Configuring Enterprise Issuer for Next-Gen Trust Security

Once Enterprise Issuer is installed, configure it to issue certificates by creating a VenafiIssuer or VenafiClusterIssuer resource in your cluster.

Installing VenafiConnection

Before proceeding, make sure that you've created a VenafiConnection resource to authenticate with Next-Gen Trust Security. VenafiConnection is included in the Enterprise Issuer Helm chart by default. To install it separately, see Installing Connection for Next-Gen Trust Security.

The two resource types differ in scope:

  • VenafiClusterIssuer is a cluster-scoped resource with no namespace. Any Connection for Next-Gen Trust Security custom resource referenced by a VenafiClusterIssuer must be in the same namespace as Enterprise Issuer.
  • VenafiIssuer is a namespaced resource. Any Connection for Next-Gen Trust Security custom resource referenced by a VenafiIssuer must be in the same namespace as the VenafiIssuer resource or be in a namespace explicitly allowed in the Connection for Next-Gen Trust Security resource definition.

The custom resource definitions for VenafiIssuer and VenafiClusterIssuer are added to your Kubernetes API server when you install Enterprise Issuer.

Configuring how Enterprise Issuer connects to Next-Gen Trust Security

Enterprise Issuer uses the Connection for Next-Gen Trust Security custom resource to connect to Next-Gen Trust Security. To set up a connection using a Built-In Account, see Authenticate to Next-Gen Trust Security with a Built-In Account.

VenafiClusterIssuer

The example below assumes a Connection resource named application-team-1-connection is in the venafi namespace.

apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: application-team-1-ingress-certs
spec:
  venafiConnectionName: application-team-1-connection
  zone: "Issuing Template Name"

VenafiIssuer - same namespace

The example below assumes a Connection resource named application-team-1-connection is in the application-team-1 namespace.

apiVersion: jetstack.io/v1alpha1
kind: VenafiIssuer
metadata:
  name: ingress-certs
  namespace: application-team-1
spec:
  venafiConnectionName: application-team-1-connection
  zone: "Issuing Template Name"

VenafiIssuer - cross namespace

The example below assumes a Connection resource named application-team-1-connection is in the venafi namespace.

You must configure the allowReferencesFrom field of this Connection resource to allow VenafiIssuer resources in the application-team-1 namespace to use it.

apiVersion: jetstack.io/v1alpha1
kind: VenafiIssuer
metadata:
  name: ingress-certs
  namespace: application-team-1
spec:
  venafiConnectionName: application-team-1-connection
  venafiConnectionNamespace: venafi
  zone: "Issuing Template Name"
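As an added check that is not part of the Venafi documentation or product, the following Python encodes the namespace rules from this page so that an issuer manifest can be verified against the available Connection resources before it is applied. ENTERPRISE_ISSUER_NS, the Connection class and its allowed_namespaces field are assumptions: the page names allowReferencesFrom but does not show its syntax, so a plain set of namespace names stands in for it.

```python
from dataclasses import dataclass

ENTERPRISE_ISSUER_NS = "venafi"  # assumption: the namespace Enterprise Issuer runs in

@dataclass(frozen=True)
class Connection:
    # Constructed stand-in for a VenafiConnection; allowed_namespaces models
    # spec.allowReferencesFrom (assumption: its exact syntax is not on this page).
    name: str
    namespace: str
    allowed_namespaces: frozenset = frozenset()

def check_issuer(issuer, connections, operator_ns=ENTERPRISE_ISSUER_NS):
    """Return the rule violations for one issuer manifest (empty list = OK)."""
    kind, meta, spec = issuer["kind"], issuer["metadata"], issuer["spec"]
    conn_name = spec["venafiConnectionName"]
    if kind == "VenafiClusterIssuer":
        # Cluster-scoped: the Connection must live where Enterprise Issuer runs.
        issuer_ns, target_ns = None, operator_ns
    elif kind == "VenafiIssuer":
        issuer_ns = meta.get("namespace")
        if not issuer_ns:
            return ["VenafiIssuer is namespaced; metadata.namespace is required"]
        # Same namespace by default, unless venafiConnectionNamespace points elsewhere.
        target_ns = spec.get("venafiConnectionNamespace", issuer_ns)
    else:
        return [f"unsupported kind {kind!r}"]
    conn = next((c for c in connections if (c.name, c.namespace) == (conn_name, target_ns)), None)
    if conn is None:
        return [f"no VenafiConnection {target_ns}/{conn_name} found"]
    if issuer_ns and target_ns != issuer_ns and issuer_ns not in conn.allowed_namespaces:
        return [f"{target_ns}/{conn_name} does not allow references from "
                f"namespace {issuer_ns!r}; add it to allowReferencesFrom"]
    return []

def issuer(kind, name, namespace=None, **spec):
    # Build an issuer manifest dict shaped like the YAML examples above.
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"apiVersion": "jetstack.io/v1alpha1", "kind": kind, "metadata": meta,
            "spec": {"zone": "Issuing Template Name", **spec}}

# Constructed samples: the venafi-namespace Connection allows application-team-1.
CONNECTIONS = [Connection("application-team-1-connection", "venafi", frozenset({"application-team-1"})),
               Connection("application-team-1-connection", "application-team-1")]
CLUSTER_ISSUER = issuer("VenafiClusterIssuer", "application-team-1-ingress-certs",
                        venafiConnectionName="application-team-1-connection")
SAME_NS_ISSUER = issuer("VenafiIssuer", "ingress-certs", "application-team-1",
                        venafiConnectionName="application-team-1-connection")
CROSS_NS_ISSUER = issuer("VenafiIssuer", "ingress-certs", "application-team-1",
                         venafiConnectionName="application-team-1-connection", venafiConnectionNamespace="venafi")
```

Running check_issuer on the three manifests above returns no violations; removing application-team-1 from the venafi Connection's allowed set makes the cross-namespace issuer fail with a pointer to allowReferencesFrom.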