
Deploying Workload Identity Manager on Kubernetes with Helm using OIDC

In this tutorial, you'll use Helm to deploy Workload Identity Manager on Kubernetes and connect it to Certificate Manager - SaaS, from which it bootstraps its security configuration (CA, policy, and team settings).

You'll authenticate using Workload Identity Federation (OIDC). Workload Identity Manager presents a Kubernetes service account token, and Certificate Manager - SaaS validates that token with the cluster's public signing key, which it reads from the cluster's OIDC discovery endpoint. The corresponding private key never leaves the Kubernetes control plane, so no long-lived credential for Certificate Manager - SaaS has to be stored in the cluster.

Prerequisites

To deploy Workload Identity Manager, you'll need to complete Certificate Manager - SaaS setup, get the deployment details from your platform administrator, and prepare your own environment.

Complete Certificate Manager - SaaS setup

Before deploying Workload Identity Manager, your platform administrator must complete Step 1 through Step 6 in the Getting started guide.

This includes creating a CA account and subordinate CA, adding a Certificate Manager - SaaS policy, team, and configuration, and finally creating a service account that uses Workload Identity Federation authentication.

Get deployment information

From your platform administrator, get the following:

  • Regional API URL: The Certificate Manager - SaaS REST API URL for your region, for example https://api.venafi.cloud.
  • Tenant ID: The tenantID for the Certificate Manager - SaaS tenant, located in Settings > License.
  • Naming pattern: The name of the instance; embedded in the subordinate CA certificate's common name. This pattern distinguishes multiple Workload Identity Manager instances.

Prepare your environment

To install Workload Identity Manager, you must have:

  • Kubernetes cluster: A cluster whose OIDC discovery endpoint (the service account issuer's /.well-known/openid-configuration document and the JWKS it points to) is reachable by Certificate Manager - SaaS without authentication. Only public key material is served there.
  • Network configuration: A firewall configuration allowing egress to the Certificate Manager - SaaS REST API, as described in network requirements.
  • Required tools: helm, kubectl, and cmctl on your local machine.
  • cert-manager: cert-manager installed in your cluster, since Workload Identity Manager operates as a cert-manager issuer and interacts with its custom resources.
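The two statements above (tokens are validated with the cluster's public key; the discovery endpoint must be reachable unauthenticated) are what a verifier actually needs in order to accept a service account token. The following is an added example, not code from the page or from CyberArk/Venafi: it models both sides of the exchange. The "control plane" signs a projected service account token with a private key it never exports, publishes only the JWKS (the document a verifier finds through <iss>/.well-known/openid-configuration), and the "relying party", playing the role of Certificate Manager - SaaS, verifies the RS256 signature, iss, aud, validity window, and subject. The issuer URL, kid, audience string, namespace, service account name, and the toy 1024-bit RSA key are all constructed for the demo; the RSA PKCS#1 v1.5 code is hand-rolled only so the example runs with the standard library, and a real verifier would use a JOSE library.

```python
# Added example, not CyberArk/Venafi code: a stand-alone model of the OIDC token
# check behind Workload Identity Federation. All URLs, key material and claims
# are constructed for the demo; the toy 1024-bit RSA key is for speed only.
import base64, hashlib, json, math, random, time

b64u = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
b64u_dec = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin: adequate for a toy key, not for production key generation."""
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def rsa_keygen(bits: int = 1024, e: int = 65537) -> dict:
    def prime(b):  # odd candidate with the top bit set, retried until probably prime
        c = random.getrandbits(b) | (1 << (b - 1)) | 1
        while not is_probable_prime(c): c = random.getrandbits(b) | (1 << (b - 1)) | 1
        return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            n = p * q  # private exponent d stays in this dict; only n and e are published
            return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)), "k": (n.bit_length() + 7) // 8}

def emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    """RFC 8017 EMSA-PKCS1-v1_5 over SHA-256(msg), as a k-byte big-endian integer."""
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()  # DigestInfo
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(key: dict, signing_input: bytes) -> bytes:
    return pow(emsa_pkcs1_v15(signing_input, key["k"]), key["d"], key["n"]).to_bytes(key["k"], "big")

def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    n = int.from_bytes(b64u_dec(jwk["n"]), "big")
    e = int.from_bytes(b64u_dec(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == emsa_pkcs1_v15(signing_input, k)

def control_plane_issue_token(key, kid, iss, namespace, sa_name, aud, now) -> str:
    """What kube-apiserver does for a projected token: sign the claims with the private key."""
    header = {"alg": "RS256", "kid": kid, "typ": "JWT"}
    claims = {"iss": iss, "sub": f"system:serviceaccount:{namespace}:{sa_name}", "aud": [aud],
              "iat": now, "exp": now + 3600,
              "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa_name}}}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    return signing_input + "." + b64u(rs256_sign(key, signing_input.encode()))

def control_plane_jwks(key: dict, kid: str) -> dict:
    """What the cluster serves at jwks_uri (found via <iss>/.well-known/openid-configuration)."""
    return {"keys": [{"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256",
                      "n": b64u(key["n"].to_bytes(key["k"], "big")),
                      "e": b64u(key["e"].to_bytes(3, "big"))}]}

def relying_party_verify(token: str, jwks: dict, expected_iss: str, expected_aud: str, now: int):
    """The verifier's side (the role Certificate Manager - SaaS plays). Returns (accepted, subject or reason)."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header, claims = json.loads(b64u_dec(h_b64)), json.loads(b64u_dec(c_b64))
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "RS256": return False, "unexpected alg"   # no alg=none, no downgrade
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None: return False, "unknown kid"
    if not rs256_verify(jwk, f"{h_b64}.{c_b64}".encode(), b64u_dec(s_b64)): return False, "bad signature"
    if claims.get("iss") != expected_iss: return False, "issuer mismatch"
    aud = claims.get("aud", [])
    if expected_aud not in (aud if isinstance(aud, list) else [aud]): return False, "audience mismatch"
    if not claims.get("iat", 0) <= now < claims.get("exp", 0): return False, "outside validity window"
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"): return False, "not a service account"
    return True, claims["sub"]

def tamper(token: str) -> str:
    """Rewrite the subject but keep the original signature; the verifier must reject this."""
    h, c, s = token.split(".")
    claims = dict(json.loads(b64u_dec(c)), sub="system:serviceaccount:kube-system:cluster-admin")
    return f"{h}.{b64u(json.dumps(claims).encode())}.{s}"

def demo() -> dict:
    random.seed(7)                          # reproducible toy key; never do this for real keys
    key, kid, now = rsa_keygen(), "k1", int(time.time())
    iss, aud = "https://oidc.example-cluster.invalid", "https://api.venafi.cloud"   # constructed
    jwks = control_plane_jwks(key, kid)     # the only material that leaves the control plane
    token = control_plane_issue_token(key, kid, iss, "venafi", "firefly", aud, now)
    return {"good": relying_party_verify(token, jwks, iss, aud, now),
            "wrong_aud": relying_party_verify(token, jwks, iss, "https://other.invalid", now),
            "tampered": relying_party_verify(tamper(token), jwks, iss, aud, now),
            "expired": relying_party_verify(token, jwks, iss, aud, now + 7200)}

if __name__ == "__main__":
    for name, result in demo().items(): print(f"{name:10} {result}")
```

The order of checks in relying_party_verify matters: the algorithm is pinned and the signature is verified before any claim is trusted, and the audience check is what stops a token minted for one relying party from being replayed against another. Running the block shows the good token accepted with its service account subject and the wrong-audience, tampered, and expired tokens each rejected with a distinct reason. The same structure is why the prerequisite above insists on an unauthenticated discovery endpoint: a verifier that cannot fetch the JWKS cannot get past the signature step.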

Step 1: Deploy Workload Identity Manager with a Helm chart

  1. Review and agree to the CyberArk End User License Agreement.

  2. Create a Kubernetes namespace called venafi.

    kubectl create ns venafi
    
  3. Check whether the Connection for CyberArk Certificate Manager CRD is deployed. Workload Identity Manager uses this custom resource to authenticate with Certificate Manager - SaaS via OIDC. Other Venafi components like Enterprise Issuer for CyberArk Certificate Manager or Discovery Agent may have already installed it.

    kubectl get crd venaficonnections.jetstack.io
    

    If the CRD is deployed, kubectl prints its name and creation time. If it is not, kubectl reports a NotFound error for the CRD.

  4. If the CRD is not deployed, install it:

    helm install venafi-connection oci://registry.venafi.cloud/charts/venafi-connection \
      --namespace venafi \
      --version v0.6.0
    
  5. Create a firefly.values.yaml file.

    This example includes the minimum configuration. For more options see Local configuration reference.

    firefly.values.yaml
    acceptTerms: true
    deployment:
      config:
        bootstrap:
          vaas:
            csr:
              instanceNaming: Instance1 Location1 # (1)!
            url: https://api.venafi.cloud # (2)!
            connection:
              create: true # (3)!
              name: connection-1
              serviceAccountToken: # (4)!
                enabled: true
                tenantID: your-tenant-id # (5)!
        controller:
          enabled: true # (6)!
          certManager:
            caRootChainPopulation: false # (7)!
            checkApproval: true # (8)!
    
    1. Naming pattern for the Workload Identity Manager instances.
    2. The Certificate Manager - SaaS regional API URL.
    3. If set to true, a Connection resource is created with the specified name and authentication method.
    4. OIDC authentication type.
    5. Get the tenantID from your platform administrator.
    6. Set to false if you don't want Workload Identity Manager to act as a Kubernetes controller and process cert-manager certificate resources.
    7. Set to true to automatically populate the status.ca field with the CA information.
    8. Set to false if you want Workload Identity Manager to process CertificateRequest resources without waiting for approval.
  6. Install the Helm chart for one of the three builds: Standard (STS), Long-term support (LTS), or FIPS. The --version flag is required. The LTS and FIPS commands additionally pin the image by digest; a tag can be re-pointed at a different image, a digest cannot.

    About the release name

    prod is the Helm release name. Change it to match your environment, for example staging or dev.

    Standard (STS):

    helm upgrade prod oci://private-registry.venafi.cloud/charts/firefly \
      --install \
      --create-namespace \
      --namespace venafi \
      --values firefly.values.yaml \
      --version v1.11.0 \
      --set deployment.image=private-registry.venafi.cloud/firefly/firefly:v1.11.0
    
    Long-term support (LTS):

    helm upgrade prod oci://private-registry.venafi.cloud/charts/firefly \
      --install \
      --create-namespace \
      --namespace venafi \
      --values firefly.values.yaml \
      --version v1.11.0 \
      --set deployment.image=private-registry.venafi.cloud/firefly-ent/firefly:v1.11.0 \
      --set deployment.imageDigest=sha256:79e4e0d5fd68cc2f255fdc71c35de7ad0a7145444477d32571edd2942a5a6ef3
    
    FIPS:

    helm upgrade prod oci://private-registry.venafi.cloud/charts/firefly \
      --install \
      --create-namespace \
      --namespace venafi \
      --values firefly.values.yaml \
      --version v1.11.0 \
      --set deployment.image=private-registry.venafi.cloud/firefly-ent/firefly-fips:v1.11.0 \
      --set deployment.imageDigest=sha256:6187d6025e87536724cc519ed871f33ae83467b0119aa5d2bb94850b915b0d7f
    

Step 2: Verify the installation

Verify the installation using cmctl.

  1. Create certificate.yaml containing a test certificate:

    certificate.yaml
    kind: Certificate
    apiVersion: cert-manager.io/v1
    metadata:
      annotations:
        firefly.venafi.com/policy-name: Policy # (1)!
    spec:
      commonName: example.com # (2)!
      issuerRef:
        name: firefly
        kind: Issuer
        group: firefly.venafi.com
    
    1. Must match the policy name defined in the security configuration.
    2. Must comply with the subject.commonName.allowedValues of the policy.
  2. Use cmctl to create a cert-manager CertificateRequest and wait for the signed certificate:

    cmctl create certificaterequest my-cr \
      --from-certificate-file certificate.yaml \
      --fetch-certificate
    

    If successful, cmctl writes the private key and the signed certificate to my-cr.key and my-cr.crt and prints both file names.

  3. Inspect the signed X.509 certificate with OpenSSL and confirm that the subject matches the policy and that the issuer is your subordinate CA:

    openssl x509 -in my-cr.crt -noout -text
    

What's next?

Workload Identity Manager is now installed and configured to issue and manage certificates in your cluster using Certificate Manager - SaaS policies. Every certificate it issues chains to your organization's subordinate CA and root CA, so workloads that trust that root trust the issued certificates.

Review certificates on the Issuer Certificates dashboard.