Venafi Control Plane Operator API reference¶
You configure Venafi Control Plane Operator for Red Hat OpenShift through `VenafiInstall` custom resources: one resource selects which Venafi components the Operator installs, where their charts and images are pulled from, and the per-component settings described below.
Sample VenafiInstall custom resource¶
The snippet below shows a `VenafiInstall` custom resource with some useful parameters. The numbered markers are explained in the list that follows.
venafi-components.yaml

```yaml
apiVersion: installer.venafi.com/v1alpha1
kind: VenafiInstall
metadata:
  name: venafi-components
spec:
  globals: # (1)!
    customChartRepository: oci://registry.venafi.cloud/charts # (2)!
    chartRepositoryAuthenticationSecretRef:
      name: venafi-helm-pull-secret # (3)!
    customImageRegistry: private-registry.venafi.cloud # (4)!
    enableDefaultApprover: false # (5)!
    imagePullSecretNames: [venafi-image-pull-secret] # (6)!
    namespace: venafi # (7)!
    useFIPSImages: false # (8)!
    vcpRegion: US # (9)!
    region: US # (10)!
  certManager: # (11)!
    install: true # (12)!
    chartRepository: oci://registry.venafi.cloud/charts # (13)!
    imageRegistry: private-registry.venafi.cloud/cert-manager # (14)!
    skip: false # (15)!
    values: # (16)!
      tolerations: # (17)!
        - key: node-role.kubernetes.io/infra
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/private
          operator: Exists
          effect: NoSchedule
    version: v1.16.2 # (18)!
  approverPolicyEnterprise:
    install: false
  firefly:
    install: false
    acceptTOS: true # (19)!
    clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # (20)!
  trustManager:
    install: false
  venafiKubernetesAgent:
    install: false
    clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # (21)!
  venafiEnhancedIssuer:
    install: false
  certManagerCSIDriverSPIFFE:
    install: false
    trustDomain: my.trust.domain # (22)!
  certManagerIstioCSR:
    install: false
    trustDomain: example.com # (23)!
    runtimeConfigMapName: configmap-in-install-namespace # (24)!
  openshiftRoutes:
    install: false
```
1. The global parameters. They apply to every component unless a component overrides them.
2. Override the default location for pulling Venafi component Helm charts. This setting applies to all components unless individually configured. Leaving it blank uses the default registry per component. The address must include a scheme (for example, `oci://`).
3. Specify a secret that will be used for authentication with the Helm repository. The secret named here must exist in the namespace specified under `spec.globals.namespace`; the default namespace is `venafi`.
4. Override the default location for pulling Venafi component images. This setting applies to all components unless individually configured. Leaving it blank uses the default registry per component.
5. Setting this to `true` enables cert-manager's built-in auto-approver for certificate requests. This bypasses installing the more granular Approver Policy component, which is generally recommended for production environments. Keep it `false` unless you explicitly want every certificate request approved without policy.
6. Specify a list of image pull secret names, separated by commas, that will be used to access the container images of the Venafi components. The default value is `[venafi-image-pull-secret]`. Like the chart pull secret, these secrets must exist in the install namespace.
7. Specify the namespace where all Venafi components will be installed. The default namespace is `venafi`.
8. Setting this option to `true` will use FIPS-compliant container images for Venafi components that offer them. This mode enforces stricter cryptographic standards.
9. Specify the region of your Venafi Control Plane tenant. This information will be used by components, such as the Venafi Kubernetes Agent, that interact with Venafi Control Plane. Valid options are `us` and `eu`.
10. The region to pull the container images from for all components. The default value is `us`.
11. The Venafi components to be managed by Venafi Control Plane Operator. Each component is a key under `spec`; see the component name table below.
12. Install the Venafi component and all the necessary dependencies it needs to run properly.
13. Override the default location for pulling the Helm chart of the current Venafi component. The address must include a scheme (for example, `oci://`).
14. Override the default location for pulling the container image of the current Venafi component.
15. Set to `true` to skip the installation of the dependencies of the current component.
16. The `values` parameter contains the configuration options for the current component. Refer to the individual Helm values of the Venafi component to understand more about the available options.
17. Example configuration for the pod's `tolerations`.
18. The version of the Venafi component to install. This should be a semantic version starting with a `v` prefix, for example `v1.0.0`.
19. Accept the terms of service for Venafi Firefly. To view the terms of service, see the end user license agreement.
20. Use this field to specify the client ID of the Venafi Control Plane service account for Venafi Firefly. This is a required field when installing Venafi Firefly.
21. Use this field to specify the client ID of the Venafi Control Plane service account for the Venafi Kubernetes Agent. This is a required field when installing Venafi Kubernetes Agent.
22. The SPIFFE trust domain used by the CSI driver for SPIFFE. This is a required field when installing the CSI driver for SPIFFE.
23. Provide the name of the trust domain here. This is a required field when installing Istio CSR.
24. Add the name of the ConfigMap in the namespace where you installed the Operator.
Global parameters¶
Parameter | Type | Description |
---|---|---|
customChartRepository | string | Override the default location for pulling Venafi component Helm charts. This setting applies to all components unless individually configured. Leaving it blank uses the default registry per component. The address must include a scheme (for example, oci:// ). |
chartRepositoryAuthenticationSecretRef | object | Specify a secret (by `name`) that will be used for authentication with the Helm repository. The secret must exist in the namespace given by `namespace` (default `venafi`). |
customImageRegistry | string | Override the default location for pulling Venafi component images. This setting applies to all components unless individually configured. Leaving it blank uses the default registry per component. |
enableDefaultApprover | boolean | Setting this to true enables cert-manager's built-in auto-approver for certificate requests. This bypasses installing a more granular Approver Policy component, which is generally recommended for production environments. |
imagePullSecretNames | list of strings | Specify a list of image pull secret names that will be used to access the container images of the Venafi components. The default value is `[venafi-image-pull-secret]`. |
namespace | string | Specify the namespace where all Venafi components will be installed. The default namespace is venafi . |
region | string | The region to pull the container images from for all components. The default value is us . |
useFIPSImages | boolean | Setting this option to true will use FIPS-compliant container images for Venafi components that offer them. This mode enforces stricter cryptographic standards. |
vcpRegion | string | Specify the region of your Venafi Control Plane tenant. This is only applicable if you deploy components that interact with Venafi Control Plane, such as the Venafi Kubernetes Agent. Valid options are `us` and `eu`. |
Component name parameters¶
The following component names are used as keys under `spec` in the `VenafiInstall` custom resource to indicate the Venafi Kubernetes component you want to install:
Parameter | Component |
---|---|
certManagerApproverPolicy | Approver Policy |
approverPolicyEnterprise | Approver Policy Enterprise |
awsPrivateCAIssuer | AWS Private CA Issuer |
certManager | cert-manager |
certManagerCSIDriver | CSI driver |
certManagerCSIDriverSPIFFE | CSI driver for SPIFFE |
certManagerIstioCSR | Istio CSR |
firefly | Firefly |
openshiftRoutes | OpenShift Routes |
trustManager | Trust Manager |
venafiKubernetesAgent | Venafi Kubernetes Agent |
venafiConnection | Venafi Connection |
venafiEnhancedIssuer | Venafi Enhanced Issuer |
Component install parameters¶
These are the parameters you can set for installing each component:
Parameter | Type | Description |
---|---|---|
acceptTOS | boolean | Accept the terms of service for Venafi Firefly. To view the terms of service, see the end user license agreement. This Firefly-specific parameter must be set to true to install Firefly. |
chartRepository | string | Override the default location for pulling the Helm chart of the current Venafi component. The address must include a scheme (for example, oci:// ). |
chartRepositoryAuthenticationSecretRef | object | Specify a secret that will be used for authentication with the Helm repository. |
clientID | string | The client ID of the Venafi Control Plane service account used by Venafi Firefly or the Venafi Kubernetes Agent. This is a required field when installing either of those components. |
imageRegistry | string | Override the default location for pulling the container image of the current Venafi component. |
install | boolean | Install the Venafi component and all the necessary dependencies it needs to run properly. |
runtimeConfigMapName | string | The name of a ConfigMap in the namespace where the Operator is installed. This Istio CSR-specific parameter supplies the runtime configuration for that component. |
skip | boolean | Set to `true` to skip the installation of the dependencies of the current component. |
trustDomain | string | The trust domain for the CSI driver for SPIFFE or for Istio CSR. This is a required field when installing either of those components. |
values | object | The Values parameter contains the configuration options for the current component. Refer to the individual Helm values of the Venafi component to understand more about the available options. |
version | string | The version of the Venafi component to install. This should be a semantic version starting with a v prefix, for example v1.0.0. |
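The constraints in the annotation list and the two tables above (a `v`-prefixed semantic version, a scheme on every chart repository address, `clientID` and `acceptTOS` required for Firefly, `clientID` for the Venafi Kubernetes Agent, `trustDomain` for the SPIFFE CSI driver and Istio CSR, `vcpRegion` limited to `us`/`eu`, and `enableDefaultApprover` as a production anti-pattern) are easy to get wrong in a hand-written resource, and the Operator only reports them after you apply it. The following Python script is an added example, not part of the Venafi Control Plane Operator or its documentation, that lints a `VenafiInstall` spec against those rules before `oc apply`. It works on a plain dict such as a YAML loader returns; the `REQUIRED_WHEN_INSTALLED` table is this example's own encoding of the reference, and the two specs at the bottom are constructed for illustration (the first mirrors the sample above, the second deliberately breaks every rule).

```python
import re

# v-prefixed semantic version, as the reference requires (e.g. v1.16.2).
SEMVER_RE = re.compile(r"^v\d+\.\d+\.\d+(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")
# Valid vcpRegion values per the reference; compared case-insensitively.
VALID_VCP_REGIONS = {"us", "eu"}

# Fields the reference marks as required when a component is installed:
# (component key, field, reason). This table is the example's own encoding.
REQUIRED_WHEN_INSTALLED = [
    ("firefly", "clientID", "Venafi Control Plane service account for Firefly"),
    ("venafiKubernetesAgent", "clientID", "Venafi Control Plane service account for the agent"),
    ("certManagerCSIDriverSPIFFE", "trustDomain", "SPIFFE trust domain"),
    ("certManagerIstioCSR", "trustDomain", "Istio CSR trust domain"),
]


def _components(spec):
    """Every top-level mapping under spec except globals is a component."""
    return [(k, v) for k, v in spec.items() if k != "globals" and isinstance(v, dict)]


def _chart_repos(spec):
    """Collect (location, address) for the global and per-component chart repositories."""
    repos = []
    global_repo = spec.get("globals", {}).get("customChartRepository")
    if global_repo:
        repos.append(("globals.customChartRepository", global_repo))
    for name, comp in _components(spec):
        if comp.get("chartRepository"):
            repos.append((f"{name}.chartRepository", comp["chartRepository"]))
    return repos


def validate_spec(spec):
    """Return (errors, warnings) for one VenafiInstall spec dict.

    Errors are violations of rules the reference states; warnings are
    settings that are legal but weaken the install's security posture.
    """
    errors, warnings = [], []
    globals_ = spec.get("globals", {})

    vcp = globals_.get("vcpRegion")
    if vcp is not None and str(vcp).lower() not in VALID_VCP_REGIONS:
        errors.append(f"globals.vcpRegion {vcp!r} is not one of {sorted(VALID_VCP_REGIONS)}")

    # Chart repository addresses must carry a scheme such as oci://.
    for where, repo in _chart_repos(spec):
        if "://" not in str(repo):
            errors.append(f"{where} {repo!r} has no scheme (expected e.g. oci://)")

    # cert-manager's built-in auto-approver bypasses Approver Policy.
    if globals_.get("enableDefaultApprover") is True:
        warnings.append("globals.enableDefaultApprover=true bypasses Approver Policy; "
                        "not recommended for production")

    for name, comp in _components(spec):
        version = comp.get("version")
        if version is not None and not SEMVER_RE.match(str(version)):
            errors.append(f"{name}.version {version!r} must be a v-prefixed semantic version")
        if not comp.get("install"):
            continue  # required fields only matter for components being installed
        for ckey, field, reason in REQUIRED_WHEN_INSTALLED:
            if ckey == name and not comp.get(field):
                errors.append(f"{name}.{field} is required ({reason})")
        if name == "firefly" and comp.get("acceptTOS") is not True:
            errors.append("firefly.acceptTOS must be true to install Firefly")
    return errors, warnings


# Constructed input: the spec from the sample resource, as a YAML loader returns it.
SAMPLE_SPEC = {
    "globals": {
        "customChartRepository": "oci://registry.venafi.cloud/charts",
        "chartRepositoryAuthenticationSecretRef": {"name": "venafi-helm-pull-secret"},
        "customImageRegistry": "private-registry.venafi.cloud",
        "enableDefaultApprover": False,
        "imagePullSecretNames": ["venafi-image-pull-secret"],
        "namespace": "venafi", "useFIPSImages": False, "vcpRegion": "US", "region": "US",
    },
    "certManager": {"install": True, "chartRepository": "oci://registry.venafi.cloud/charts",
                    "version": "v1.16.2"},
    "firefly": {"install": False, "acceptTOS": True,
                "clientID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},
    "certManagerCSIDriverSPIFFE": {"install": False, "trustDomain": "my.trust.domain"},
}

# Constructed input that breaks every documented rule at once.
BROKEN_SPEC = {
    "globals": {"customChartRepository": "registry.venafi.cloud/charts",  # no oci://
                "enableDefaultApprover": True, "vcpRegion": "apac"},
    "certManager": {"install": True, "version": "1.16.2"},  # missing v prefix
    "firefly": {"install": True, "acceptTOS": False},      # no clientID, TOS not accepted
    "certManagerCSIDriverSPIFFE": {"install": True},       # no trustDomain
}

if __name__ == "__main__":
    for label, spec in (("sample", SAMPLE_SPEC), ("broken", BROKEN_SPEC)):
        errs, warns = validate_spec(spec)
        print(f"{label}: {len(errs)} error(s), {len(warns)} warning(s)")
        for msg in errs + warns:
            print("  -", msg)
```

Running it reports no findings for the sample spec and six errors plus one warning for the broken one. The script cannot check what only the cluster knows, such as whether the chart and image pull secrets actually exist in the install namespace; verify those separately with `oc get secret -n venafi` before applying the resource.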