
Deploying Firefly on OpenShift using the Venafi Control Plane Operator

Venafi Control Plane Operator for Red Hat OpenShift is designed to assist customers in installing, maintaining, and upgrading Venafi cluster components.

Installing Firefly requires that you also install cert-manager. Follow the steps below to deploy the default version of cert-manager and Firefly on OpenShift using the Venafi Control Plane Operator.

Prerequisites

To install Firefly using the Venafi Control Plane Operator, you need the following:

  • Access to the Venafi OCI registry (or your own mirror).
  • Venafi Control Plane Operator already installed on your system.
  • The Red Hat OpenShift CLI tool oc installed on your system.
  • A Firefly service account, already created, because these steps require its private key and clientID. The clientID is a unique ID tied to the service account you created. When you created the service account, we suggested saving the clientID somewhere you could find it again for this part of the process. If you need help, see Service Accounts for Firefly.

Step 1: Configure access to the Venafi OCI registry

Important

Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.

For the example below, it's assumed that you created the following Kubernetes Secret:

  • namespace: venafi
  • name: venafi-image-pull-secret

Step 2: Create a secret

Create a secret containing the private key of your Firefly service account:

oc create secret generic venafi-credentials \
  --namespace venafi \
  --from-file=svc-acct.key=${PRIVATE_KEY_FILE}

Replace ${PRIVATE_KEY_FILE} with the path to the private key you created when setting up your Firefly Service Account. For example: svc-acct-rsa-priv-key.pem.

Step 3: Review Venafi End User License Agreement

  1. Review the Venafi End User License Agreement. In the next step, you will agree to abide by these terms.

Step 4: Create and apply the manifest

  1. Create a manifest venafi-components.yaml. You can use one of the samples below:

    venafi-components.yaml (US region)
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals:
        enableDefaultApprover: true
        imagePullSecretNames: [venafi-image-pull-secret] 
        namespace: venafi 
        useFIPSImages: false 
        vcpRegion: US 
        region: US 
      certManager: 
        install: true
        skip: false
      firefly:
        install: true
        acceptTOS: true 
        clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    
    venafi-components.yaml (EU region)
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals:
        enableDefaultApprover: true
        imagePullSecretNames: [venafi-image-pull-secret] 
        namespace: venafi 
        useFIPSImages: false 
        vcpRegion: EU 
        region: EU 
      certManager: 
        install: true
        skip: false
      firefly:
        install: true
        acceptTOS: true 
        clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    
    venafi-components.yaml (custom chart repository and image registry)
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals: 
        customChartRepository: oci://myregistry.example.com/charts
        customImageRegistry: myregistry.example.com
        enableDefaultApprover: true
        imagePullSecretNames: [venafi-image-pull-secret] 
        namespace: venafi 
        useFIPSImages: false 
        vcpRegion: US 
        region: US 
      certManager: 
        install: true
        skip: false
      firefly:
        install: true
        acceptTOS: true 
        clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    

    Notes

    Set enableDefaultApprover to true as Firefly requires the cert-manager default approver unless you have Approver Policy Enterprise installed.

    Set the skip parameter to true if you have already installed and configured cert-manager.

    Use the acceptTOS field to accept the terms of service for Venafi Firefly. To review the terms of service, see the end user license agreement.

    Use the clientID field to specify the client ID of the Venafi Control Plane service account for Venafi Firefly. This field is required when installing Venafi Firefly.

    Tip

    For a complete list of Venafi Control Plane Operator configuration parameters, refer to the Venafi Control Plane Operator API reference.

  2. Apply the manifest by running the following command:

    oc apply -f venafi-components.yaml
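
A pre-flight check to run before the oc apply above, as an added example that is not part of the Venafi documentation or product: it checks the manifest from this step and the private key file from Step 2. It assumes a real clientID is a UUID (the shape of the sample placeholder) and that the key file should be accessible only to its owner; the function names are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Venafi code): pre-flight checks for Steps 2 and 4.

# Print the value of the first "key: value" line in the manifest, minus comments.
manifest_value() {  # $1 = manifest path, $2 = key
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" |
    head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if the manifest is ready to apply; otherwise print each problem.
check_manifest() {  # $1 = manifest path
  rc=0
  id=$(manifest_value "$1" clientID)
  # The samples carry an all-x placeholder; assume a real clientID is a UUID.
  printf '%s\n' "$id" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
    { echo "clientID missing or still the placeholder: '$id'"; rc=1; }
  [ "$(manifest_value "$1" acceptTOS)" = true ] ||
    { echo "acceptTOS is not true"; rc=1; }
  [ "$(manifest_value "$1" namespace)" = venafi ] ||
    { echo "namespace is not venafi"; rc=1; }
  manifest_value "$1" imagePullSecretNames | grep -q venafi-image-pull-secret ||
    { echo "imagePullSecretNames lacks venafi-image-pull-secret"; rc=1; }
  return "$rc"
}

# Return 0 if the file is a PEM private key that only its owner can access.
check_key_file() {  # $1 = private key path
  [ -f "$1" ] || { echo "key file not found: $1"; return 1; }
  rc=0
  head -n 1 "$1" | grep -Eq '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' ||
    { echo "$1 does not start with a PEM private key header"; rc=1; }
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case $mode in
    *00) ;;
    *) echo "$1 has mode $mode; restrict it, e.g. chmod 600"; rc=1 ;;
  esac
  return "$rc"
}

# Constructed demo: the page's sample, unedited, is rejected for its placeholder.
demo=$(mktemp -d)
printf '%s\n' 'spec:' '  globals:' \
  '    imagePullSecretNames: [venafi-image-pull-secret] ' \
  '    namespace: venafi ' '  firefly:' '    acceptTOS: true ' \
  '    clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' > "$demo/venafi-components.yaml"
check_manifest "$demo/venafi-components.yaml" || echo "fix the manifest before oc apply"
rm -rf "$demo"
```

The key-file check also catches the case where the service account's public key, rather than its private key, is about to be loaded into the venafi-credentials secret.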
    

Step 5: Verify the installation

  1. Verify whether Firefly is successfully installed by running the following command:

    oc get venafiinstall,pods
    

    Sample output:

    NAME                                                   STATUS       LAST SYNC
    venafiinstall.installer.venafi.com/venafi-components   Installing   1s
    
    NAME                                           READY   STATUS    RESTARTS   AGE
    pod/cert-manager-69bcb5cdd6-7jrpg              1/1     Running   0          8m30s
    pod/cert-manager-cainjector-599d6c48b9-wl6b8   1/1     Running   0          8m30s
    pod/cert-manager-webhook-7546d64c9c-s25hj      1/1     Running   0          8m30s
    pod/firefly-588458dcbd-9x9gj                   1/1     Running   0          17s
    pod/firefly-588458dcbd-smqdk                   1/1     Running   0          12s