
Installing cert-manager using CyberArk Certificate Manager Operator

When using a Red Hat OpenShift cluster, it is recommended to use the CyberArk Certificate Manager Operator for Red Hat OpenShift to deploy Venafi components, including cert-manager.

Follow the steps below to deploy the default version of cert-manager. If the CyberArk Certificate Manager Operator has not been deployed to your OpenShift cluster yet, follow the instructions outlined in the Installing CyberArk Certificate Manager Operator page.

Step 1: Configure access to the Venafi OCI registry

Important

Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.

For the example below, it's assumed that you created the following Kubernetes Secret:

  • namespace: venafi
  • name: venafi-image-pull-secret

Step 2: Create an instance of VenafiInstall to deploy cert-manager

  1. Create a YAML file, for example, venafi-components.yaml, with the following content:

    Use this version of venafi-components.yaml as a basis if you are installing cert-manager from Venafi's US registry:

    venafi-components.yaml
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals:
        customChartRepository: oci://registry.venafi.cloud/charts
        customImageRegistry: private-registry.venafi.cloud
        imagePullSecretNames: [venafi-image-pull-secret]
        namespace: venafi
        vcpRegion: US
      certManager:
        install: true
    

    Regional registries

    The example above uses the Venafi US registry parameters. If you want to use a different Venafi registry, replace vcpRegion: US and region: US with the relevant regional repository value:

    • EU registry

      venafi-components.yaml
      ...
      spec:
        globals:
          ...
          vcpRegion: EU
          region: EU
          ...
      

    • UK registry

      venafi-components.yaml
      ...
      spec:
        globals:
          ...
          vcpRegion: UK
          region: EU
          ...
      

    • Australia registry

      venafi-components.yaml
      ...
      spec:
        globals:
          ...
          vcpRegion: AU
          region: US
          ...
      

    • Canada registry

      venafi-components.yaml
      ...
      spec:
        globals:
          ...
          vcpRegion: CA
          region: US
          ...
      

    • Singapore registry

      venafi-components.yaml
      ...
      spec:
        globals:
          ...
          vcpRegion: SG
          region: US
          ...
      

    For more information on Venafi OCI registries, see Configuring access to a Venafi OCI Registry.

    Use this version of venafi-components.yaml as a basis if you are installing cert-manager from your own registry:

    venafi-components.yaml
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals:
        customChartRepository: oci://my-registry.example.com/charts
        customImageRegistry: my-registry.example.com
      certManager:
        install: true
    

    Tip

    For a complete list of CyberArk Certificate Manager Operator configuration parameters, refer to the CyberArk Certificate Manager Operator API reference.

  2. Apply the manifest by running the following command:

    oc apply -f venafi-components.yaml
    

Step 3: Verifying the configuration

Verify that cert-manager was installed successfully by running the following command:

oc get pods -n venafi

Sample output:

NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-a317f649c4-dp632              1/1     Running   0          1m1s
cert-manager-cainjector-3125b8f897-g1adf   1/1     Running   0          1m7s
cert-manager-webhook-26228cbdd-f9121       1/1     Running   0          1m11s
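
The Step 3 check as a scriptable gate, added here as an example and not taken from the original page or from CyberArk's tooling: it reads `oc get pods -n venafi` table output on stdin and succeeds only if each of the three workloads in the sample output has a pod that is Running with all containers ready. The function name `check_cert_manager_pods` and the failing input at the end are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Reads `oc get pods -n venafi`
# table output on stdin; exits 0 only if all three cert-manager workloads
# have at least one pod that is Running with every container ready.
# Usage: oc get pods -n venafi | check_cert_manager_pods
check_cert_manager_pods() {
    awk '
        BEGIN { bad = 0 }
        NR == 1 && $1 == "NAME" { next }   # header row
        NF < 3 { next }                    # blank or truncated line
        {
            # Drop the generated "-<replicaset hash>-<pod id>" suffix to
            # recover the workload name, e.g. cert-manager-webhook.
            name = $1
            sub(/-[a-z0-9]+-[a-z0-9]+$/, "", name)
            split($2, ready, "/")          # READY column is "n/m"
            if ($3 == "Running" && ready[2] + 0 > 0 && ready[1] + 0 == ready[2] + 0)
                healthy[name] = 1
            else {
                printf "NOT READY: %s (%s, %s)\n", $1, $2, $3
                bad = 1
            }
        }
        END {
            n = split("cert-manager cert-manager-cainjector cert-manager-webhook", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in healthy)) {
                    printf "NO HEALTHY POD: %s\n", want[i]
                    bad = 1
                }
            exit bad
        }
    '
}

# Constructed sample: the webhook pod cannot pull its image.
check_cert_manager_pods <<'EOF' || echo "cert-manager is not fully ready"
NAME                                       READY   STATUS             RESTARTS   AGE
cert-manager-a317f649c4-dp632              1/1     Running            0          2m
cert-manager-cainjector-3125b8f897-g1adf   1/1     Running            0          2m
cert-manager-webhook-26228cbdd-f9121       0/1     ImagePullBackOff   0          2m
EOF
```

A pod stuck pulling its image usually points back to Step 1: check that the pull secret exists in the `venafi` namespace and is listed under `imagePullSecretNames`.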