Skip to content

Installing CSI driver using Helm

Installing CSI driver using Helm

Learn how to install cert-manager and the CSI driver component using Helm or the Venafi CLI tool.

Prerequisites

  • If you want to install the CSI driver using Helm, you'll need the following:

    • Your cluster must be running Kubernetes 1.19 or later.
    • You must have permission to install Helm charts on your Kubernetes cluster.
    • You must have kubectl installed on your system.
    • If using Helm, you must have Helm 3.8.0 or later installed on your system.

Step 1: Install cert-manager

The CSI driver component requires cert-manager to be installed.

  1. To install cert-manager in the venafi namespace, and configure it to use the pull-secret, create a file cert-manager.values.yaml containing the following content.

    A sample cert-manager.values.yaml for users of the US region OCI registry:

    cert-manager.values.yaml
    global:
  imagePullSecrets:
    - name: venafi-image-pull-secret

crds:
  enabled: true

image:
  repository: private-registry.venafi.cloud/cert-manager/cert-manager-controller

acmesolver:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver

webhook:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-webhook

cainjector:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector

startupapicheck:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck

    A sample cert-manager.values.yaml for users of the EU region OCI registry:

    cert-manager.values.yaml
    global:
  imagePullSecrets:
    - name: venafi-image-pull-secret

crds:
  enabled: true

image:
  repository: private-registry.venafi.eu/cert-manager/cert-manager-controller

acmesolver:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver

webhook:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-webhook

cainjector:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-cainjector

startupapicheck:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck

    A sample cert-manager.values.yaml for users with their own OCI registry:

    cert-manager.values.yaml
    global:
  imagePullSecrets:
    - name: venafi-image-pull-secret

crds:
  enabled: true

image:
  repository: myregistry.example.com/cert-manager/cert-manager-controller

acmesolver:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-acmesolver

webhook:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-webhook

cainjector:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-cainjector

startupapicheck:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-startupapicheck

    Note

    As of cert-manager v1.15.0, the installCRDs value is deprecated in favor of crds.enabled.

  2. Use Helm to install the software and wait for it to be ready:

    helm upgrade cert-manager oci://registry.venafi.cloud/charts/cert-manager \
  --install \
  --wait \
  --create-namespace \
  --namespace venafi \
  --values cert-manager.values.yaml \
  --version v1.16.1

    Note

    For more information about Helm support for OCI package distribution, see the Helm documentation.

Step 2: Install CSI driver

  1. Use the Helm upgrade command to install the CSI driver:

    A sample command for users of the US region OCI registry:

    helm upgrade -i -n venafi cert-manager-csi-driver oci://private-registry.venafi.cloud/charts/cert-manager-csi-driver --wait \
  --set image.repository=private-registry.venafi.cloud/csi-driver/cert-manager-csi-driver \
  --set livenessProbeImage.repository=private-registry.venafi.cloud/csi-driver/livenessprobe \
  --set nodeDriverRegistrarImage.repository=private-registry.venafi.cloud/csi-driver/csi-node-driver-registrar \
  --version v0.10.1

    A sample command for users of the EU region OCI registry:

    helm upgrade -i -n venafi cert-manager-csi-driver oci://private-registry.venafi.eu/charts/cert-manager-csi-driver --wait \
  --set image.repository=private-registry.venafi.eu/csi-driver/cert-manager-csi-driver \
  --set livenessProbeImage.repository=private-registry.venafi.eu/csi-driver/livenessprobe \
  --set nodeDriverRegistrarImage.repository=private-registry.venafi.eu/csi-driver/csi-node-driver-registrar \
  --version v0.10.1

    A sample command for users with their own organizatonal OCI registry. Be sure to update this command with the URI of your own company's registry:

    helm upgrade -i -n venafi cert-manager-csi-driver oci://myregistry.example.com/charts/cert-manager-csi-driver --wait \
  --set image.repository=myrepository.example.com/csi-driver/cert-manager-csi-driver \
  --set livenessProbeImage.repository=myrepository.example.com/csi-driver/livenessprobe \
  --set nodeDriverRegistrarImage.repository=myrepository.example.com/csi-driver/csi-node-driver-registrar \
  --version v0.10.1

Step 3: Verify the installation

You can verify the installation has completed correctly by checking the presence of the CSIDriver resource as well as a CSINode resource present for each node, referencing csi.cert-manager.io:

kubectl get csidrivers

Sample output:

NAME                     CREATED AT
csi.cert-manager.io   2019-09-06T16:55:19Z

Use the following command to check the CSINode resource:

kubectl get csinodes -o yaml

Sample output:

apiVersion: v1
items:
- apiVersion: storage.k8s.io/v1beta1
  kind: CSINode
  metadata:
    name: kind-control-plane
    ownerReferences:
    - apiVersion: v1
      kind: Node
      name: kind-control-plane
...
  spec:
    drivers:
    - name: csi.cert-manager.io
      nodeID: kind-control-plane
      topologyKeys: null
...