
Configuring Venafi Kubernetes Manifest tool

Choosing components

The Venafi Kubernetes Manifest utility generates a manifest with the configuration required to install Venafi components in a Kubernetes cluster.

You can add a component to the generated manifest by using the corresponding flag. The Venafi Kubernetes Manifest tool installs dependencies for any requested components by default.

The following example generates a manifest with cert-manager and Venafi Enhanced Issuer:

venctl components kubernetes manifest generate --venafi-enhanced-issuer

In this case, cert-manager is included because Venafi Enhanced Issuer depends on it.

To disable dependency resolution, use the --ignore-dependencies flag, but be careful: this can lead to a broken installation if the required components have not already been set up in the correct namespace beforehand.

The generated manifest specifies everything about your installation, allowing you to inspect what is applied to the Kubernetes cluster later on.

Regions

The Venafi Kubernetes Manifest tool supports different regions for pulling images: "US" and "EU".

The default region is US but you can choose a region using the --region flag:

venctl components kubernetes manifest generate --region eu --cert-manager

Version pinning

Platform operators can specify exact versions of Venafi Kubernetes components charts if desired. If no version is specified, an installed component uses the default version specified when the Venafi Kubernetes Manifest binary was built.

If you upgrade to a newer version of the tool, the default versions it installs may change (as new versions of components are released).

# Pin the venafi-enhanced-issuer to v0.8.0
venctl components kubernetes manifest generate --venafi-enhanced-issuer --venafi-enhanced-issuer-version v0.8.0

All default versions can be viewed with venctl components kubernetes manifest print-versions

Air-gapped environments and custom registries

The Venafi Kubernetes Manifest utility supports pulling images and charts from self-hosted registries, which can be air-gapped if needed.

Both Helm chart repositories and container image registries can be replaced. Both can be done on a per-component or cluster-wide basis.

Helm repositories

To change the default Helm chart repository for all components use --custom-chart-repository.

To change the Helm chart repository for a specific component, use --<name>-custom-chart-repository.

The Venafi Kubernetes Manifest tool uses a URI scheme to work out how to pull charts. Setting a custom chart repository requires you to specify a scheme of either "https", "http" or "oci".

For example:

venctl components kubernetes manifest generate \
  --custom-chart-repository oci://reg.example.com/charts \
  --cert-manager \
  --approver-policy-custom-chart-repository https://my-charts.example.com/

In this example, the Venafi Kubernetes Manifest tool pulls cert-manager's chart from an OCI registry at oci://reg.example.com/charts/cert-manager, and approver-policy's chart from an HTTPS Helm repository at https://my-charts.example.com/approver-policy.

Note

Setting custom chart repositories changes the names of the environment variables you need to pass into the Venafi CLI for authentication when pulling charts.

The manifest generated from the example above contains two repositories: custom, which is the new global default, and custom-cert-manager-approver-policy for the approver-policy-specific repository.

To specify authentication details for these repositories, use the following environment variables:

CUSTOM_USERNAME=xxx
CUSTOM_PASSWORD=yyy

CUSTOM_CERT_MANAGER_APPROVER_POLICY_USERNAME=aaa
CUSTOM_CERT_MANAGER_APPROVER_POLICY_PASSWORD=bbb
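A pre-flight check before running venctl, added here as an example and not part of the Venafi CLI or its documentation: it derives the credential variable names for each custom chart repository and refuses to continue if any is unset. The naming rule it applies (repository name upper-cased, dashes replaced with underscores, suffixed with _USERNAME and _PASSWORD) is inferred from the two repositories shown above, "custom" and "custom-cert-manager-approver-policy"; the credential values in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not venctl's own code. Verifies that the authentication variables for
# every custom chart repository are exported before the manifest is generated, so a
# missing credential surfaces here instead of as a failed chart pull later.

# Print the environment-variable prefix for a repository name; the rule is inferred
# from the documented examples (custom -> CUSTOM,
# custom-cert-manager-approver-policy -> CUSTOM_CERT_MANAGER_APPROVER_POLICY).
repo_env_prefix() {
    printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_'
}

# Return 0 when both <PREFIX>_USERNAME and <PREFIX>_PASSWORD are set and non-empty,
# 1 otherwise, naming each missing variable on stderr.
check_repo_credentials() {
    prefix=$(repo_env_prefix "$1")
    missing=0
    for suffix in USERNAME PASSWORD; do
        var="${prefix}_${suffix}"
        # eval only dereferences a computed variable name; after tr above the name
        # consists solely of upper-case letters, digits and underscores.
        eval "value=\${$var:-}"
        if [ -z "$value" ]; then
            echo "missing or empty: $var (needed for chart repository '$1')" >&2
            missing=1
        fi
    done
    return $missing
}

# Check every repository named on the venctl command line; return 1 if any fails.
check_all_repo_credentials() {
    rc=0
    for repo in "$@"; do
        check_repo_credentials "$repo" || rc=1
    done
    return $rc
}

# Demo with constructed placeholder values. In real use these come from a secret
# store or CI secret injection, never from the script itself.
export CUSTOM_USERNAME=xxx CUSTOM_PASSWORD=yyy
export CUSTOM_CERT_MANAGER_APPROVER_POLICY_USERNAME=aaa
export CUSTOM_CERT_MANAGER_APPROVER_POLICY_PASSWORD=bbb

if check_all_repo_credentials custom custom-cert-manager-approver-policy; then
    echo "credentials present for both repositories; safe to run venctl ... manifest generate"
fi

# The same check with one password deliberately removed reports the gap and fails.
unset CUSTOM_CERT_MANAGER_APPROVER_POLICY_PASSWORD
check_all_repo_credentials custom custom-cert-manager-approver-policy \
    || echo "aborting: fix the variables above before generating the manifest"
export CUSTOM_CERT_MANAGER_APPROVER_POLICY_PASSWORD=bbb
```

Run it in the same shell session (or CI step) that will invoke venctl, since only that environment's variables matter; wiring the check in front of the generate command keeps a typo in a variable name from silently producing a manifest whose charts cannot be fetched.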

Container image registries

To change the default container registry for pulling images for all components in-cluster, use --custom-image-registry.

To change the registry for a specific component, use --<name>-custom-image-registry.

For example:

venctl components kubernetes manifest generate \
  --custom-image-registry reg.example.com/venafi-images \
  --cert-manager \
  --venafi-enhanced-issuer-custom-image-registry reg2.example.net/vei

In this example, the Venafi Kubernetes Manifest tool pulls cert-manager images from reg.example.com/venafi-images/ (e.g. reg.example.com/venafi-images/cert-manager-controller, among others). It pulls images for Venafi Enhanced Issuer from reg2.example.net/vei.

You must ensure that you have the appropriate image pull secrets configured in your cluster before you apply your generated manifest.
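An added example (not part of venctl or its documentation) of the check a platform operator would run after rendering the components for an air-gapped cluster: it lists every container image referenced in a Kubernetes manifest and fails if any one of them is not pulled from the approved registry prefix. It assumes the input is plain Kubernetes YAML (for instance workload resources rendered with helm template or read back with kubectl get -o yaml), not the venctl-specific manifest whose internal format this page does not describe; the sample manifest in the block is constructed for the demo.

```shell
#!/bin/sh
# Added example, not venctl's own code. Confirms that a rendered manifest references
# only images under the registry that --custom-image-registry was pointed at, so a
# stray public-registry reference is caught before the manifest is applied.

# Print the value of every "image:" key in a YAML file, one per line, with any
# surrounding quotes removed. Handles both "image: x" and "- image: x" forms.
list_images() {
    awk '
        $1 == "image:"              { v = $2 }
        $1 == "-" && $2 == "image:" { v = $3 }
        v != ""                     { print v; v = "" }
    ' "$1" | tr -d "\"'"
}

# Return 0 if every image in the manifest ($1) lives under the allowed registry
# prefix ($2), 1 otherwise, printing each offending reference on stderr.
check_image_registry() {
    manifest=$1
    allowed=$2
    rc=0
    for img in $(list_images "$manifest"); do
        case "$img" in
            "$allowed"/*) ;;
            *) echo "image outside $allowed: $img" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Write a constructed two-Deployment manifest (not real venctl output) to a temp file
# and print its path. $1 is the image of the second container, so the check can be
# exercised with both a compliant and a non-compliant reference.
write_sample_manifest() {
    f=$(mktemp)
    cat > "$f" <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: venafi
spec:
  template:
    spec:
      imagePullSecrets:
        - name: venafi-image-pull-secret
      containers:
        - name: cert-manager-controller
          image: reg.example.com/venafi-images/cert-manager-controller:v1.2.3
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook
  namespace: venafi
spec:
  template:
    spec:
      imagePullSecrets:
        - name: venafi-image-pull-secret
      containers:
        - name: cert-manager-webhook
          image: "$1"
EOF
    echo "$f"
}

# Demo: a manifest pulling only from the custom registry passes; one that still
# references Docker Hub for the webhook is rejected.
good=$(write_sample_manifest reg.example.com/venafi-images/cert-manager-webhook:v1.2.3)
stray=$(write_sample_manifest docker.io/library/cert-manager-webhook:v1.2.3)
check_image_registry "$good" reg.example.com/venafi-images \
    && echo "all images pulled from reg.example.com/venafi-images"
check_image_registry "$stray" reg.example.com/venafi-images \
    || echo "manifest references an image outside the approved registry"
rm -f "$good" "$stray"
```

Run it once per custom registry when components use different ones (for example reg.example.com/venafi-images for cert-manager and reg2.example.net/vei for Venafi Enhanced Issuer), feeding each the resources of the components that should use that registry. The same listing makes it easy to confirm that every image the cluster will try to pull is one the configured image pull secret can actually authenticate to.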

Custom values.yaml files

Your generated manifest has some Helm values set, such as updated image pull locations and best practices. The actual Helm charts you are installing may also have many other options available which you can configure through values.yaml files.

Each component can have its own values files added. These files are loaded when the manifest is applied to a cluster, and so the path to the file must be relative to the manifest.

You can add custom values files by passing a comma-separated list of files in a flag like --<component-name>-values-files a.yaml,folder/b.yaml. For example:

# a.yaml
# Set the number of trust-manager replicas to 2
replicaCount: 2

# Generate the manifest, loading a.yaml as extra Helm values for trust-manager
venctl components kubernetes manifest generate --approver-policy --trust-manager --trust-manager-values-files a.yaml

FIPS Images

Venafi provides FIPS-compliant builds of most enterprise Kubernetes components. If you run in an environment which requires FIPS compliance, you can request FIPS versions of components using the Venafi Kubernetes Manifest generator.

venctl components kubernetes manifest generate --cert-manager --approver-policy-enterprise --trust-manager --use-fips-images

Custom namespaces

By default all modules are installed to the venafi namespace. To change the target namespace, generate the manifest with the --namespace option:

venctl components kubernetes manifest generate --venafi-enhanced-issuer --namespace mynamespace

Custom image pull secret names

By default, the Venafi Kubernetes Manifest tool expects an image pull secret called venafi-image-pull-secret to be present in the install namespace.

If you want to use a custom name for that secret, or if you need to pass multiple secrets, do this when generating your manifest:

# Pass a single image pull secret to override the default
venctl components kubernetes manifest generate --image-pull-secret-names mysecret

# Pass multiple image pull secrets in a comma-separated list - all secrets will be used
venctl components kubernetes manifest generate --image-pull-secret-names mysecret,someothersecret