
Deploy Firefly on Kubernetes using Helm

Instructions are also available for deploying using Docker.

Once your settings have been configured in the Venafi Control Plane, it's time to deploy your Firefly in a Kubernetes cluster using a Helm chart.

Before you begin

  1. You will need a clientID to complete these steps. The clientID is a unique ID tied to the service account you created. When you created your service account, we suggested saving the clientID somewhere you could find it again, so that you could use it during this part of the process. If you need help, go back to service accounts for info.

  2. You need all the following packages installed on your local machine:

  3. You need to install cert-manager in your cluster, because Firefly operates as a cert-manager issuer and expects to be able to interact with cert-manager Custom Resources.

  1. Create a Kubernetes namespace called venafi.

    kubectl create ns venafi
  2. Create a Secret containing the private key of your Firefly Service Account:

    kubectl create secret generic venafi-credentials \
      --namespace venafi \

    Replace ${PRIVATE_KEY_FILE} with the path to the private key you created when setting up your Firefly Service Account. For example: svc-acct-rsa-priv-key.pem

  3. Review the Venafi End User License Agreement. In the next step you will agree to abide by these Terms.

  4. Create a Helm values.yaml file.

    The values.yaml file allows you to customize the Helm chart before installing. This is a minimal example containing only the required configuration values:

    # values.yaml
    acceptTerms: true
    deployment:
      venafiClientID: ${CLIENT_ID}
    crd:
      approver:
        subject:
          name: cert-manager
          namespace: cert-manager

    Replace ${CLIENT_ID} with the Client ID that you copied when setting up your Firefly Service Account. You can find it on the Service Accounts page. It is a UUID string of format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.

    Learn more about the crd.approver.subject fields.

    When you use Firefly with cert-manager, Firefly will sign CertificateRequest resources in a Kubernetes cluster, but the CertificateRequest resources need to be "approved" first by cert-manager or by an approver-policy app.

    The crd.approver.subject fields allow you to choose the name and namespace of the ServiceAccount of cert-manager or an approver-policy app. The default values are designed to work with the open-source approver-policy app, installed in the cert-manager namespace.

    In this example we are not using an approver-policy app; instead we are using cert-manager to approve CertificateRequests, so we change the ServiceAccount name to that of cert-manager, installed in the cert-manager namespace.

    Read more about the concept of CertificateRequest approval, and approver-policy and approver-policy plugins.

  5. Install the Helm chart.

    helm upgrade prod oci:// \
      --install \
      --create-namespace \
      --namespace venafi \
      --values values.yaml \
      --version v1.2.1

    You may want to change the Helm release name.

    In the example above, replace the term prod with your preferred Helm release name, for example staging.

    Do not omit --version. It is required.

    1. Verify the installation using cmctl to create a test certificate.

    2. First create a file called certificate.yaml containing your desired test certificate:

      # certificate.yaml
      kind: Certificate
        commonName: ${DOMAIN_NAME}
          name: firefly
          kind: Issuer

      • Replace ${POLICY_NAME} with your Firefly policy name, which you can find on the Policies page. Make sure you choose a policy which is associated with your Firefly configuration.

      • Replace ${DOMAIN_NAME} with a domain which is allowed by your Firefly policy, which you can find by clicking on your policy in the Policies page, and examining the Subject > Common Name field.

    3. Use cmctl to create a cert-manager CertificateRequest and wait for the signed certificate:

      cmctl create certificaterequest my-cr \
        --from-certificate-file certificate.yaml \
        --fetch-certificate

      If successful, cmctl will print the filename of a .key and a .crt file. You can examine the signed X.509 certificate using openssl, as follows:

      openssl x509 -in my-cr.crt -noout -text

      You will also see metrics about your issued certificates on the Issuer Certificates page.
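A preflight check for the steps above, as an added example that is not part of the Venafi documentation or tooling: it confirms the Client ID has the UUID form, that the private key file is a PEM private key not readable by group or other, and that no `${...}` placeholder is left in the YAML files. The function names and the permission policy (owner-only access) are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight checks before `kubectl create secret` / `helm upgrade`.
# Function names are hypothetical; they are not part of any Venafi tool.

# Succeeds only for the XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (hex UUID) form.
is_uuid() {
    [ "${#1}" -eq 36 ] || return 1   # exact length also rules out embedded newlines
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Succeeds if $1 is a readable PEM private key with no group/other permissions.
check_key_file() {
    [ -f "$1" ] && [ -r "$1" ] || { echo "not a readable file: $1" >&2; return 1; }
    grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1" ||
        { echo "no PEM private key header in $1" >&2; return 2; }
    perms=$(ls -ldL -- "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ] ||
        { echo "$1 is accessible to group/other; run chmod 600" >&2; return 3; }
}

# Succeeds if file $1 still contains a literal ${NAME} placeholder.
has_placeholder() {
    grep -Eq '[$][{][A-Z_]+[}]' "$1"
}

# usage: preflight CLIENT_ID PRIVATE_KEY_FILE YAML_FILE...
preflight() {
    client_id=$1 key_file=$2
    shift 2
    is_uuid "$client_id" || { echo "client ID is not a UUID" >&2; return 1; }
    check_key_file "$key_file" || return 1
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
        if has_placeholder "$f"; then
            echo "$f still contains an unreplaced \${...} placeholder" >&2
            return 1
        fi
    done
    echo "preflight OK"
}

# Run the checks when invoked with arguments, e.g.:
#   sh preflight.sh "$CLIENT_ID" svc-acct-rsa-priv-key.pem values.yaml certificate.yaml
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```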

What's next?

That's it! You've configured Firefly and started a Firefly server. As Firefly issues certificates, you will see them on the Issuer Certificates dashboard.