Installing cert-manager using CyberArk Certificate Manager Operator
When using a Red Hat OpenShift cluster, it is recommended to use the CyberArk Certificate Manager Operator for Red Hat OpenShift to deploy Venafi components, including cert-manager.
Follow the steps below to deploy the default version of cert-manager. If the CyberArk Certificate Manager Operator has not been deployed to your OpenShift cluster yet, follow the instructions outlined in the Installing CyberArk Certificate Manager Operator page.
Step 1: Configure access to the Venafi OCI registry
Important
Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.
For the example below, it's assumed that you created the following Kubernetes Secret:
- namespace: venafi
- name: venafi-image-pull-secret
Step 2: Create an instance of VenafiInstall to deploy cert-manager
- Create a YAML file, for example, venafi-components.yaml, with the following content:

  Use this version of venafi-components.yaml as a basis if you are installing cert-manager from Venafi's US registry:

  venafi-components.yaml

      apiVersion: installer.venafi.com/v1alpha1
      kind: VenafiInstall
      metadata:
        name: venafi-components
      spec:
        globals:
          customChartRepository: oci://registry.venafi.cloud/charts
          customImageRegistry: private-registry.venafi.cloud
          imagePullSecretNames: [venafi-image-pull-secret]
          namespace: venafi
          vcpRegion: US
        certManager:
          install: true

  Regional registries
  The example above uses the Venafi US registry parameters. If you want to use a different Venafi registry, replace vcpRegion: US and region: US with the relevant regional repository value:

  - EU registry

    venafi-components.yaml

        ...
        spec:
          globals:
            ...
            vcpRegion: EU
            region: EU
        ...

  - UK registry

    venafi-components.yaml

        ...
        spec:
          globals:
            ...
            vcpRegion: UK
            region: EU
        ...

  - Australia registry

    venafi-components.yaml

        ...
        spec:
          globals:
            ...
            vcpRegion: AU
            region: US
        ...

  - Canada registry

    venafi-components.yaml

        ...
        spec:
          globals:
            ...
            vcpRegion: CA
            region: US
        ...

  - Singapore registry

    venafi-components.yaml

        ...
        spec:
          globals:
            ...
            vcpRegion: SG
            region: US
        ...

For more information on Venafi OCI registries, see Configuring access to a Venafi OCI Registry.
  Use this version of venafi-components.yaml as a basis if you are installing cert-manager from your own registry:

  venafi-components.yaml

      apiVersion: installer.venafi.com/v1alpha1
      kind: VenafiInstall
      metadata:
        name: venafi-components
      spec:
        globals:
          customChartRepository: oci://my-registry.example.com/charts
          customImageRegistry: my-registry.example.com
        certManager:
          install: true

Tip
For a complete list of CyberArk Certificate Manager Operator configuration parameters, refer to the CyberArk Certificate Manager Operator API reference.
- Apply the manifest by running the following command:

      oc apply -f venafi-components.yaml
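
A pre-apply check for the manifest from Step 2, added here as an example and not part of the original page or of CyberArk's tooling: it verifies that vcpRegion and region follow the pairs listed under Regional registries and that the image pull secret from Step 1 is referenced. The function names, the script name lint.sh, and the line-based key matching (not a full YAML parser) are assumptions of this example.

```shell
#!/bin/sh
# Pre-apply lint for venafi-components.yaml. Added example, not CyberArk/Venafi tooling.
# Region pairs come from the "Regional registries" list on this page.

# expected_region VCP_REGION: print the region value paired with it on this page.
expected_region() {
  case "$1" in
    US|AU|CA|SG) echo US ;;
    EU|UK)       echo EU ;;
    *)           return 1 ;;
  esac
}

# yaml_scalar KEY FILE: first "KEY: value" scalar found (line-based, not a YAML parser).
yaml_scalar() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$2" | head -n 1
}

# lint_manifest FILE: return 0 if consistent, else print the problem and return non-zero.
lint_manifest() {
  vcp=$(yaml_scalar vcpRegion "$1")
  region=$(yaml_scalar region "$1")
  if [ -z "$vcp" ]; then
    # Assumption: no vcpRegion means the own-registry variant, so nothing to pair.
    echo "no vcpRegion set, skipping region checks"; return 0
  fi
  want=$(expected_region "$vcp") || { echo "unknown vcpRegion: $vcp"; return 2; }
  if [ -n "$region" ] && [ "$region" != "$want" ]; then
    echo "vcpRegion $vcp is paired with region $want on this page, found $region"; return 3
  fi
  # Assumption: Venafi-registry manifests reference the pull secret from Step 1.
  if ! grep -q '^[[:space:]]*imagePullSecretNames:' "$1"; then
    echo "imagePullSecretNames missing"; return 4
  fi
  echo "ok: vcpRegion=$vcp region=${region:-unset}"
}

# Usage: sh lint.sh venafi-components.yaml && oc apply -f venafi-components.yaml
if [ "$#" -gt 0 ]; then lint_manifest "$1"; fi
```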
Step 3: Verifying the configuration
Verify whether cert-manager is successfully installed by running the following command:

    oc get pods -n venafi

Sample output:

    NAME                                       READY   STATUS    RESTARTS   AGE
    cert-manager-a317f649c4-dp632              1/1     Running   0          1m1s
    cert-manager-cainjector-3125b8f897-g1adf   1/1     Running   0          1m7s
    cert-manager-webhook-26228cbdd-f9121       1/1     Running   0          1m11s