Installing CSI Driver using Helm

Learn how to install cert-manager and the CSI Driver component using Helm or the CLI tool for CyberArk Certificate Manager.

Prerequisites

  • If you want to install the CSI Driver using Helm, you'll need the following:

    • Your cluster must be running Kubernetes 1.19 or later.
    • You must have permission to install Helm charts on your Kubernetes cluster.
    • You must have kubectl installed on your system.
    • If using Helm, you must have Helm 3.8.0 or later installed on your system.

Step 1: Install cert-manager

The CSI Driver component requires cert-manager to be installed.

  1. To install cert-manager in the venafi namespace and configure it to use a pull secret, create cert-manager.values.yaml.

    If using your own registry, uncomment and set imageRegistry and imageNamespace for the Helm chart to resolve image references.

    cert-manager.values.yaml
    global:
      imagePullSecrets:
        - name: venafi-image-pull-secret
    
    crds:
      enabled: true
    
    # Add the following only if using your own registry
    # imageRegistry: myregistry.example.com
    # imageNamespace: cert-manager
    
  2. Use Helm to install cert-manager and wait for it to be ready.

    • Registry URL: In the Helm command, replace registry-example.com with either the CyberArk OCI registry URL for your region or your own registry URL.
    helm upgrade cert-manager oci://registry-example.com/charts/cert-manager \
      --install \
      --wait \
      --create-namespace \
      --namespace venafi \
      --values cert-manager.values.yaml \
      --version v1.20.0
    

For cert-manager versions prior to v1.20, use the following steps instead: specify the full image repository path for each component in the values file and enter a registry URL.

  1. To install cert-manager in the venafi namespace and configure it to use a pull secret, create cert-manager.values.yaml.

    In the following example, replace each instance of <registry-url.com> with either the CyberArk OCI registry URL for your region or your own registry URL.

    cert-manager.values.yaml
    global:
      imagePullSecrets:
        - name: venafi-image-pull-secret
    
    crds:
      enabled: true
    
    image:
      repository: <registry-url.com>/cert-manager/cert-manager-controller
    
    acmesolver:
      image:
        repository: <registry-url.com>/cert-manager/cert-manager-acmesolver
    
    webhook:
      image:
        repository: <registry-url.com>/cert-manager/cert-manager-webhook
    
    cainjector:
      image:
        repository: <registry-url.com>/cert-manager/cert-manager-cainjector
    
    startupapicheck:
      image:
        repository: <registry-url.com>/cert-manager/cert-manager-startupapicheck
    
  2. Use Helm to install cert-manager and wait for it to be ready:

    helm upgrade cert-manager oci://<registry-url.com>/charts/cert-manager \
      --install \
      --wait \
      --create-namespace \
      --namespace venafi \
      --values cert-manager.values.yaml \
      --version v1.19.4
    

Step 2: Install CSI Driver

  1. Use the Helm upgrade command to install the CSI Driver:

    A sample command for users of the US region OCI registry:

    helm upgrade -i -n venafi cert-manager-csi-driver oci://private-registry.venafi.cloud/charts/cert-manager-csi-driver --wait \
      --set image.repository=private-registry.venafi.cloud/csi-driver/cert-manager-csi-driver \
      --set livenessProbeImage.repository=private-registry.venafi.cloud/csi-driver/livenessprobe \
      --set nodeDriverRegistrarImage.repository=private-registry.venafi.cloud/csi-driver/csi-node-driver-registrar \
      --version v0.13.0
    

    Regional registries

    The example above uses the US-based OCI registry. Tenants in the following Certificate Manager - SaaS regions must use this registry: US, Canada, Australia, and Singapore. Tenants in the EU and UK must use the EU registry: private-registry.venafi.eu.

    For more information on Venafi OCI registries, see Configuring access to a CyberArk OCI Registry.

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    helm upgrade -i -n venafi cert-manager-csi-driver oci://myregistry.example.com/charts/cert-manager-csi-driver --wait \
      --set image.repository=myrepository.example.com/csi-driver/cert-manager-csi-driver \
      --set livenessProbeImage.repository=myrepository.example.com/csi-driver/livenessprobe \
      --set nodeDriverRegistrarImage.repository=myrepository.example.com/csi-driver/csi-node-driver-registrar \
      --version v0.13.0
    

Step 3: Verify the installation

To verify that the installation completed correctly, check that the CSIDriver resource exists and that the CSINode resource for each node references csi.cert-manager.io:

kubectl get csidrivers

Sample output:

NAME                     CREATED AT
csi.cert-manager.io   2019-09-06T16:55:19Z

Use the following command to check the CSINode resource:

kubectl get csinodes -o yaml

Sample output:

apiVersion: v1
items:
- apiVersion: storage.k8s.io/v1beta1
  kind: CSINode
  metadata:
    name: kind-control-plane
    ownerReferences:
    - apiVersion: v1
      kind: Node
      name: kind-control-plane
...
  spec:
    drivers:
    - name: csi.cert-manager.io
      nodeID: kind-control-plane
      topologyKeys: null
...
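
The two checks above can be combined into one script that fails when the CSIDriver object is absent or any node does not register the driver. This is an added example, not part of the original documentation; the function names and the sample node data are constructed for illustration, and the jsonpath query assumes the CSINode layout shown in the sample output.

```shell
#!/bin/sh
# Added example (not from the original page): per-node check for the
# cert-manager CSI driver. Function names here are illustrative.
DRIVER="csi.cert-manager.io"

# Reads lines of "node<TAB>space-separated driver names" on stdin and prints
# each node that does not register $DRIVER (exact match, not substring).
nodes_missing_driver() {
  awk -F '\t' -v want="$DRIVER" '
    NF == 0 { next }                       # ignore blank lines
    {
      found = 0
      n = split($2, names, " ")            # n is 0 when no driver is listed
      for (i = 1; i <= n; i++)
        if (names[i] == want) found = 1
      if (!found) print $1
    }'
}

# Emits one such line per CSINode from the live cluster (needs kubectl access).
list_csinode_drivers() {
  kubectl get csinodes -o \
    jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.drivers[*].name}{"\n"}{end}'
}

# Constructed sample data standing in for list_csinode_drivers output.
sample_csinodes() {
  printf 'kind-control-plane\tcsi.cert-manager.io\n'
  printf 'kind-worker\tcsi.example.com csi.cert-manager.io\n'
  printf 'kind-worker2\tcsi.cert-manager.io.example\n'   # similar name only
  printf 'kind-worker3\t\n'                              # no drivers at all
}

# Returns 0 only if the CSIDriver object exists and every node registers it.
verify_csi_driver() {
  if ! kubectl get csidriver "$DRIVER" >/dev/null 2>&1; then
    echo "CSIDriver $DRIVER not found" >&2
    return 1
  fi
  missing=$(list_csinode_drivers | nodes_missing_driver)
  [ -z "$missing" ] && return 0
  printf 'Nodes without %s:\n%s\n' "$DRIVER" "$missing" >&2
  return 1
}
```

Source the file and run `verify_csi_driver` against the cluster; `sample_csinodes | nodes_missing_driver` exercises the parsing offline and reports kind-worker2 and kind-worker3.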