CyberArk Certificate Manager Kubernetes components overview¶
CyberArk Certificate Manager supports the following Kubernetes components to manage certificates and machine identities in your Kubernetes clusters.
Approver Policy¶
Approver Policy is a cert-manager approver that approves or denies certificate requests based on policies defined in the certificate request policy custom resource.
Latest release: v0.24.0 — 9 March, 2026
cert-manager¶
cert-manager is an enterprise distribution of cert-manager. The component adds certificates and certificate issuers as resource types in Kubernetes clusters and simplifies obtaining, renewing, and using certificates.
Latest release: v1.20.0 — 9 March, 2026
CSI Driver¶
CSI Driver is a storage plugin you deploy into your Kubernetes cluster to honor volume requests specified on Pods.
Latest release: v0.14.0 — 9 March, 2026
CSI Driver for SPIFFE¶
CSI Driver for SPIFFE is a Container Storage Interface (CSI) driver plugin for Kubernetes, designed to work alongside cert-manager to deliver SPIFFE SVIDs (Verifiable Identity Documents), in the form of X.509 certificate key pairs, to mounting Kubernetes Pods.
Latest release: v0.12.0 — 9 March, 2026
Connection for CyberArk Certificate Manager¶
Connection for CyberArk Certificate Manager ensures proper authentication between your Kubernetes clusters and Certificate Manager - SaaS. The component offers flexible authentication mechanisms such as bearer tokens or OIDC.
Latest release: v0.6.0 — 30 April, 2026
CyberArk Workload Identity Manager¶
CyberArk Workload Identity Manager, formerly known as Firefly, is a high-performing, lightweight microservice that quickly issues machine identities with no dependencies, fits in globally distributed application architectures, and provides high-speed/high-volume certificate issuance capacity with enterprise trust and policy enforcement.
Latest release: v1.11.0 — 17 December, 2025
Discovery Agent¶
Discovery Agent, formerly known as Venafi Kubernetes Agent, gathers data for machine identities and other Kubernetes resources, such as ingresses, from Kubernetes clusters connected to Certificate Manager - SaaS. The agent regularly connects to Certificate Manager - SaaS to transmit the collected data for evaluation. After the evaluation, you can view the current status of certificates, ingresses, and cert-manager components in Certificate Manager - SaaS.
Latest release: 1.10.0 — 7 May, 2026
Enterprise Approver Policy for CyberArk Certificate Manager¶
Enterprise Approver Policy for CyberArk Certificate Manager is the enterprise version of Approver Policy, which enables you to apply certificate policies by connecting your Kubernetes cluster to Certificate Manager - SaaS.
Latest release: v0.24.1 — 16 March, 2026
Enterprise Issuer for CyberArk Certificate Manager¶
Enterprise Issuer for CyberArk Certificate Manager is a cert-manager issuer that can be either cluster-wide or per namespace. This component enables your clusters to issue certificates from Certificate Manager - SaaS.
Latest release: v0.19.1 — 8 May, 2026
Istio CSR¶
Istio CSR is an agent that allows you to secure Istio workload and control plane components using cert-manager.
Latest release: v0.16.0 — 9 March, 2026
Manifest tool for CyberArk Certificate Manager¶
Manifest tool for CyberArk Certificate Manager is a feature in the CLI tool for CyberArk Certificate Manager that is a powerful command-line utility that streamlines the installation of CyberArk Kubernetes components in clusters. The Manifest tool for CyberArk Certificate Manager is released in concert with, and installed as part of, the CLI tool for CyberArk Certificate Manager tool.
Latest release: v1.28.0 — 10 March, 2026
OpenShift Routes for cert-manager¶
OpenShift Routes for cert-manager provides route support for cert-manager by automatically provisioning certificates for OpenShift routes from any cert-manager issuer, similar to annotating an Ingress or Gateway resource in Kubernetes.
Latest release: v0.9.0 — 9 March, 2026
Trust Manager¶
Trust Manager is a Kubernetes operator that manages TLS trust bundles in Kubernetes and OpenShift clusters.
Latest release: v0.22.0 — 9 March, 2026
Workload Identity Manager¶
Workload Identity Manager is a lightweight certificate issuer that operates in Kubernetes, OpenShift, and other cloud-native environments to deliver X.509 certificates over gRPC or REST with no external dependencies. Workload Identity Manager is formerly known as Firefly.
Latest release: v1.11.0 — 8 May, 2026