Venafi Control Plane Operator API reference¶

Configuring Venafi Control Plane Operator for Red Hat OpenShift is a simple procedure, and is done using VenafiInstall custom resources.

Sample VenafiInstall custom resource¶

The snippet below showcases a VenafiInstall custom resource with some useful parameters.

apiVersion: installer.venafi.com/v1alpha1
kind: VenafiInstall
metadata:
  name: venafi-components
spec:
  globals: # (1)!
    customChartRepository: oci://registry.venafi.cloud/charts # (2)!
    chartRepositoryAuthenticationSecretRef:
      name: venafi-helm-pull-secret # (3)!
    customImageRegistry: private-registry.venafi.cloud # (4)!
    enableDefaultApprover: false # (5)!
    imagePullSecretNames: [venafi-image-pull-secret] # (6)!
    namespace: venafi # (7)!
    useFIPSImages: false # (8)!
    vcpRegion: US # (9)!
    region: US # (10)!
  certManager: # (11)!
    install: true # (12)!
    chartRepository: oci://registry.venafi.cloud/charts # (13)!
    imageRegistry: private-registry.venafi.cloud/cert-manager # (14)!
    skip: false # (15)!
    values: # (16)!
      tolerations: # (17)!
      - key: node-role.kubernetes.io/infra
        operator: Exists
        effect: NoSchedule
      - key: node-role.kubernetes.io/private
        operator: Exists
        effect: NoSchedule
    version: v1.16.1 # (18)!
  approverPolicyEnterprise:
    install: false
  firefly:
    install: false
    acceptTOS: true # (19)!
    clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # (20)!
  trustManager:
    install: false
  venafiKubernetesAgent:
    install: false
    clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # (21)!
  venafiEnhancedIssuer:
    install: false
  certManagerCSIDriverSPIFFE:
    install: false
    trustDomain: my.trust.domain # (22)!
  certManagerIstioCSR:
    install: false
    trustDomain: example.com # (23)!
    runtimeConfigMapName: configmap-in-install-namespace # (24)!
  openshiftRoutes:
    install: false

1. The global parameters.
2. Override the default location for pulling Venafi component Helm charts. This setting applies to all components unless individually configured. Leaving it blank uses the default registry per component. The address must include a scheme (for example, oci://).
3. Specify a secret that will be used for authentication with the Helm repository. The secret named here must be in the namespace specified under spec.globals.namespace. The default namespace is venafi.
4. Override the default location for pulling Venafi component images. This setting applies to all components unless individually configured. Leaving it blank uses the default registry per component.
5. Setting this to true enables cert-manager's built-in auto-approver for certificate requests. This bypasses the installing a more granular Approver Policy component, which is generally recommended for production environments.
6. Specify a list of image pull secret names, separated by commas, that will be used to access the container images of the Venafi components. The default value is [venafi-image-pull-secret].
7. Specify the namespace where all Venafi components will be installed. The default namespace is venafi.
8. Setting this option to true will use FIPS-compliant container images for Venafi components that offer them. This mode enforces stricter cryptographic standards.
9. Specify the region of your Venafi Control Plane tenant. This information will be used by components, such as the Venafi Kubernetes Agent, that interact with Venafi Control Plane. Valid options are: us and eu.
10. The region to pull the container images from for all components. The default value is us.
11. The Venafi components to be managed by Venafi Control Plane Operator.
12. Override the default location for pulling the Helm chart of the current Venafi component. The address must include a scheme (for example, oci://)
13. Override the default location for pulling the container image of the current Venafi component.
14. Install the Venafi component and all the necessary dependencies it needs to run properly.
15. Set to true to skip the installation of the dependencies of the current component.
16. The Values parameter contains the configuration options for the current component. Refer to the individual Helm values of the Venafi component to understand more about the available options.
17. Example configuration for pod's tolerations.
18. The version of the Venafi component to install. This should be a semantic version starting with a v prefix. For example, v1.0.0..
19. Accept the terms of service for Venafi Firefly. To view the terms of service, see the end user license agreement.
20. Use this field to specify the client ID of the Venafi Control Plane service account for the Venafi Firefly. This is a required field when installing Venafi Firefly.
21. Use this field to specify the client ID of the Venafi Control Plane service account for the Venafi Kubernetes Agent. This is a required field when installing Venafi Kubernetes Agent.
22. Use this field to specify the CSI driver for SPIFFE trust domain. This is a required field when installing the CSI driver for SPIFFE.
23. Provide the name of the trust domain here. This is a required field when installing Istio CSR.
24. Add the name of the ConfigMap in the namespace where you installed the Operator.

Global parameters¶

Component name parameters¶

The following component names are used in the Operator Helm file to indicate the Venafi Kubernetes component you want to install:

Component install parameters¶

These are the parameters you can set for installing each component:

Related links¶

• Venafi Control Plane Operator overview
• Installing Venafi Control Plane Operator
• Venafi Control Plane Operator releases