity Manager LTS image:

  ```shell
  helm upgrade prod oci://private-registry.venafi.cloud/charts/firefly \
    --install \
    --create-namespace \
    --namespace venafi \
    --values values.yaml \
    --version v1.10.0 \
    --set deployment.image=private-registry.venafi.cloud/firefly-ent/firefly:v1.10.0 \
    --set deployment.imageDigest=$(crane digest private-registry.venafi.cloud/firefly-ent/firefly:v1.10.0)
  ```

  To install a chart and point to a FIPS image:

  ```shell
  helm upgrade prod oci://private-registry.venafi.cloud/charts/firefly \
    --install \
    --create-namespace \
    --namespace venafi \
    --values values.yaml \
    --version v1.10.0 \
    --set deployment.image=private-registry.venafi.cloud/firefly-ent/firefly-fips:v1.10.0 \
    --set deployment.imageDigest=$(crane digest private-registry.venafi.cloud/firefly-ent/firefly-fips:v1.10.0)
  ```

  Do not omit `--version`. It is required.

  You may want to change the Helm release name. In the examples above, replace the term `prod` with your preferred Helm release name, for example `staging`.

  Tip: You can execute the following command to generate a starter Helm values file (with comments) for deploying Workload Identity Manager in a Kubernetes cluster:

  ```shell
  helm show values oci://registry.venafi.cloud/public/venafi-images/helm/firefly --version v1.10.0 > firefly-values.yaml
  ```
- Verify the installation using `cmctl` to create a test certificate.

  - First create a file called `certificate.yaml` containing your desired test certificate:

    ```yaml
    # certificate.yaml
    kind: Certificate
    apiVersion: cert-manager.io/v1
    metadata:
      annotations:
        firefly.venafi.com/policy-name: ${POLICY_NAME}
    spec:
      commonName: ${DOMAIN_NAME}
      issuerRef:
        name: firefly
        kind: Issuer
        group: firefly.venafi.com
    ```

    - Replace `${POLICY_NAME}` with your Workload Identity Manager policy name, which you can find by logging in and selecting your policy in the Policies > Workload Issuance Policies page. Make sure you choose a policy which is associated with your Workload Identity Manager configuration.
    - Replace `${DOMAIN_NAME}` with a domain which is allowed by your Workload Identity Manager policy, which you can find by logging in, selecting your policy in the Policies > Workload Issuance Policies page, and examining the Subject > Common Name field.

  - Use `cmctl` to create a cert-manager CertificateRequest and wait for the signed certificate:

    ```shell
    cmctl create certificaterequest my-cr \
      --from-certificate-file certificate.yaml \
      --fetch-certificate
    ```

    If successful, `cmctl` will print the filenames of a `.key` and a `.crt` file. You can examine the signed X.509 certificate using `openssl`, as follows:

    ```shell
    openssl x509 -in my-cr.crt -noout -text
    ```

    You will also see metrics about your issued certificates by logging in and checking the Inventory > Issuer Certificates page.
What's next?

That's it! You've configured Workload Identity Manager and started a Workload Identity Manager server. As Workload Identity Manager issues certificates, you will see them on the Issuer Certificates dashboard.