Installing CSI driver for SPIFFE using the Venafi CLI tool
Learn how to install CSI driver for SPIFFE using the Venafi CLI tool.
Step 1: Configure access to the Venafi OCI registry
Configure access to the Venafi OCI registry. Follow the instructions in Configuring access to the Venafi OCI Registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace and create a Kubernetes image pull secret in that namespace as outlined there.
You must create a docker-registry secret for Kubernetes to use when pulling container images in-cluster. This secret must exist in the installation namespace. The default secret name is venafi-image-pull-secret unless you configure a different name.
Step 2: Generate the Venafi Kubernetes manifest
The Venafi CLI tool offers the quickest and easiest method for installing cert-manager and CSI driver for SPIFFE.
- If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
- Initialize the Venafi Kubernetes Manifest tool:
  venctl components kubernetes manifest tool init
  For more information on this command and its associated flags, see the venctl reference page.
- Issue the following command to generate a Venafi Kubernetes manifest which, when applied, will install the default versions of cert-manager and CSI driver for SPIFFE.
  A sample command for users of the US region OCI registry:
  venctl components kubernetes manifest generate --region us --cert-manager --csi-driver-spiffe > venafi-components.yaml
  A sample command for users of the EU region OCI registry:
  venctl components kubernetes manifest generate --region eu --cert-manager --csi-driver-spiffe > venafi-components.yaml
  A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:
  venctl components kubernetes manifest generate \
    --region custom \
    --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
    --cert-manager-custom-image-registry myregistry.example.com \
    --cert-manager \
    --csi-driver-spiffe > venafi-components.yaml
- Define a variable for the trust domain and apply the manifest with the following command. Replace example.com with your trust domain:
  CSI_DRIVER_SPIFFE_TRUST_DOMAIN=example.com venctl components kubernetes manifest tool sync --file venafi-components.yaml
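A pre-flight check for the trust domain value, added here as an example and not part of the Venafi documentation or of venctl: csi-driver-spiffe uses the trust domain as the host of every SPIFFE ID it issues (spiffe://<trust domain>/ns/<namespace>/sa/<service account>), and the SPIFFE ID specification restricts a trust domain to lowercase letters, digits, '.', '-' and '_' with no scheme, port or path. A value such as spiffe://example.com or Example.com in CSI_DRIVER_SPIFFE_TRUST_DOMAIN is therefore worth rejecting before the sync runs. The function names and the sync_components wrapper are this example's own; the sync command it wraps is the one documented above.

```shell
#!/bin/sh
# Added example (not from the Venafi docs or venctl): validate a SPIFFE trust
# domain before handing it to the manifest sync. csi-driver-spiffe uses the
# value as the host of every SPIFFE ID it issues, which has the shape
#   spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>
# and the SPIFFE ID spec allows only [a-z0-9._-] in a trust domain, with no
# scheme, port or path and a maximum of 255 characters.

# validate_trust_domain DOMAIN: exit status 0 if DOMAIN is a usable trust
# domain, 1 with a reason on stderr otherwise.
validate_trust_domain() {
  td=$1
  case "$td" in
    '')          echo "trust domain is empty" >&2; return 1 ;;
    spiffe://*)  echo "pass the bare domain, not a spiffe:// URI: $td" >&2; return 1 ;;
    */*)         echo "trust domain must not contain a path: $td" >&2; return 1 ;;
    *:*)         echo "trust domain must not contain a scheme or port: $td" >&2; return 1 ;;
    .*|*.)       echo "trust domain must not start or end with '.': $td" >&2; return 1 ;;
  esac
  if [ "${#td}" -gt 255 ]; then
    echo "trust domain longer than 255 characters" >&2; return 1
  fi
  # Uppercase is the most common mistake, so report it separately from other bad characters.
  if printf '%s' "$td" | LC_ALL=C grep -q '[A-Z]'; then
    echo "trust domain must be lowercase: $td" >&2; return 1
  fi
  if ! printf '%s' "$td" | LC_ALL=C grep -Eq '^[a-z0-9._-]+$'; then
    echo "trust domain may only contain a-z, 0-9, '.', '-' and '_': $td" >&2; return 1
  fi
  return 0
}

# spiffe_id TRUST_DOMAIN NAMESPACE SERVICE_ACCOUNT: print the SPIFFE ID the
# driver will request for a Pod running as SERVICE_ACCOUNT in NAMESPACE.
spiffe_id() {
  printf 'spiffe://%s/ns/%s/sa/%s\n' "$1" "$2" "$3"
}

# sync_components TRUST_DOMAIN [MANIFEST]: the documented sync command, run
# only after the trust domain passes validation. Requires venctl and cluster
# access; this wrapper is the example's own, not a venctl feature.
sync_components() {
  validate_trust_domain "$1" || return 1
  CSI_DRIVER_SPIFFE_TRUST_DOMAIN=$1 venctl components kubernetes manifest tool sync \
    --file "${2:-venafi-components.yaml}"
}

# Usage (the sync needs venctl and a cluster; the checks run anywhere):
#   validate_trust_domain example.com && spiffe_id example.com default web
#   sync_components example.com venafi-components.yaml
```

The rejection cases are ordered so that the most likely mistakes (a full spiffe:// URI, a path, a port) get a specific message; everything else falls through to the character-set check.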
For more information and options on using the Venafi CLI tool to install CSI driver for SPIFFE, see the Venafi CLI tool reference page.
Tip
To find out the current default version of CSI driver for SPIFFE (and of all the Venafi Kubernetes components you can install with the Venafi CLI tool), use the venctl components kubernetes manifest print-versions command.
Step 3: Configure an Issuer or ClusterIssuer
If you wish to use a namespace-scoped Issuer, it must be created in every namespace in which Pods will mount CSI driver for SPIFFE volumes.
You must use an issuer type that can sign certificates carrying a custom URI SAN, since every identity the driver requests has a spiffe:// URI SAN. ACME issuers won't generally work, and the SelfSigned issuer is not appropriate.
Note
This step requires you to use the cert-manager command-line tool cmctl. For more information on how to install and use this tool, see the cmctl install page.
- Install or configure an issuer to use for signing CertificateRequest resources in your trust domain. The following example, clusterissuer.yaml, creates a SelfSigned ClusterIssuer, uses it to issue a CA certificate into the venafi namespace, and then exposes that CA through a second ClusterIssuer named my-issuer-name. A ClusterIssuer reads its secret from cert-manager's cluster resource namespace, which for a Venafi CLI tool installation is venafi, so the Certificate must be created there:
  apiVersion: cert-manager.io/v1
  kind: ClusterIssuer
  metadata:
    name: selfsigned
  spec:
    selfSigned: {}
  ---
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: csi-driver-spiffe-ca
    namespace: venafi
  spec:
    commonName: csi-driver-spiffe-ca
    secretName: csi-driver-spiffe-ca
    duration: 2160h
    isCA: true
    issuerRef:
      name: selfsigned
      kind: ClusterIssuer
      group: cert-manager.io
  ---
  apiVersion: cert-manager.io/v1
  kind: ClusterIssuer
  metadata:
    name: my-issuer-name
  spec:
    ca:
      secretName: csi-driver-spiffe-ca
  Use kubectl to apply the clusterissuer.yaml file:
  kubectl apply -f clusterissuer.yaml
Note
If you are using a ConfigMap to configure an issuer at runtime, take note of the name, kind and group values you use in your issuer, as they need to be passed to the ConfigMap.
- You must also approve the CertificateRequest for the CA certificate, since the default approver is disabled in this installation. The following example uses cmctl to approve it:
  cmctl approve -n venafi \
    $(kubectl get cr -n venafi -ojsonpath='{.items[0].metadata.name}')
  The jsonpath expression selects the first CertificateRequest in the venafi namespace. If other CertificateRequests exist there, list them with kubectl get certificaterequest -n venafi and pass the name of the csi-driver-spiffe-ca request explicitly rather than approving whichever one is listed first.
Important
This example demonstrates the use of a CA issuer with the private key stored on the cluster for simplicity. Venafi strongly advises against using this approach in production environments. For a more secure and manageable solution, organizations should use a Venafi Firefly issuer.
Step 4: Create a ConfigMap
As of release v0.6.0, you can specify an issuer at runtime using a ConfigMap.
Note
When you install CSI driver for SPIFFE with the Venafi CLI tool, runtime configuration through this ConfigMap is required.
Configure a ConfigMap (which must be called csi-driver-spiffe-ca) in CSI driver for SPIFFE's installation namespace that specifies which issuer to use. Ensure the issuer-name, issuer-kind and issuer-group values you pass to the ConfigMap match the name, kind and group of the issuer you created in the previous step.
kubectl create configmap csi-driver-spiffe-ca -n venafi \
--from-literal=issuer-name=my-issuer-name \
--from-literal=issuer-kind=ClusterIssuer \
--from-literal=issuer-group=cert-manager.io
The logs of the CSI driver for SPIFFE DaemonSet pods should contain a line like the following, showing that the ConfigMap was picked up. The config-map-name field reports the ConfigMap the driver was configured to watch, so in this installation expect csi-driver-spiffe-ca where the sample line (captured from a different installation) shows spiffe-issuer:
I0516 11:57:44.655854 1 driver.go:410] "Changed active issuerRef in response to runtime configuration ConfigMap" logger="csi.runtime-config-watcher" config-map-name="spiffe-issuer" config-map-namespace="venafi" issuer-name="my-issuer-name" issuer-kind="ClusterIssuer" issuer-group="cert-manager.io"
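The check that the Note in Step 3 and the ConfigMap in this step call for, added here as an example and not part of the Venafi documentation, csi-driver-spiffe or cert-manager: verify that the issuer-name, issuer-kind and issuer-group values are well-formed before writing them, and afterwards that the ConfigMap in the cluster really carries the reference you meant and that the referenced issuer object exists. The function names, the check_live wrapper and the constructed data line in the usage comment are this example's own; the names csi-driver-spiffe-ca, venafi and my-issuer-name are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the Venafi docs, csi-driver-spiffe or cert-manager):
# check the issuer reference before and after it goes into the
# csi-driver-spiffe-ca ConfigMap. A typo here (kind "Clusterissuer", an empty
# group, a name that is not a valid Kubernetes object name) only surfaces
# later as CertificateRequests that never get an issuer, so catch it up front.

# validate_issuer_ref NAME KIND GROUP: 0 if the three values form a reference
# cert-manager can resolve, 1 with the reason on stderr otherwise.
validate_issuer_ref() {
  name=$1 kind=$2 group=$3
  case "$kind" in
    Issuer|ClusterIssuer) ;;
    *) echo "issuer-kind must be Issuer or ClusterIssuer, got '$kind'" >&2; return 1 ;;
  esac
  # Object names are DNS-1123 subdomains: lowercase alphanumerics, '-' and '.',
  # at most 253 characters, and the same shape is required of an API group.
  dns1123='^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
  if [ "${#name}" -eq 0 ] || [ "${#name}" -gt 253 ] \
     || ! printf '%s' "$name" | LC_ALL=C grep -Eq "$dns1123"; then
    echo "issuer-name '$name' is not a valid Kubernetes object name" >&2; return 1
  fi
  # cert-manager.io for cert-manager's built-in issuers; an external issuer
  # (for example a Venafi Firefly issuer) uses its own API group.
  if [ "${#group}" -eq 0 ] || ! printf '%s' "$group" | LC_ALL=C grep -Eq "$dns1123"; then
    echo "issuer-group '$group' is not a valid API group" >&2; return 1
  fi
  return 0
}

# configmap_matches DATA NAME KIND GROUP: DATA is the string
# "<issuer-name> <issuer-kind> <issuer-group>" as printed by
#   kubectl get configmap csi-driver-spiffe-ca -n venafi \
#     -o jsonpath='{.data.issuer-name} {.data.issuer-kind} {.data.issuer-group}'
# Returns 0 only if all three fields equal the expected values.
configmap_matches() {
  data=$1 want_name=$2 want_kind=$3 want_group=$4
  got_name=${data%% *}
  rest=${data#* }
  got_kind=${rest%% *}
  got_group=${rest#* }
  [ "$got_name" = "$want_name" ] && [ "$got_kind" = "$want_kind" ] && [ "$got_group" = "$want_group" ]
}

# check_live INSTALL_NS NAME KIND GROUP [ISSUER_NS]: read the ConfigMap from the
# installation namespace, compare it, and confirm the referenced issuer exists.
# For a namespaced Issuer, ISSUER_NS is the namespace whose Pods will mount
# volumes (defaults to INSTALL_NS). Needs kubectl and cluster access.
check_live() {
  ns=$1 name=$2 kind=$3 group=$4 issuer_ns=${5:-$1}
  validate_issuer_ref "$name" "$kind" "$group" || return 1
  data=$(kubectl get configmap csi-driver-spiffe-ca -n "$ns" \
           -o jsonpath='{.data.issuer-name} {.data.issuer-kind} {.data.issuer-group}') || return 1
  if ! configmap_matches "$data" "$name" "$kind" "$group"; then
    echo "ConfigMap csi-driver-spiffe-ca in $ns holds '$data', expected '$name $kind $group'" >&2
    return 1
  fi
  # The <resource>.<group> form lets kubectl address external issuer types too.
  if [ "$kind" = ClusterIssuer ]; then
    kubectl get "clusterissuer.$group" "$name" >/dev/null
  else
    kubectl get "issuer.$group" "$name" -n "$issuer_ns" >/dev/null
  fi
}

# Usage, with a constructed data line standing in for the kubectl output:
#   validate_issuer_ref my-issuer-name ClusterIssuer cert-manager.io
#   configmap_matches 'my-issuer-name ClusterIssuer cert-manager.io' my-issuer-name ClusterIssuer cert-manager.io
#   check_live venafi my-issuer-name ClusterIssuer cert-manager.io
```

Run check_live after the kubectl create configmap command above; a non-zero exit with the printed reason tells you whether the ConfigMap or the issuer is at fault before you go looking in the DaemonSet logs.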