Venafi Control Plane Operator API reference

Configuring Venafi Control Plane Operator for Red Hat OpenShift is a simple procedure, and is done using VenafiInstall custom resources.

Sample VenafiInstall custom resource

The snippet below shows a VenafiInstall custom resource with some useful parameters.
venafi-components.yaml

```yaml
apiVersion: installer.venafi.com/v1alpha1
kind: VenafiInstall
metadata:
  name: venafi-components
spec:
  globals:
    customChartRepository: oci://registry.venafi.cloud/charts
    chartRepositoryAuthenticationSecretRef:
      name: venafi-helm-pull-secret
    customImageRegistry: private-registry.venafi.cloud
    enableDefaultApprover: false
    imagePullSecretNames: [venafi-image-pull-secret]
    namespace: venafi
    useFIPSImages: false
    vcpRegion: US
    region: US
  certManager:
    install: true
    chartRepository: oci://registry.venafi.cloud/charts
    imageRegistry: private-registry.venafi.cloud/cert-manager
    skip: false
    values:
      tolerations:
        - key: node-role.kubernetes.io/infra
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/private
          operator: Exists
          effect: NoSchedule
    version: v1.17.1
  approverPolicyEnterprise:
    install: false
  firefly:
    install: false
    acceptTOS: true
    clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  trustManager:
    install: false
  venafiKubernetesAgent:
    install: false
    clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  venafiEnhancedIssuer:
    install: false
  certManagerCSIDriverSPIFFE:
    install: false
    trustDomain: my.trust.domain
  certManagerIstioCSR:
    install: false
    trustDomain: example.com
    runtimeConfigMapName: configmap-in-install-namespace
  openshiftRoutes:
    install: false
```
Global parameters
Parameter | Type | Description |
---|---|---|
customChartRepository | string | Override the default location for pulling Venafi component Helm charts. This setting applies to all components unless individually configured. Leaving it blank uses the default registry per component. The address must include a scheme (for example, oci://). |
chartRepositoryAuthenticationSecretRef | object | Specify a secret that will be used for authentication with the Helm repository. |
customImageRegistry | string | Override the default location for pulling Venafi component images. This setting applies to all components unless individually configured. Leaving it blank uses the default registry per component. |
enableDefaultApprover | boolean | Setting this to true enables cert-manager's built-in auto-approver for certificate requests. This bypasses installing a more granular Approver Policy component, which is generally recommended for production environments. |
imagePullSecretNames | list of strings | Specify a list of image pull secret names that will be used to access the container images of the Venafi components. The default value is [venafi-image-pull-secret]. |
namespace | string | Specify the namespace where all Venafi components will be installed. The default namespace is venafi. |
region | string | The region to pull the container images from for all components. The default value is us. |
useFIPSImages | boolean | Setting this option to true will use FIPS-compliant container images for Venafi components that offer them. This mode enforces stricter cryptographic standards. |
vcpRegion | string | Specify the region of your Venafi Control Plane tenant. This is only applicable if you want to deploy Venafi Kubernetes Agent. Valid options are: us and eu. |

Component name parameters

The following component names are used (as keys under spec in the VenafiInstall resource, and in the Operator Helm file) to indicate which Venafi Kubernetes component you want to install:
Parameter | Component |
---|---|
certManagerApproverPolicy | Approver Policy |
approverPolicyEnterprise | Approver Policy Enterprise |
awsPrivateCAIssuer | AWS Private CA Issuer |
certManager | cert-manager |
certManagerCSIDriver | CSI driver |
certManagerCSIDriverSPIFFE | CSI driver for SPIFFE |
firefly | Firefly |
trustManager | Trust Manager |
venafiKubernetesAgent | Venafi Kubernetes Agent |
venafiConnection | Venafi Connection |
venafiEnhancedIssuer | Venafi Enhanced Issuer |
Component install parameters

These are the parameters you can set when installing each component:
Parameter | Type | Description |
---|---|---|
acceptTOS | boolean | Accept the terms of service for Venafi Firefly. To view the terms of service, see the end user license agreement. This Firefly-specific parameter must be set to true to install Firefly. |
chartRepository | string | Override the default location for pulling the Helm chart of the current Venafi component. The address must include a scheme (for example, oci://). |
chartRepositoryAuthenticationSecretRef | object | Specify a secret that will be used for authentication with the Helm repository. |
clientID | string | The client ID for Venafi Firefly or Venafi Kubernetes Agent. This is a required field when installing Venafi Kubernetes Agent or Venafi Firefly. |
imageRegistry | string | Override the default location for pulling the container image of the current Venafi component. |
install | boolean | Install the Venafi component and all the necessary dependencies to run properly. |
skip | boolean | Set to true to skip the installation of the dependencies of the current component. |
trustDomain | string | The CSI driver for SPIFFE trust domain. This is a required field when installing the CSI driver for SPIFFE. |
values | object | The Values parameter contains the configuration options for the current component. Refer to the individual Helm values of the Venafi component to understand more about the available options. |
version | string | The version of the Venafi component to install. This should be a semantic version starting with a v prefix, for example v1.0.0. |
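The global and component parameter tables above state several constraints that the operator only reports at reconcile time: chart repository addresses need a scheme, versions need a v-prefixed semantic version, vcpRegion accepts only us or eu, Firefly needs acceptTOS true, Firefly and Venafi Kubernetes Agent need a clientID, and the CSI driver for SPIFFE needs a trustDomain. The following pre-flight linter is an added example written for this page; it is not part of the Venafi operator and does not call its API. It takes an already-parsed VenafiInstall manifest (a dict, as any YAML library would produce) and checks those documented constraints, plus the approval posture implied by enableDefaultApprover: the built-in approver accepts every CertificateRequest, while a configuration with neither the built-in approver nor an approver policy component leaves requests unapproved. The two manifests embedded in the block are constructed samples (the first mirrors the sample resource above), and the placeholder-clientID check assumes the xxxxxxxx-… dummy format used in that sample.

```python
"""Pre-flight linter for a VenafiInstall manifest (added example, not operator code)."""
import re
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, field path, message)

NEEDS_CLIENT_ID = ("firefly", "venafiKubernetesAgent")          # clientID description
APPROVER_COMPONENTS = ("certManagerApproverPolicy", "approverPolicyEnterprise")
VERSION_RE = re.compile(r"^v\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")  # v-prefixed semver
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")               # e.g. oci://
PLACEHOLDER_RE = re.compile(r"^x{8}-x{4}-x{4}-x{4}-x{12}$")            # assumed dummy ID format


def _check_repo(path: str, value: Any, out: List[Finding]) -> None:
    """Chart repository addresses must carry a scheme such as oci://."""
    if value and not SCHEME_RE.match(str(value)):
        out.append(("ERROR", path, "address must include a scheme, for example oci://"))


def validate(manifest: Dict[str, Any]) -> List[Finding]:
    out: List[Finding] = []
    spec = manifest.get("spec") or {}
    g = spec.get("globals") or {}

    _check_repo("spec.globals.customChartRepository", g.get("customChartRepository"), out)
    ref = g.get("chartRepositoryAuthenticationSecretRef")
    if ref is not None and not (isinstance(ref, dict) and ref.get("name")):
        out.append(("ERROR", "spec.globals.chartRepositoryAuthenticationSecretRef",
                    "must reference a secret by name"))
    vcp = g.get("vcpRegion")
    if vcp is not None and str(vcp).lower() not in ("us", "eu"):
        out.append(("ERROR", "spec.globals.vcpRegion", "valid options are us and eu"))

    # Approval posture: who approves CertificateRequests in this install?
    approver_installed = any((spec.get(c) or {}).get("install") for c in APPROVER_COMPONENTS)
    if g.get("enableDefaultApprover"):
        out.append(("WARN", "spec.globals.enableDefaultApprover",
                    "built-in approver auto-approves every CertificateRequest; "
                    "an approver policy component is recommended for production"))
        if approver_installed:
            out.append(("WARN", "spec.globals.enableDefaultApprover",
                        "built-in approver and an approver policy component are both enabled"))
    elif not approver_installed:
        out.append(("WARN", "spec.globals.enableDefaultApprover",
                    "no approver configured: CertificateRequests will stay unapproved"))

    for name, comp in spec.items():
        if name == "globals" or not isinstance(comp, dict):
            continue
        base = f"spec.{name}"
        _check_repo(f"{base}.chartRepository", comp.get("chartRepository"), out)
        version = comp.get("version")
        if version is not None and not VERSION_RE.match(str(version)):
            out.append(("ERROR", f"{base}.version",
                        "must be a semantic version with a v prefix, for example v1.0.0"))
        if not comp.get("install"):
            continue  # remaining requirements apply only when the component is installed
        if name == "firefly" and comp.get("acceptTOS") is not True:
            out.append(("ERROR", f"{base}.acceptTOS", "must be true to install Firefly"))
        if name in NEEDS_CLIENT_ID:
            cid = comp.get("clientID")
            if not cid:
                out.append(("ERROR", f"{base}.clientID", "required when installing this component"))
            elif PLACEHOLDER_RE.match(str(cid)):
                out.append(("ERROR", f"{base}.clientID", "placeholder value left in place"))
        if name == "certManagerCSIDriverSPIFFE" and not comp.get("trustDomain"):
            out.append(("ERROR", f"{base}.trustDomain",
                        "required when installing the CSI driver for SPIFFE"))
    return out


def error_paths(manifest: Dict[str, Any]) -> List[str]:
    """Sorted field paths of ERROR-level findings; empty means the manifest passes."""
    return sorted(path for sev, path, _ in validate(manifest) if sev == "ERROR")


# Constructed sample 1: mirrors the sample resource on this page.
SAMPLE = {
    "apiVersion": "installer.venafi.com/v1alpha1", "kind": "VenafiInstall",
    "metadata": {"name": "venafi-components"},
    "spec": {
        "globals": {"customChartRepository": "oci://registry.venafi.cloud/charts",
                    "chartRepositoryAuthenticationSecretRef": {"name": "venafi-helm-pull-secret"},
                    "enableDefaultApprover": False, "namespace": "venafi", "vcpRegion": "US"},
        "certManager": {"install": True, "chartRepository": "oci://registry.venafi.cloud/charts",
                        "version": "v1.17.1"},
        "firefly": {"install": False, "acceptTOS": True,
                    "clientID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},
    },
}

# Constructed sample 2: every documented constraint violated at least once.
BAD = {
    "apiVersion": "installer.venafi.com/v1alpha1", "kind": "VenafiInstall",
    "spec": {
        "globals": {"customChartRepository": "registry.venafi.cloud/charts",
                    "enableDefaultApprover": True, "vcpRegion": "apac"},
        "certManager": {"install": True, "version": "1.17.1"},
        "firefly": {"install": True, "acceptTOS": False,
                    "clientID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},
        "venafiKubernetesAgent": {"install": True},
        "certManagerCSIDriverSPIFFE": {"install": True},
    },
}

if __name__ == "__main__":
    for label, m in (("sample", SAMPLE), ("bad", BAD)):
        for sev, path, msg in validate(m):
            print(f"{label}: {sev} {path}: {msg}")
```

Running the block prints one warning for the page's sample (no approver policy component is installed and the built-in approver is off, so CertificateRequests would wait for a manual approval) and seven errors plus a warning for the deliberately broken manifest. Load a real manifest with a YAML parser and pass the resulting dict to validate() before applying it.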