Skip to content

Configuring the Kubernetes integration

The interface between a cert-manager instance and TLS Protect Cloud is configured via a cert-manager issuer. The issuer contains a reference to a Kubernetes secret that contains your TLS Protect Cloud API key as well as the zone that will be used by the cert-manager plugin to request certificates. The ‘cloudsecret’ field contains the name of the Kubernetes secret that contains your API key. The ‘zone’ field contains the name of the zone (in the example that follows for an application called "my-app").

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cloud-venafi-issuer
  namespace: <NAMESPACE WHERE CERTIFICATES ARE NEEDED>
spec:
  venafi:
   zone: "my-app\\Default"
   cloud:
     apiTokenSecretRef:
       name: cloud-secret
       key: apikey

To discover the correct zone for your application:

  1. Navigate to Applications, and click the your application name.
  2. In the side panel that opens, click the DevOps Tools tab, and select an option from the Issuing Templates drop-down list.
  3. Select from the Integration drop-down list. You'll see the zone value for that Application and Issuing Template in the second command codeblock that appears.

Note

Your Parameters displays the policies that must be conformed to when certificates are requested from the zone.

Additional information and examples of setting up the issuer with TLS Protect Cloud and other Venafi solutions can be found in Venafi's Github page.