Configuring Venafi Kubernetes Manifest tool¶
The Venafi Kubernetes Manifest utility generates a manifest with the configuration required to install Venafi components in a Kubernetes cluster.
You can add a component to the generated manifest by using the corresponding flag. The Venafi Kubernetes Manifest tool installs dependencies for any requested components by default.
The following example generates a manifest with cert-manager and Venafi Enhanced Issuer:
venctl components kubernetes manifest generate --venafi-enhanced-issuer
In this case, cert-manager is included because Venafi Enhanced Issuer depends on it.
To disable dependency resolution, use the --ignore-dependencies flag. Be careful: this can lead to a broken installation if the required components are not already set up in the correct namespace beforehand.
The generated manifest specifies everything about your installation, so you can inspect exactly what will be applied to the Kubernetes cluster before you apply it.
The Venafi Kubernetes Manifest tool supports two regions for pulling images: "US" and "EU".
The default region is US, but you can choose a region with the --region flag:
venctl components kubernetes manifest generate --region eu --cert-manager
Platform operators can specify exact versions of the Venafi Kubernetes component charts if desired. If no version is specified, a component is installed at the default version that was fixed when the Venafi Kubernetes Manifest binary was built.
If you upgrade to a newer version of the tool, the default versions it installs may change (as new versions of components are released). Pin versions explicitly if you need the same manifest to be reproducible across tool upgrades.
# Pin the venafi-enhanced-issuer to v0.8.0
venctl components kubernetes manifest generate --venafi-enhanced-issuer --venafi-enhanced-issuer-version v0.8.0
All default versions can be viewed with
venctl components kubernetes manifest print-versions
Air-gapped environments and custom registries¶
The Venafi Kubernetes Manifest utility supports pulling images and charts from self-hosted registries, which can be air-gapped if needed.
Both Helm chart repositories and container image registries can be replaced. Either can be overridden for a single component or for all components.
To change the default Helm chart repository for all components, use the --custom-chart-repository flag (shown below).
To change the Helm chart repository for a specific component, use
The Venafi Kubernetes Manifest tool uses the URI scheme to work out how to pull charts, so a custom chart repository must be given with a scheme of "https", "http" or "oci".
venctl components kubernetes manifest generate \
--custom-chart-repository oci://reg.example.com/charts \
In this example, the Venafi Kubernetes Manifest tool pulls cert-manager's chart from the OCI registry at
oci://reg.example.com/charts/cert-manager, and approver-policy's chart from an HTTPS Helm repository at
Setting custom chart repositories changes the names of the environment variables you need to pass to the Venafi CLI so that it can authenticate when pulling charts.
The manifest generated from the example above contains two repositories:
custom, which is the new global default, and
custom-cert-manager-approver-policy for the approver-policy-specific repository.
To specify authentication details for these repositories, use the following environment variables:
Container image registries¶
To change the default container registry from which images are pulled for all components in-cluster, use the --custom-image-registry flag:
To change the registry for a specific component, use
venctl components kubernetes manifest generate \
--custom-image-registry reg.example.com/venafi-images \
In this example, the Venafi Kubernetes Manifest tool pulls cert-manager images from
reg.example.com/venafi-images (reg.example.com/venafi-images/cert-manager-controller, among others). It pulls images for Venafi Enhanced Issuer from
You must ensure that the appropriate image pull secrets are configured in your cluster before you apply your generated manifest; otherwise the component pods will fail to start with ImagePullBackOff.
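In an air-gapped cluster, a single chart or image reference that still points at a public registry will break the install at apply time, so it is worth checking the generated manifest before applying it. The script below is an added example, not venctl's own code: it lists every chart or image reference in a YAML manifest whose host is not the registry you passed. It assumes references live on `url:`, `repository:`, `registry:`, `image:` or `chart:` lines; the sample manifest it scans is constructed here for illustration and is not real venctl output.

```shell
#!/usr/bin/env bash
# Added example (not venctl's own code): find chart/image references in a generated
# manifest that do NOT point at your private registry, before you apply it.
set -euo pipefail

# Regex for host[:port][/path][:tag], optionally prefixed by a scheme (oci://, https://).
# The host must end in a letters-only label so version strings like v1.14.0 are not mistaken for hosts.
REF_RE='([a-z]+://)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}(:[0-9]+)?(/[A-Za-z0-9._/-]*)?(:[A-Za-z0-9._-]+)?'

# list_external_refs MANIFEST ALLOWED_HOST
# Prints each reference whose host is not ALLOWED_HOST, one per line (nothing if all are internal).
list_external_refs() {
  local manifest="$1" allowed="$2" allowed_re
  allowed_re="$(printf '%s' "$allowed" | sed 's/\./\\./g')"   # escape dots for the regex
  # Only look at keys that carry chart or image locations (assumed manifest shape).
  grep -E '^[[:space:]]*(-[[:space:]]*)?(url|repository|registry|image|chart):' "$manifest" \
    | grep -Eo "$REF_RE" \
    | grep -Ev "^([a-z]+://)?${allowed_re}(:[0-9]+)?(/|:|$)" || true
}

# count_external_refs MANIFEST ALLOWED_HOST -> number of offending references
count_external_refs() {
  list_external_refs "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample manifest: two references point at the private registry,
# one chart repository and one image still point at public hosts.
SAMPLE="$(mktemp)"
cat >"$SAMPLE" <<'EOF'
# constructed sample, not real venctl output
repositories:
  - name: custom
    url: oci://reg.example.com/charts
  - name: custom-cert-manager-approver-policy
    url: https://charts.example.org/approver-policy
releases:
  - name: cert-manager
    chart: custom/cert-manager
    values:
      - image:
          repository: reg.example.com/venafi-images/cert-manager-controller
      - webhook:
          image:
            repository: quay.io/jetstack/cert-manager-webhook
EOF

echo "References outside reg.example.com:"
list_external_refs "$SAMPLE" reg.example.com
echo "count: $(count_external_refs "$SAMPLE" reg.example.com)"
```

Run it against the file venctl actually wrote (replacing the constructed sample), and treat a non-zero count as a stop condition: either the wrong flag was used for that component, or a dependency was pulled in with default locations.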
Your generated manifest has some Helm values set, such as updated image pull locations and best-practice settings. The Helm charts you are installing may also offer many other options, which you can configure through
Each component can have its own values files added. These files are loaded when the manifest is applied to a cluster, so the path to each file must be relative to the manifest.
You can add custom values files by passing a comma-separated list of files to a flag of the form
--<component-name>-values-files a.yaml,folder/b.yaml. For example:
# a.yaml sets the number of trust-manager replicas to 2
venctl components kubernetes manifest generate --approver-policy --trust-manager --trust-manager-values-files a.yaml
Venafi provides FIPS-compliant builds of most enterprise Kubernetes components. If you run in an environment that requires FIPS compliance, you can request the FIPS versions of components when generating the manifest:
venctl components kubernetes manifest generate --cert-manager --approver-policy-enterprise --trust-manager --use-fips-images
By default, all components are installed into the venafi namespace. To change the target namespace, generate the manifest with the --namespace flag:
venctl components kubernetes manifest generate --venafi-enhanced-issuer --namespace mynamespace
Custom image pull secret names¶
By default, the Venafi Kubernetes Manifest tool expects an image pull secret called venafi-image-pull-secret to be present in the install namespace.
If you want to use a custom name for that secret, or if you need to pass multiple secrets, specify the names when generating your manifest:
# Pass a single image pull secret to override the default
venctl components kubernetes manifest generate --image-pull-secret-names mysecret
# Pass multiple image pull secrets in a comma separated list - all secrets will be used
venctl components kubernetes manifest generate --image-pull-secret-names mysecret,someothersecret
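Whatever names you pass, the secrets themselves must exist in the install namespace before the manifest is applied. The script below is an added example, not venctl's own code: it builds the kubernetes.io/dockerconfigjson Secret a private registry needs, in the shape kubectl would produce, so you can review or commit it before applying. The registry host, user and password are placeholders to substitute, and the secret name matches venctl's default so the generated manifest needs no --image-pull-secret-names override.

```shell
#!/usr/bin/env bash
# Added example (not venctl's own code): emit the image pull Secret the generated
# manifest expects. Equivalent to:
#   kubectl create secret docker-registry venafi-image-pull-secret \
#     --docker-server=reg.example.com --docker-username=... --docker-password=... -n venafi
set -euo pipefail

# Single-line base64 that works with both GNU and BSD base64.
b64() { base64 | tr -d '\n'; }

# dockerconfig_json SERVER USER PASSWORD -> the JSON Docker keeps in ~/.docker/config.json
# (values are not JSON-escaped, so avoid quotes/backslashes in the password).
dockerconfig_json() {
  local server="$1" user="$2" pass="$3" auth
  auth="$(printf '%s:%s' "$user" "$pass" | b64)"
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$server" "$user" "$pass" "$auth"
}

# pull_secret_yaml NAME NAMESPACE SERVER USER PASSWORD -> Secret manifest on stdout
pull_secret_yaml() {
  local name="$1" ns="$2" data
  data="$(dockerconfig_json "$3" "$4" "$5" | b64)"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${data}
EOF
}

# Placeholders: private registry, a read-only robot account, and venctl's default
# secret name in the default venafi namespace. Pipe the output into kubectl apply -f -.
pull_secret_yaml venafi-image-pull-secret venafi reg.example.com robot-reader 'replace-me'
```

Use a registry credential that can only pull, and create one Secret per registry if components come from more than one; the names of all of them then go into --image-pull-secret-names as a comma-separated list.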