Skip to content

Installing cert-manager using Helm and Venafi OCI registries

Note

For information about different installation options, see the cert-manager open-source documentation Installing cert-manager with Helm.

This section discusses installing cert-manager using Helm.

Step 1: Configure access to the Venafi OCI registry

Configure access to the Venafi OCI registry. Follow the instructions in Configuring access to the Venafi OCI Registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.

The sample file below, for example, assumes you created a Kubernetes Secret using venafi as the namespace and venafi-image-pull-secret as the name of the secret.

Step 2: Install cert-manager using Helm

  1. To install cert-manager in the venafi namespace, and configure it to use the pull-secret, create a file cert-manager.values.yaml containing the following content.

    A sample cert-manager.values.yaml for users of the US region OCI registry:

    cert-manager.values.yaml
    global:
  imagePullSecrets:
    - name: venafi-image-pull-secret

crds:
  enabled: true

image:
  repository: private-registry.venafi.cloud/cert-manager/cert-manager-controller

acmesolver:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver

webhook:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-webhook

cainjector:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector

startupapicheck:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck

    A sample cert-manager.values.yaml for users of the EU region OCI registry:

    cert-manager.values.yaml
    global:
  imagePullSecrets:
    - name: venafi-image-pull-secret

crds:
  enabled: true

image:
  repository: private-registry.venafi.eu/cert-manager/cert-manager-controller

acmesolver:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver

webhook:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-webhook

cainjector:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-cainjector

startupapicheck:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck

    A sample cert-manager.values.yaml for users with their own OCI registry:

    cert-manager.values.yaml
    global:
  imagePullSecrets:
    - name: venafi-image-pull-secret

crds:
  enabled: true

image:
  repository: myregistry.example.com/cert-manager/cert-manager-controller

acmesolver:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-acmesolver

webhook:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-webhook

cainjector:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-cainjector

startupapicheck:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-startupapicheck

    Note

    As of cert-manager v1.15.0, the installCRDs value is deprecated in favor of crds.enabled.

  2. Use Helm to install the software and wait for it to be ready:

    helm upgrade cert-manager oci://registry.venafi.cloud/charts/cert-manager \
--install \
--wait \
--create-namespace \
--namespace venafi \
--values cert-manager.values.yaml \
--version v1.15.1

    Note

    For more information about Helm support for OCI package distribution, see the Helm documentation.

Next Steps