Venafi Kubernetes components installation

Note

This page provides general information about installing Venafi enterprise components for Kubernetes. For detailed information on installing individual Venafi Kubernetes components, follow the links in the Next Steps section.

Helm-based installation methods

All the Venafi enterprise components have Helm charts, which you can install using the helm CLI or using tools like Flux CD, Argo CD, or Kustomize. Although Helm is a powerful tool, it has some limitations, and you may find the following advice useful:

  • Be careful when uninstalling or upgrading Venafi Kubernetes component Helm charts

    Uninstalling the Helm chart removes the custom resource definitions (CRDs), which in turn causes all the related custom resources (such as Certificate and Issuer) to be deleted.

    Make sure you have a way of restoring all resources before you uninstall or upgrade (see Component backups and Component upgrades).

    Technical Details

    Venafi doesn't use the official Helm crd/ mechanism because it doesn't support upgrading CRD resources. For more information, see the Helm documentation.

    Venafi's Helm charts work around this limitation by adding the CRD manifests to the templates/ directory of the chart. This allows the CRDs to be upgraded just like the other chart manifests. The disadvantage of this workaround is that Helm will not retain the CRDs when you uninstall the chart.

  • Use tools like Venafi CLI, Flux CD, or Argo CD to install the Venafi enterprise components for Kubernetes in the correct order
    Use the Venafi Kubernetes manifests from Venafi CLI or tools like Flux CD and Argo CD to correctly install interdependent Venafi enterprise components for Kubernetes. Note that a Helm umbrella chart can't be used to install the Venafi components.

    Technical Details

    The Helm subchart dependency system installs all subcharts in parallel, which causes the installation to fail. Some of the Venafi enterprise components for Kubernetes depend on CRDs and Webhooks defined in other Venafi enterprise components for Kubernetes. This kind of dependency cannot be modeled using Helm subcharts.

    You can work around this limitation by using Helmfile, which uses a DAG to determine the correct install order. Tools like Flux CD and Argo CD use a similar approach.

  • Use post-processing for fields that are not parameterized
    Use post-processing to configure settings for fields not supported as parameters in Venafi Helm charts.

    • For Helm, use the --post-renderer flag (see Helm docs).
    • For Flux CD, use the postRenderers field (see Flux CD docs).
    • For Argo CD, combine Helm and Kustomize (see this Argo CD example).
    • For Helmfile, use "Adhoc Kustomizations" (see Helmfile docs).

    Technical Details

    Not all requests to parameterize fields can be met, as the development team aims to avoid over-complicating Helm charts.

Obtaining Venafi enterprise components for Kubernetes images

The Venafi Kubernetes components are distributed as OCI (Open Container Initiative) images. The Venafi Container Registry also contains the FIPS version of each image. The images can be obtained as follows:

  1. To access the Venafi images, organizations must authenticate with the Venafi Container Registry.

    Organizations can directly pull the images from the Venafi OCI registry, but Venafi recommends replicating the images to their own Container Registry for production use.

  2. Organizations can verify the integrity of the images by checking that the image is signed by Venafi.
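
The post-processing advice and the recommendation to replicate images to your own registry can be combined in a Helm post-renderer. The script below is an added example, not code from Venafi or its charts: it repoints image references at an internal mirror and fails the release if any image would still be pulled from elsewhere. The registry names `upstream-registry.example` and `registry.internal.example/venafi` and the sample manifest are placeholders constructed for illustration.

```python
#!/usr/bin/env python3
"""Helm post-renderer: manifests arrive on stdin, stdout is what gets installed."""
import re
import sys

# Assumptions (placeholders, not real Venafi values): the upstream registry
# host you replicate from, and the repository prefix in your own registry.
UPSTREAM = "upstream-registry.example"
MIRROR = "registry.internal.example/venafi"

# Line-based match for `image: ref` / `- image: ref`, quotes optional.
# Good enough for rendered chart output; it is not a full YAML parser.
IMAGE_LINE = re.compile(r"""^(\s*(?:-\s+)?image:\s*)(["']?)([^\s"'#]+)\2(\s*(?:#.*)?)$""")

# Constructed sample of rendered output, used only to exercise rewrite().
SAMPLE = """\
containers:
  - name: controller
    image: "upstream-registry.example/example-controller:v1.2.3"
  - name: sidecar
    image: docker.io/library/busybox:1.36  # not replicated
"""

def rewrite(manifests):
    """Return (text with upstream images repointed, refs still outside MIRROR)."""
    out, offenders = [], []
    for line in manifests.splitlines():
        m = IMAGE_LINE.match(line)
        if m:
            prefix, quote, ref, tail = m.groups()
            if ref.startswith(UPSTREAM + "/"):
                ref = MIRROR + ref[len(UPSTREAM):]
            if not ref.startswith(MIRROR + "/"):
                offenders.append(ref)
            line = f"{prefix}{quote}{ref}{quote}{tail}"
        out.append(line)
    return "\n".join(out) + "\n", offenders

def main():
    text, offenders = rewrite(sys.stdin.read())
    if offenders:
        # A non-zero exit makes Helm abort instead of installing these images.
        sys.stderr.write("images not served from %s: %s\n" % (MIRROR, ", ".join(offenders)))
        return 1
    sys.stdout.write(text)
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Make the file executable and pass its path to the helm CLI with the --post-renderer flag.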

Next Steps