
Installing cert-manager using Helm and Venafi OCI registries

Note

For information about different installation options, see the cert-manager open-source documentation Installing cert-manager with Helm.

This section discusses installing cert-manager using Helm.

Step 1: Configure access to the Venafi OCI registry

Configure access to the Venafi OCI registry. Follow the instructions in Configuring access to the Venafi OCI Registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.

The sample files below assume that you created a Kubernetes Secret named venafi-image-pull-secret in the venafi namespace.

Step 2: (Optional) Configure custom CA bundles

If you are using the open-source Venafi issuer rather than Venafi Enhanced Issuer, there are two ways of setting up a custom CA bundle for use with TLS Protect Datacenter or Venafi Control Plane.

You can add the base64-encoded CA bundle directly into the Issuer or ClusterIssuer manifest:

apiVersion: cert-manager.io/v1
kind: Issuer
spec:
  venafi:
    tpp:
      caBundle: <base64 encoded string of caBundle PEM file>

Alternatively, you can load the CA bundle from a ConfigMap:

  1. First, use kubectl to add the custom CA bundle to a ConfigMap. The key (ca-cert.crt here) must match the subPath used in the volumeMount in the next step:

    kubectl --namespace venafi create configmap ca-cert --from-file=ca-cert.crt=<file-name>
    
  2. Configure the volumes and volumeMounts in a cert-manager-ca-certificates.values.yaml file:

    cert-manager-ca-certificates.values.yaml
    volumes:
      - name: ca-cert
        configMap:
          name: ca-cert
    volumeMounts:
      - name: ca-cert
        mountPath: /etc/ssl/certs/ca-cert.crt
        subPath: ca-cert.crt
        readOnly: true
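
Both options above are easy to get subtly wrong: a truncated PEM file, a caBundle value that is not the base64 of the PEM text, or a ConfigMap key that does not match the volumeMount's subPath. The shell helpers below are an added example and not part of the Venafi documentation: they validate a bundle, produce the one-line base64 value for caBundle, and render the ConfigMap declaratively so the key is visible next to the subPath it must equal. The function names and the constructed sample bundle (placeholder bodies, not real certificates) are assumptions; only POSIX sh, grep, sed, base64, tr and mktemp are used.

```shell
#!/bin/sh
# Added example (not from the Venafi documentation): helpers for Step 2.
# Only POSIX sh, grep, sed, base64, tr and mktemp are used; function names
# and the sample bundle are constructed for this example.

# pem_cert_count FILE: print the number of certificate blocks in a PEM
# bundle; fail when the file is unreadable, holds no certificate, or a
# BEGIN line has no matching END line (a truncated or mangled bundle).
pem_cert_count() {
  [ -r "$1" ] || return 1
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
  printf '%s\n' "$begins"
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# encode_ca_bundle FILE: the whole PEM file as a single base64 line, which is
# what spec.venafi.tpp.caBundle expects. Encode the PEM text itself, not a
# DER file and not a value that is already base64.
encode_ca_bundle() {
  pem_cert_count "$1" >/dev/null || return 1
  base64 < "$1" | tr -d '\n'
  printf '\n'
}

# render_ca_configmap FILE KEY: the declarative equivalent of
#   kubectl --namespace venafi create configmap ca-cert --from-file=KEY=FILE
# KEY must be the same string as the volumeMount's subPath (ca-cert.crt on
# this page); with a mismatch the mount cannot be satisfied and the
# container does not get the file.
render_ca_configmap() {
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: ca-cert\n  namespace: venafi\ndata:\n  %s: |\n' "$2"
  sed 's/^/    /' "$1"
}

# make_sample_bundle FILE: a constructed two-block bundle whose bodies are
# placeholders, not real certificates, so the helpers can be exercised offline.
make_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI=
-----END CERTIFICATE-----
EOF
}

demo() {
  bundle=$(mktemp)
  make_sample_bundle "$bundle"
  printf 'certificates in bundle: %s\n' "$(pem_cert_count "$bundle")"
  printf 'caBundle: %s\n' "$(encode_ca_bundle "$bundle")"
  render_ca_configmap "$bundle" ca-cert.crt
  rm -f "$bundle"
}
demo
```

Run with a real bundle as `encode_ca_bundle /path/to/ca.pem` to get the value for the caBundle field, or `render_ca_configmap /path/to/ca.pem ca-cert.crt | kubectl apply -f -` in place of the kubectl create command.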
    

Step 3: Install cert-manager using Helm

  1. To install cert-manager in the venafi namespace, and configure it to use the pull-secret, create a file cert-manager.values.yaml containing the following content.

    A sample cert-manager.values.yaml for users of the US region OCI registry:

    cert-manager.values.yaml
    global:
      imagePullSecrets:
        - name: venafi-image-pull-secret
    
    crds:
      enabled: true
    
    image:
      repository: private-registry.venafi.cloud/cert-manager/cert-manager-controller
    
    acmesolver:
      image:
        repository: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver
    
    webhook:
      image:
        repository: private-registry.venafi.cloud/cert-manager/cert-manager-webhook
    
    cainjector:
      image:
        repository: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector
    
    startupapicheck:
      image:
        repository: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck
    

    A sample cert-manager.values.yaml for users of the EU region OCI registry:

    cert-manager.values.yaml
    global:
      imagePullSecrets:
        - name: venafi-image-pull-secret
    
    crds:
      enabled: true
    
    image:
      repository: private-registry.venafi.eu/cert-manager/cert-manager-controller
    
    acmesolver:
      image:
        repository: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver
    
    webhook:
      image:
        repository: private-registry.venafi.eu/cert-manager/cert-manager-webhook
    
    cainjector:
      image:
        repository: private-registry.venafi.eu/cert-manager/cert-manager-cainjector
    
    startupapicheck:
      image:
        repository: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck
    

    A sample cert-manager.values.yaml for users with their own OCI registry:

    cert-manager.values.yaml
    global:
      imagePullSecrets:
        - name: venafi-image-pull-secret
    
    crds:
      enabled: true
    
    image:
      repository: myregistry.example.com/cert-manager/cert-manager-controller
    
    acmesolver:
      image:
        repository: myregistry.example.com/cert-manager/cert-manager-acmesolver
    
    webhook:
      image:
        repository: myregistry.example.com/cert-manager/cert-manager-webhook
    
    cainjector:
      image:
        repository: myregistry.example.com/cert-manager/cert-manager-cainjector
    
    startupapicheck:
      image:
        repository: myregistry.example.com/cert-manager/cert-manager-startupapicheck
    

    Note

    As of cert-manager v1.15.0, the installCRDs value is deprecated in favor of crds.enabled.

  2. Use Helm to install the software and wait for it to be ready:

    helm upgrade cert-manager oci://registry.venafi.cloud/charts/cert-manager \
      --install \
      --wait \
      --create-namespace \
      --namespace venafi \
      --values cert-manager.values.yaml \
      --version v1.16.1
    

    Note

    For more information about Helm support for OCI package distribution, see the Helm documentation.

    Deploying cert-manager with custom CA trust bundles

    If you want to deploy cert-manager with custom CA bundles (as shown in Step 2 above), replace the helm upgrade command in step 3.2 with the following, which passes the second values file as well:

    helm upgrade cert-manager oci://registry.venafi.cloud/charts/cert-manager \
      --install \
      --wait \
      --create-namespace \
      --namespace venafi \
      --values cert-manager.values.yaml \
      --values cert-manager-ca-certificates.values.yaml \
      --version v1.16.1
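
Once the chart is installed, it is worth confirming that every image named in the values file, and every image the running pods actually use, comes from the intended private registry rather than from a public registry that a missed override would fall back to. The shell helpers below are an added example, not part of the Venafi documentation or the cert-manager chart: values_image_repos extracts the repository values from a values file, check_image_origin verifies a list of image references against a registry host, and images_in_namespace shows the kubectl command that produces that list from a live cluster. The function names and the sample image references are constructed; the registry host is whichever of the three from Step 3 applies.

```shell
#!/bin/sh
# Added example (not from the Venafi documentation or the cert-manager chart):
# confirm that cert-manager's images come from the intended private registry.
# Only POSIX sh and sed are used offline; kubectl is needed for the live check.

# values_image_repos FILE: every image repository named in a
# cert-manager.values.yaml, one per line, for checking before the install.
values_image_repos() {
  sed -n 's/^[[:space:]]*repository:[[:space:]]*//p' "$1"
}

# images_in_namespace NAMESPACE: one image reference per running container,
# for checking after the install (needs kubectl and cluster access).
images_in_namespace() {
  kubectl --namespace "$1" get pods \
    -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'
}

# check_image_origin REGISTRY_HOST: read image references on stdin and report
# each one not served by REGISTRY_HOST. The pattern requires the host to be
# followed by a slash, so a longer host that merely starts with the same
# characters does not pass. Succeeds only when every line matches.
check_image_origin() {
  host=$1
  bad=0
  while IFS= read -r image || [ -n "$image" ]; do
    [ -n "$image" ] || continue
    case "$image" in
      "$host"/*) ;;
      *) printf 'unexpected registry: %s\n' "$image"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Constructed sample, in the shape images_in_namespace prints: three images
# from the US registry and one that a missed values override pulled elsewhere.
sample_pod_images() {
  printf '%s\n' \
    private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.16.1 \
    private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.16.1 \
    private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.16.1 \
    public.example.com/cert-manager/cert-manager-startupapicheck:v1.16.1
}

demo() {
  if sample_pod_images | check_image_origin private-registry.venafi.cloud; then
    echo 'all images come from the expected registry'
  else
    echo 'some images do not come from the expected registry'
  fi
  # Against a live cluster, after Step 3:
  #   images_in_namespace venafi | check_image_origin private-registry.venafi.cloud
}
demo
```

Before installing, run `values_image_repos cert-manager.values.yaml | check_image_origin <registry-host>`; after installing, pipe `images_in_namespace venafi` into the same check. A non-zero exit with one or more "unexpected registry" lines means an image override is missing or a pod is not running the image you intended.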
    

Next Steps