
Venafi Control Plane Operator API reference

Venafi Control Plane Operator for Red Hat OpenShift is configured with VenafiInstall custom resources: each one declares, under spec, the global settings and the Venafi components the Operator should install and manage.

Sample VenafiInstall custom resource

The snippet below shows a VenafiInstall custom resource with the most commonly used parameters. The numbered callouts are explained after the manifest.

venafi-components.yaml
apiVersion: installer.venafi.com/v1alpha1
kind: VenafiInstall
metadata:
  name: venafi-components
spec:
  globals: # (1)!
    customChartRepository: oci://registry.venafi.cloud/charts # (2)!
    chartRepositoryAuthenticationSecretRef:
      name: venafi-helm-pull-secret # (3)!
    customImageRegistry: private-registry.venafi.cloud # (4)!
    enableDefaultApprover: false # (5)!
    imagePullSecretNames: [venafi-image-pull-secret] # (6)!
    namespace: venafi # (7)!
    useFIPSImages: false # (8)!
    vcpRegion: US # (9)!
    region: US # (10)!
  certManager: # (11)!
    install: true # (12)!
    chartRepository: oci://registry.venafi.cloud/charts # (13)!
    imageRegistry: private-registry.venafi.cloud/cert-manager # (14)!
    skip: false # (15)!
    values: # (16)!
      tolerations: # (17)!
      - key: node-role.kubernetes.io/infra
        operator: Exists
        effect: NoSchedule
      - key: node-role.kubernetes.io/private
        operator: Exists
        effect: NoSchedule
    version: v1.16.2 # (18)!
  approverPolicyEnterprise:
    install: false
  firefly:
    install: false
    acceptTOS: true # (19)!
    clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # (20)!
  trustManager:
    install: false
  venafiKubernetesAgent:
    install: false
    clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # (21)!
  venafiEnhancedIssuer:
    install: false
  certManagerCSIDriverSPIFFE:
    install: false
    trustDomain: my.trust.domain # (22)!
  certManagerIstioCSR:
    install: false
    trustDomain: example.com # (23)!
    runtimeConfigMapName: configmap-in-install-namespace # (24)!
  openshiftRoutes:
    install: false

1. The global parameters. They apply to every component unless a component overrides them with its own setting.
2. Override the default location for pulling Venafi component Helm charts. This setting applies to all components unless individually configured. Leaving it blank uses the default registry per component. The address must include a scheme (for example, oci://).
3. The secret used to authenticate to the Helm chart repository. The secret named here must exist in the namespace set under spec.globals.namespace (venafi by default).
4. Override the default location for pulling Venafi component images. This setting applies to all components unless individually configured. Leaving it blank uses the default registry per component.
5. Setting this to true enables cert-manager's built-in auto-approver, which approves every certificate request without any policy check. That removes the need to install a more granular Approver Policy component, but an approver policy is the recommended setup for production, so leave this false there.
6. A list of image pull secret names used to pull the container images of the Venafi components. The default value is [venafi-image-pull-secret]. Kubernetes resolves image pull secrets in the pod's own namespace, so create them in the install namespace.
7. The namespace where all Venafi components are installed. The default namespace is venafi.
8. Setting this option to true uses FIPS-compliant container images for the Venafi components that provide them, restricting them to FIPS-approved cryptography.
9. The region of your Venafi Control Plane tenant. Components that talk to Venafi Control Plane, such as the Venafi Kubernetes Agent, use it. Valid options are us and eu.
10. The region to pull container images from, for all components. The default value is us.
11. The Venafi components managed by Venafi Control Plane Operator. Every key under spec other than globals selects one component.
12. Install the Venafi component together with the dependencies it needs to run properly.
13. Override the location for pulling the Helm chart of this component; it takes precedence over spec.globals.customChartRepository. The address must include a scheme (for example, oci://).
14. Override the location for pulling the container image of this component; it takes precedence over spec.globals.customImageRegistry.
15. Set to true to skip the installation of this component's dependencies.
16. The values parameter carries the Helm configuration of this component. Refer to the Helm values of the individual Venafi component for the available options.
17. Example tolerations for the component's pods; here they allow cert-manager to be scheduled onto nodes carrying the infra or private taints.
18. The version of the Venafi component to install. This must be a semantic version with a v prefix, for example v1.0.0.
19. Accept the terms of service for Venafi Firefly. To view the terms of service, see the end user license agreement. Must be true to install Firefly.
20. The client ID of the Venafi Control Plane service account used by Venafi Firefly. Required when installing Firefly.
21. The client ID of the Venafi Control Plane service account used by the Venafi Kubernetes Agent. Required when installing the agent.
22. The SPIFFE trust domain for the CSI driver for SPIFFE. Required when installing that driver.
23. The trust domain for Istio CSR. Required when installing Istio CSR.
24. The name of a ConfigMap in the namespace where you installed the Operator, used as the runtime configuration of Istio CSR.

Global parameters

| Parameter | Type | Description |
|---|---|---|
| customChartRepository | string | Override the default location for pulling Venafi component Helm charts. This setting applies to all components unless individually configured. Leaving it blank uses the default registry per component. The address must include a scheme (for example, oci://). |
| chartRepositoryAuthenticationSecretRef | object | A reference (by name) to the secret used to authenticate to the Helm repository. The secret must exist in the namespace set by namespace. |
| customImageRegistry | string | Override the default location for pulling Venafi component images. This setting applies to all components unless individually configured. Leaving it blank uses the default registry per component. |
| enableDefaultApprover | boolean | Setting this to true enables cert-manager's built-in auto-approver, which approves every certificate request without a policy check. This removes the need to install a more granular Approver Policy component, but an approver policy is the recommended setup for production. |
| imagePullSecretNames | list of strings | The image pull secrets used to pull the container images of the Venafi components. The default value is [venafi-image-pull-secret]. |
| namespace | string | The namespace where all Venafi components are installed. The default namespace is venafi. |
| region | string | The region to pull container images from, for all components. The default value is us. |
| useFIPSImages | boolean | Setting this option to true uses FIPS-compliant container images for the Venafi components that provide them, restricting them to FIPS-approved cryptography. |
| vcpRegion | string | The region of your Venafi Control Plane tenant, used by components that talk to Venafi Control Plane such as the Venafi Kubernetes Agent. Valid options are us and eu. |

Component name parameters

The following keys under spec of the VenafiInstall custom resource select the Venafi Kubernetes component you want to install:

| Parameter | Component |
|---|---|
| certManagerApproverPolicy | Approver Policy |
| approverPolicyEnterprise | Approver Policy Enterprise |
| awsPrivateCAIssuer | AWS Private CA Issuer |
| certManager | cert-manager |
| certManagerCSIDriver | CSI driver |
| certManagerCSIDriverSPIFFE | CSI driver for SPIFFE |
| certManagerIstioCSR | Istio CSR |
| firefly | Firefly |
| openshiftRoutes | OpenShift Routes |
| trustManager | Trust Manager |
| venafiKubernetesAgent | Venafi Kubernetes Agent |
| venafiConnection | Venafi Connection |
| venafiEnhancedIssuer | Venafi Enhanced Issuer |

Component install parameters

These are the parameters you can set for installing each component:

| Parameter | Type | Description |
|---|---|---|
| acceptTOS | boolean | Accept the terms of service for Venafi Firefly. To view the terms of service, see the end user license agreement. This Firefly-specific parameter must be set to true to install Firefly. |
| chartRepository | string | Override the default location for pulling the Helm chart of the current Venafi component. Takes precedence over the global customChartRepository. The address must include a scheme (for example, oci://). |
| chartRepositoryAuthenticationSecretRef | object | A reference (by name) to the secret used to authenticate to the Helm repository of the current component. |
| clientID | string | The client ID of the Venafi Control Plane service account for Venafi Firefly or the Venafi Kubernetes Agent. Required when installing either of those components. |
| imageRegistry | string | Override the default location for pulling the container image of the current Venafi component. Takes precedence over the global customImageRegistry. |
| install | boolean | Install the Venafi component and all the dependencies it needs to run properly. |
| runtimeConfigMapName | string | The name of a ConfigMap in the namespace where the Operator is installed, used as the runtime configuration of Istio CSR. |
| skip | boolean | Set to true to skip the installation of the dependencies of the current component. |
| trustDomain | string | The trust domain for the CSI driver for SPIFFE or for Istio CSR. Required when installing either of those components. |
| values | object | The Helm configuration options for the current component. Refer to the Helm values of the individual Venafi component for the available options. |
| version | string | The version of the Venafi component to install. This must be a semantic version with a v prefix, for example v1.0.0. |
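The rules spread across the callouts and the two parameter tables (a scheme on chart repositories, v-prefixed versions, valid regions, the per-component required fields, and the default-approver caveat) are easy to get wrong before the Operator reports anything. The following pre-flight lint is an added example, not code from Venafi or the Operator: it takes an already-parsed VenafiInstall manifest (a dict, for example the result of yaml.safe_load on the YAML file) and returns the violations it finds. The function name lint_venafi_install and both embedded manifests are mine; the first manifest is the dict form of the sample above, the second is constructed to break several rules. Comparing regions case-insensitively is an assumption, because the sample uses US while the text lists us and eu.

```python
"""Pre-flight lint for a parsed VenafiInstall custom resource (added example, not
Operator code). Checks the rules stated in the Operator API reference."""
import re
from typing import Any, Dict, List

SEMVER_RE = re.compile(r"^v\d+\.\d+\.\d+$")                   # v1.0.0 style, as required
PLACEHOLDER_ID = re.compile(r"^x{8}-x{4}-x{4}-x{4}-x{12}$")    # the doc's unfilled clientID
VALID_REGIONS = {"us", "eu"}   # assumption: compared case-insensitively (sample uses "US")
NEEDS_CLIENT_ID = {"firefly", "venafiKubernetesAgent"}
NEEDS_TRUST_DOMAIN = {"certManagerCSIDriverSPIFFE", "certManagerIstioCSR"}
# Components that can approve CertificateRequests instead of the built-in auto-approver.
APPROVER_COMPONENTS = {"certManagerApproverPolicy", "approverPolicyEnterprise"}


def lint_venafi_install(cr: Dict[str, Any]) -> List[str]:
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means the manifest is clean."""
    findings: List[str] = []
    spec = cr.get("spec") or {}
    g = spec.get("globals") or {}
    components = {k: v for k, v in spec.items() if k != "globals" and isinstance(v, dict)}
    installed = {name for name, c in components.items() if c.get("install") is True}

    repo = g.get("customChartRepository")
    if repo and "://" not in repo:
        findings.append("ERROR: spec.globals.customChartRepository must include a scheme such as oci://")
    for field in ("vcpRegion", "region"):
        val = g.get(field)
        if val is not None and str(val).lower() not in VALID_REGIONS:
            findings.append(f"ERROR: spec.globals.{field}={val!r} is not one of us, eu")

    # The built-in approver approves every CertificateRequest without a policy check;
    # disabling it without an approver policy component leaves nothing to approve requests.
    if g.get("enableDefaultApprover") is True:
        findings.append("WARN: enableDefaultApprover=true auto-approves every CertificateRequest; "
                        "use an approver policy component in production")
    elif "certManager" in installed and not (installed & APPROVER_COMPONENTS):
        findings.append("WARN: cert-manager is installed with the default approver disabled and no "
                        "approver policy component; CertificateRequests will stay unapproved")

    for name, c in components.items():
        prefix = f"spec.{name}"
        repo = c.get("chartRepository")
        if repo and "://" not in repo:
            findings.append(f"ERROR: {prefix}.chartRepository must include a scheme such as oci://")
        version = c.get("version")
        if version is not None and not SEMVER_RE.match(str(version)):
            findings.append(f"ERROR: {prefix}.version={version!r} must be a v-prefixed semantic version")
        if name not in installed:
            continue  # required fields only matter for components that will be installed
        if name in NEEDS_CLIENT_ID:
            cid = c.get("clientID")
            if not cid or PLACEHOLDER_ID.match(str(cid)):
                findings.append(f"ERROR: {prefix}.clientID (service account client ID) is missing or a placeholder")
        if name == "firefly" and c.get("acceptTOS") is not True:
            findings.append("ERROR: spec.firefly.acceptTOS must be true to install Firefly")
        if name in NEEDS_TRUST_DOMAIN and not c.get("trustDomain"):
            findings.append(f"ERROR: {prefix}.trustDomain is required")
    return findings


# Constructed: the dict form of the venafi-components.yaml sample in this reference.
SAMPLE_CR: Dict[str, Any] = {
    "apiVersion": "installer.venafi.com/v1alpha1", "kind": "VenafiInstall",
    "metadata": {"name": "venafi-components"},
    "spec": {
        "globals": {"customChartRepository": "oci://registry.venafi.cloud/charts",
                    "enableDefaultApprover": False, "namespace": "venafi",
                    "useFIPSImages": False, "vcpRegion": "US", "region": "US"},
        "certManager": {"install": True, "chartRepository": "oci://registry.venafi.cloud/charts",
                        "version": "v1.16.2"},
        "approverPolicyEnterprise": {"install": False},
        "firefly": {"install": False, "acceptTOS": True,
                    "clientID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},
        "certManagerIstioCSR": {"install": False, "trustDomain": "example.com"},
    },
}

# Constructed: a manifest that breaks several of the stated rules at once.
WEAK_CR: Dict[str, Any] = {
    "kind": "VenafiInstall", "metadata": {"name": "weak"},
    "spec": {
        "globals": {"enableDefaultApprover": True, "vcpRegion": "ap"},
        "certManager": {"install": True, "chartRepository": "registry.venafi.cloud/charts",
                        "version": "1.16.2"},
        "firefly": {"install": True, "clientID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},
        "certManagerIstioCSR": {"install": True},
    },
}

if __name__ == "__main__":
    for label, cr in (("sample", SAMPLE_CR), ("weak", WEAK_CR)):
        findings = lint_venafi_install(cr)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

Run against the sample manifest the lint reports a single warning: cert-manager is installed, enableDefaultApprover is false, and no approver policy component is installed, so nothing would approve certificate requests until approverPolicyEnterprise (or certManagerApproverPolicy) is enabled. The constructed weak manifest yields six errors and one warning, which is the point of running such a check before kubectl apply rather than discovering each problem from the Operator's status one at a time.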