Installing CSI driver for SPIFFE using the Venafi CLI tool

Learn how to install CSI driver for SPIFFE using the Venafi CLI tool.

Step 1: Configure access to the Venafi OCI registry

Configure access to the Venafi OCI registry. Follow the instructions in Configuring access to the Venafi OCI Registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace and create a Kubernetes image pull secret in the namespace as outlined.

You must create a docker-registry secret for Kubernetes to use when pulling container images in-cluster. This secret must be available in the installation namespace.

The default secret name is venafi-image-pull-secret unless you configure a different name.

Step 2: Generate a manifest

The Venafi CLI tool offers the quickest and easiest method for installing cert-manager and CSI driver for SPIFFE.

  1. If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
  2. Initialize the Venafi Kubernetes Manifest tool:

    venctl components kubernetes manifest tool init
    
  3. Issue the following command to generate a Venafi Kubernetes manifest which, when applied, installs the default versions of cert-manager and CSI driver for SPIFFE:

    A sample command for users of the US region OCI registry:

    venctl components kubernetes manifest generate --region us --cert-manager --csi-driver-spiffe > helmfile.yaml
    

    A sample command for users of the EU region OCI registry:

    venctl components kubernetes manifest generate --region eu --cert-manager --csi-driver-spiffe > helmfile.yaml
    

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    venctl components kubernetes manifest generate \
      --region custom \
      --cert-manager-custom-chart-repository oci://myregistry.example.com/charts/cert-manager \
      --cert-manager-custom-image-registry myregistry.example.com \
      --cert-manager \
      --csi-driver-spiffe > helmfile.yaml
    
  4. Define a variable to be set for the trust domain, and apply the manifest using the following command. Replace example.com in the following example with your trust domain:

    CSI_DRIVER_SPIFFE_TRUST_DOMAIN=example.com venctl components kubernetes manifest tool sync --file helmfile.yaml
    

    For more information and options on using the Venafi CLI tool to install CSI driver for SPIFFE, see the Venafi CLI tool reference page.

    Tip

    To find out the current default version of CSI driver for SPIFFE (and of all the Venafi Kubernetes components you can install with the Venafi CLI tool), use the venctl components kubernetes manifest print-versions command.

Step 3: Configure an Issuer or ClusterIssuer

If you wish to use a namespace-scoped issuer, it must be created in every namespace that Pods will mount volumes from.

You must use an Issuer type which is compatible with signing certificates with a custom URI SAN. ACME issuers won't generally work, and the SelfSigned issuer is not appropriate.

  1. Install or configure an issuer to use for signing CertificateRequest resources in your Trust Domain. See the following example:

    clusterissuer.yaml
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: selfsigned
    spec:
      selfSigned: {}
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: csi-driver-spiffe-ca
      namespace: venafi
    spec:
      commonName: csi-driver-spiffe-ca
      secretName: csi-driver-spiffe-ca
      duration: 2160h
      isCA: true
      issuerRef:
        name: selfsigned
        kind: ClusterIssuer
        group: cert-manager.io
    ---
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: my-issuer-name
    spec:
      ca:
        secretName: csi-driver-spiffe-ca
    

    Use kubectl to apply the clusterissuer.yaml file:

    kubectl apply -f clusterissuer.yaml
    

    Note

    If you are using a ConfigMap to configure an issuer at runtime, take note of the name, kind and group values you use in your issuer, as they need to be passed to the ConfigMap.

  2. You must also approve the CertificateRequest, because the default approver is disabled. The following example uses cmctl to approve it:

    cmctl approve -n venafi \
      $(kubectl get cr -n venafi -ojsonpath='{.items[0].metadata.name}')
    

    Important

    This example demonstrates the use of a CA issuer with the private key stored on the cluster for simplicity. Venafi strongly advises against using this approach in production environments. For a more secure and manageable solution, organizations should use a Venafi Firefly issuer.

Step 4: Create a ConfigMap

As of release v0.6.0, you can specify an issuer at runtime using a ConfigMap.

Note

When you install CSI driver for SPIFFE using the Venafi CLI tool, runtime configuration is required; the driver cannot be installed without it.

Configure a ConfigMap (which must be called csi-driver-spiffe-ca) in CSI driver for SPIFFE's installation namespace that specifies which issuer to use. Ensure the name, kind and group values you pass to the ConfigMap are the same as those used when creating the Issuer in the previous step.

kubectl create configmap csi-driver-spiffe-ca -n venafi \
    --from-literal=issuer-name=my-issuer-name \
    --from-literal=issuer-kind=ClusterIssuer \
    --from-literal=issuer-group=cert-manager.io

The logs for the CSI driver for SPIFFE DaemonSet pods should produce output like the following to show that the ConfigMap was picked up:

I0516 11:57:44.655854       1 driver.go:410] "Changed active issuerRef in response to runtime configuration ConfigMap" logger="csi.runtime-config-watcher" config-map-name="spiffe-issuer" config-map-namespace="venafi" issuer-name="my-issuer-name" issuer-kind="ClusterIssuer" issuer-group="cert-manager.io"
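A mismatch between the issuer created in Step 3 and the values written to the ConfigMap in Step 4 (for example pointing the ConfigMap at the bootstrap selfsigned ClusterIssuer instead of my-issuer-name) is easy to make and only shows up later as failed SVID issuance. The following script is an added example, not code from the Venafi documentation or the csi-driver-spiffe project. It parses the clusterissuer.yaml from Step 3 offline, checks that the issuer referenced by the ConfigMap exists with the same name, kind and group and is not a selfSigned or acme issuer, and then confirms that the DaemonSet log line reports the same issuerRef. The YAML parser only understands the block-mapping subset used in that manifest; the sample manifest, ConfigMap values and log line are constructed from the page.

```python
"""Offline consistency check for the CSI driver for SPIFFE runtime-config ConfigMap.

Added example (not Venafi's or csi-driver-spiffe's own code). Checks that the issuer
the ConfigMap points at exists in the manifest, can sign URI SANs, and that the
DaemonSet log reports the same issuerRef.
"""
import re

# Issuer types the documentation says cannot sign a custom URI SAN.
UNSUITABLE_ISSUER_TYPES = {"selfSigned", "acme"}


def _parse_block(items, pos, indent):
    """Build a dict from (indent, key, raw) tuples starting at `pos` at `indent`."""
    result = {}
    while pos < len(items) and items[pos][0] == indent:
        _, key, raw = items[pos]
        pos += 1
        if raw == "" and pos < len(items) and items[pos][0] > indent:
            result[key], pos = _parse_block(items, pos, items[pos][0])  # nested mapping
        elif raw == "{}":
            result[key] = {}
        else:
            result[key] = raw or None
    return result, pos


def parse_manifests(text):
    """Parse a multi-document manifest (block mappings only) into a list of dicts."""
    docs = []
    for chunk in re.split(r"^---[ \t]*$", text, flags=re.M):
        items = []
        for line in chunk.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            indent = len(line) - len(line.lstrip(" "))
            key, _, raw = line.strip().partition(":")
            items.append((indent, key.strip(), raw.strip()))
        if items:
            docs.append(_parse_block(items, 0, items[0][0])[0])
    return docs


def find_issuer(docs, name, kind, group):
    """Return the Issuer/ClusterIssuer document matching the ConfigMap reference, if any."""
    for doc in docs:
        api_group = (doc.get("apiVersion") or "").split("/")[0]
        meta = doc.get("metadata") or {}
        if doc.get("kind") == kind and meta.get("name") == name and api_group == group:
            return doc
    return None


def check_runtime_config(docs, config):
    """Return a list of problems; empty when the ConfigMap values are consistent."""
    missing = [k for k in ("issuer-name", "issuer-kind", "issuer-group") if not config.get(k)]
    if missing:
        return [f"ConfigMap is missing key(s): {', '.join(missing)}"]
    issuer = find_issuer(docs, config["issuer-name"], config["issuer-kind"], config["issuer-group"])
    if issuer is None:
        return [f"no {config['issuer-kind']} {config['issuer-name']!r} in group "
                f"{config['issuer-group']} found in the manifests"]
    bad = sorted(set(issuer.get("spec") or {}) & UNSUITABLE_ISSUER_TYPES)
    if bad:
        return [f"issuer {config['issuer-name']!r} is a {bad[0]} issuer, which cannot sign SPIFFE URI SANs"]
    return []


# key="value" pairs as written by the driver's structured logger.
LOG_KV = re.compile(r'(\S+?)="([^"]*)"')


def log_matches_config(line, config):
    """True when the DaemonSet log line reports the issuerRef configured in the ConfigMap."""
    kv = dict(LOG_KV.findall(line))
    return all(kv.get(k) == config.get(k) for k in ("issuer-name", "issuer-kind", "issuer-group"))


# Constructed sample inputs: the clusterissuer.yaml from Step 3, a correct ConfigMap,
# a ConfigMap that mistakenly targets the bootstrap self-signed issuer, and a log line.
CLUSTERISSUER_YAML = """apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: csi-driver-spiffe-ca
  namespace: venafi
spec:
  commonName: csi-driver-spiffe-ca
  secretName: csi-driver-spiffe-ca
  duration: 2160h
  isCA: true
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-issuer-name
spec:
  ca:
    secretName: csi-driver-spiffe-ca
"""
GOOD_CONFIG = {"issuer-name": "my-issuer-name", "issuer-kind": "ClusterIssuer", "issuer-group": "cert-manager.io"}
BAD_CONFIG = {"issuer-name": "selfsigned", "issuer-kind": "ClusterIssuer", "issuer-group": "cert-manager.io"}
SAMPLE_LOG = ('I0516 11:57:44.655854       1 driver.go:410] "Changed active issuerRef in response to '
              'runtime configuration ConfigMap" logger="csi.runtime-config-watcher" '
              'config-map-name="spiffe-issuer" config-map-namespace="venafi" '
              'issuer-name="my-issuer-name" issuer-kind="ClusterIssuer" issuer-group="cert-manager.io"')
MANIFEST_DOCS = parse_manifests(CLUSTERISSUER_YAML)

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_runtime_config(MANIFEST_DOCS, cfg) or "ok",
              "| log matches:", log_matches_config(SAMPLE_LOG, cfg))
```

Run it against your own clusterissuer.yaml and the literals you intend to pass to kubectl create configmap before applying them; after the ConfigMap is in place, feed the DaemonSet log line to log_matches_config to confirm the driver switched to the intended issuerRef rather than a stale one.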