
Installing cert-manager using the Venafi CLI tool

The Venafi CLI tool offers the quickest and easiest method for installing cert-manager.

Step 1: Configure access to the Venafi OCI registry

If installing the component from a Venafi OCI registry, follow the instructions in Configuring access to the Venafi OCI Registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.

Step 2: (Optional) Configure custom CA bundles

If you are using the open-source Venafi issuer rather than Venafi Enhanced Issuer, there are two ways of setting up a custom CA bundle for use with TLS Protect Datacenter or Venafi Control Plane.

You can add the base64-encoded CA bundle directly into the Issuer or ClusterIssuer manifest:

apiVersion: cert-manager.io/v1
kind: Issuer
spec:
  venafi:
    tpp:
      caBundle: <base64 encoded string of caBundle PEM file>

Alternatively, you can load the CA bundle from a ConfigMap:

  1. First, use kubectl to add the custom CA bundle to a ConfigMap. The data key (ca-cert.crt here) must match the subPath used in the volume mount in the next step, otherwise the mounted file is empty:

    kubectl --namespace venafi create configmap ca-cert --from-file=ca-cert.crt=<file-name>
    
  2. Configure the volumes and volumeMounts in a cert-manager-ca-certificates.values.yaml file:

    cert-manager-ca-certificates.values.yaml
    volumes:
      - name: ca-cert
        configMap:
          name: ca-cert
    volumeMounts:
      - name: ca-cert
        mountPath: /etc/ssl/certs/ca-cert.crt
        subPath: ca-cert.crt
        readOnly: true
    
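The two approaches above (inline caBundle and ConfigMap mount), as an added example that is not from the Venafi documentation: a Python script that validates a PEM bundle before it is shipped, produces the single-line base64 that spec.venafi.tpp.caBundle expects, renders the ConfigMap equivalent of the kubectl command, and checks that the ConfigMap key matches the subPath in the values file. It goes a little beyond the page in rejecting private-key blocks and in decoding a caBundle already present in a manifest. The Issuer name, TPP URL, zone and credentials Secret name are assumed placeholders; the sample PEM block is constructed and not a real certificate.

```python
"""Added example, not part of the Venafi documentation: prepare a custom CA
bundle for the open-source Venafi issuer both ways the page describes.
- inline: spec.venafi.tpp.caBundle carries the base64 of the whole PEM file
- ConfigMap: the data key must equal the subPath in the Helm values file
Issuer name, TPP URL, zone and Secret name used below are assumed placeholders.
"""
import base64
import re

# One PEM block: BEGIN and END labels must match; the body is whatever sits between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----", re.S)

def pem_block_types(pem_text):
    """Return the label of every PEM block in the file, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text.replace("\r\n", "\n"))]

def ca_bundle_problems(pem_text):
    """List what is wrong with a would-be CA bundle; an empty list means it is usable.
    The bundle lands in an Issuer or ConfigMap that is readable cluster-wide, so a
    private key pasted in by mistake must be caught before it is shipped."""
    types = pem_block_types(pem_text)
    if not types:
        return ["no PEM blocks found"]
    return [f"non-certificate PEM block: {t}" for t in sorted(set(types)) if t != "CERTIFICATE"]

def check_ca_bundle(pem_text):
    """Raise if the bundle is unusable; otherwise return it unchanged."""
    problems = ca_bundle_problems(pem_text)
    if problems:
        raise ValueError("; ".join(problems))
    return pem_text

def encode_ca_bundle(pem_text):
    """base64 of the full PEM text on a single line, which is what caBundle expects."""
    return base64.b64encode(check_ca_bundle(pem_text).encode("ascii")).decode("ascii")

def decode_ca_bundle(encoded):
    """Reverse of encode_ca_bundle, for auditing a caBundle already in a manifest."""
    return check_ca_bundle(base64.b64decode(encoded).decode("ascii"))

def render_issuer(name, tpp_url, zone, credentials_secret, pem_text, namespace="venafi"):
    """Render a cert-manager.io/v1 Issuer with the bundle inline."""
    return (
        "apiVersion: cert-manager.io/v1\nkind: Issuer\n"
        f"metadata:\n  name: {name}\n  namespace: {namespace}\n"
        f"spec:\n  venafi:\n    zone: {zone}\n    tpp:\n"
        f"      url: {tpp_url}\n"
        f"      credentialsRef:\n        name: {credentials_secret}\n"
        f"      caBundle: {encode_ca_bundle(pem_text)}\n"
    )

def render_configmap(name, key, pem_text, namespace="venafi"):
    """Same object that `kubectl create configmap NAME --from-file=KEY=FILE` creates."""
    check_ca_bundle(pem_text)
    body = "".join(f"    {line}\n" for line in pem_text.rstrip("\n").split("\n"))
    return (
        "apiVersion: v1\nkind: ConfigMap\n"
        f"metadata:\n  name: {name}\n  namespace: {namespace}\n"
        f"data:\n  {key}: |\n{body}"
    )

def missing_configmap_keys(values_text, configmap_keys):
    """Every subPath in the values file must be a key the ConfigMap actually has;
    a subPath naming an absent key leaves cert-manager without the CA file."""
    wanted = re.findall(r"^\s*subPath:\s*(\S+)\s*$", values_text, re.M)
    return [k for k in wanted if k not in set(configmap_keys)]

# Constructed sample input: not a real certificate, only a well-formed PEM block.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedSampleBodyNotARealCertificate\n"
    "-----END CERTIFICATE-----\n"
)

# The cert-manager-ca-certificates.values.yaml content from the page.
VALUES_FILE = """volumes:
  - name: ca-cert
    configMap:
      name: ca-cert
volumeMounts:
  - name: ca-cert
    mountPath: /etc/ssl/certs/ca-cert.crt
    subPath: ca-cert.crt
    readOnly: true
"""

if __name__ == "__main__":
    print(render_issuer("venafi-tpp", "https://tpp.example.com/vedsdk", "Default",
                        "tpp-secret", SAMPLE_CA_PEM))
    print(render_configmap("ca-cert", "ca-cert.crt", SAMPLE_CA_PEM))
    # A key named plainly ca-cert (from --from-file=ca-cert=<file>) does not satisfy subPath: ca-cert.crt.
    print("missing keys:", missing_configmap_keys(VALUES_FILE, ["ca-cert"]))
```

`kubectl create configmap NAME --from-file=KEY=FILE` creates a data key named KEY, so the key must be `ca-cert.crt` for the `subPath: ca-cert.crt` mount to find the file; `missing_configmap_keys` reports the mismatch that a key named plainly `ca-cert` would produce. `decode_ca_bundle` is the check to run against an Issuer that someone else authored before applying it.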

Step 3: Generate the Venafi Kubernetes manifest

  1. If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
  2. Initialize the Venafi Kubernetes Manifest tool:

    venctl components kubernetes manifest tool init
    

    For more information on this command and its associated flags, see the venctl reference page.

  3. Issue the following command to generate a Venafi Kubernetes manifest which, when applied, installs the default version of cert-manager to the venafi namespace:

    A sample command for users of the US region OCI registry:

    venctl components kubernetes manifest generate \
      --region us \
      --cert-manager > venafi-components.yaml
    

    A sample command for users of the EU region OCI registry:

    venctl components kubernetes manifest generate \
      --region eu \
      --cert-manager > venafi-components.yaml
    

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    venctl components kubernetes manifest generate \
      --region custom \
      --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
      --cert-manager-custom-image-registry myregistry.example.com \
      --cert-manager > venafi-components.yaml
    

    Note

    When you install cert-manager using the Venafi CLI tool, cert-manager's own approver is disabled by default. If you want to enable it, set the --default-approver flag to true in the venctl components kubernetes manifest generate command.

    If you intend to use Approver Policy or Approver Policy Enterprise with cert-manager, the cert-manager default approver must be disabled.

    Deploying cert-manager with custom CA bundles

    If you want to generate the manifest to include the cert-manager-ca-certificates.values.yaml file shown in step 2, replace the command in step 3.3 with the following:

    A sample command for users of the US region OCI registry:

    venctl components kubernetes manifest generate \
      --region us \
      --cert-manager-values-files cert-manager-ca-certificates.values.yaml \
      --cert-manager > venafi-components.yaml
    

    A sample command for users of the EU region OCI registry:

    venctl components kubernetes manifest generate \
      --region eu \
      --cert-manager-values-files cert-manager-ca-certificates.values.yaml \
      --cert-manager > venafi-components.yaml
    

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    venctl components kubernetes manifest generate \
      --region custom \
      --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
      --cert-manager-custom-image-registry myregistry.example.com \
      --cert-manager-values-files cert-manager-ca-certificates.values.yaml \
      --cert-manager > venafi-components.yaml
    
  4. To apply the manifest, use the following command:

    venctl components kubernetes manifest tool sync --file venafi-components.yaml
    

    For more information and options on using the Venafi CLI tool to install this component, see the Venafi CLI tool reference page.

Tip

You can also use the venctl components kubernetes apply command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments.

See venctl components kubernetes apply for more information on how to use the command with this component.
