Connecting a cluster using a Helm chart¶

Although installing the Venafi Kubernetes Agent using the Venafi CLI is handy for quick, one-off installations on a few clusters, using a Helm chart is the recommended method when you intend to integrate the installation process into your CI/CD pipelines.

The Helm chart is available from the following Venafi OCI registries:

oci://registry.venafi.cloud/charts/venafi-kubernetes-agent (public)
oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent (private, US)
oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent (private, EU)

Note

The instructions through this section assume that you are using the public registry.

To familiarize yourself with the Helm chart, use the following commands:

helm show readme oci://registry.venafi.cloud/charts/venafi-kubernetes-agent
helm show values oci://registry.venafi.cloud/charts/venafi-kubernetes-agent
helm template oci://registry.venafi.cloud/charts/venafi-kubernetes-agent

Authentication methods¶

There are two ways you can connect a cluster and authenticate to Venafi Control Plane:

(Recommended) Using workload identity federation
Using key pair authentication.

Workload identity federation allows Venafi Kubernetes components to authenticate with Venafi Control Plane securely without having to manage and secure long-lived credentials (like passwords or API keys). Instead, Kubernetes can function as an OIDC provider such that Venafi Control Plane can validate its service account tokens using JWT/OIDC authentication.

This is a secretless method for authenticating with Kubernetes. With this method, you don't require an access token or password.

This method also has the advantage of being a one-time setup, and no credentials need to be passed between your teams.

This option offers the best choice for managing authentication as there are no long-lived credentials at all.

Workload identity federation

For more general information on workload identity federation, see What is workload identity federation?.

Connecting a cluster using workload identity federation¶

Connecting a cluster using workload identity federation has four steps:

Install the Helm chart.
Obtaining the OIDC Issuer URL and JWKS URI.
Creating a service account in the Venafi Control Plane UI.
Configuring Kubernetes resources.

Step 1: Install the Helm chart¶

Install the agent Helm chart using the following command:

US RegionEU RegionOwn Registry

helm upgrade --install venafi-kubernetes-agent oci://registry.venafi.cloud/charts/venafi-kubernetes-agent \
--namespace "venafi" \
--set authentication.venafiConnection.enabled="true" \
--set config.clusterName="replace-with-your-cluster-name"

helm upgrade --install venafi-kubernetes-agent oci://registry.venafi.cloud/charts/venafi-kubernetes-agent \
--namespace "venafi" \
--set authentication.venafiConnection.enabled="true" \
--set config.clusterName="replace-with-your-cluster-name"

helm upgrade --install venafi-kubernetes-agent oci://myregistry.example.com/charts/venafi-kubernetes-agent \
--namespace "venafi" \
--set authentication.venafiConnection.enabled="true" \
--set config.clusterName="replace-with-your-cluster-name"

Note

The authentication.venafiConnection.enabled Helm value is set to false by default, and must be set to true to enable secretless authentication using workload identity federation.

Important

The Venafi Kubernetes Agent uses the VenafiConnection CRD. This CRD is also used by other Venafi components, such as Venafi Enhanced Issuer and Approver Policy Enterprise. If these components are already installed on your cluster, the VenafiConnection CRD should already be present. If the VenafiConnection CRD is not yet installed on your cluster, you can include it by adding the following flag:

--set crds.venafiConnection.include=true

Step 2: Obtain the OIDC Issuer URL and JWKS URI¶

Before creating a service account in Venafi Control Plane, you must complete the following tasks on your Kubernetes cluster.

Obtain the OIDC Issuer URL: To get the OIDC Issuer URL, run the command below

kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer'

Obtain the OIDC JWKS URI: To get the OIDC JWKS URI, run the command below
```
ISSUER_URL=$(kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer')
curl -fsSL "${ISSUER_URL}/.well-known/openid-configuration" | jq -r '.jwks_uri
```
IMPORTANT!

The JWKS URI must be a publicly accessible HTTPS endpoint, without authentication. This allows Venafi Control Plane to retrieve authentication information. If the JWKS URI isn't publicly accessible or if it is protected, you must establish an alternative location that is kept in constant synchronization with the original JWKS URI of your cluster.

For example, on a Google GKE cluster, the public JWKS URI can be found in the public discovery document rather than the in-cluster discovery document:

https://container.googleapis.com/v1/projects/${PROJECT_ID}/locations/${LOCATION}/clusters/${CLUSTER_NAME}/.well-known/openid-configuration. Learn more

Step 3: Create a service account¶

Warning

When registering clusters with Venafi Control Plane, ensure that only one instance of the Venafi Kubernetes Agent is deployed. Additionally, each instance of the Venafi Kubernetes Agent must use a dedicated Venafi Control Plane service account. This practice allows Venafi Control Plane to accurately identify connected clusters. Using the same service account across multiple clusters is not supported.

Sign in to Venafi Control Plane.
Click Settings > Service Accounts.
Click New.
Select the Kubernetes Agent radio button in the Use Case list, and click Continue.
Enter a Name for your new service account.
Select an Owning Team. This team owns the machine you want to create the service account for.
Enter the Validity period in days for the service account.
Select Kubernetes Discovery for the Scope if not already selected.
Select Workload Identity Federation as the authentication method, and then click Continue.
Fill in the credentials with the specific information required for authentication, and then click Finish:
- Issuer URL: Enter the OIDC Issuer URL of the cluster obtained in the previous section.
  - Example: https://kubernetes.default.svc
- JWKS URI: Enter the OIDC JWKS URI of the cluster or the public location where the JSON Web Key Set (JWKS) data is replicated.
  - Example: https://www.example.com:6443/.well-known/jwks.json
- Subject Identifier: Enter the unique identifier for the subject within the issuing authority's namespace. Kubernetes uses the format system:serviceaccount:<NAMESPACE>:<SERVICE ACCOUNT NAME> for the Subject Identifier field.
  - Example: system:serviceaccount:venafi:venafi-components
- Audience: Enter the intended audience for the token, which is usually the API or resource that the token is intended to access.
  - Examples: https://api.venafi.cloud or https://api.venafi.eu
Create the venafi namespace in your cluster:
```
kubectl create namespace venafi
```
Retrieve your tenant ID in the Venafi Control Plane UI by navigating to Settings > Licensing. Your Tenant ID will be displayed under Account information on the Licensing page.

Create a Venafi Connection resource in YAML. For example:

US RegionEU Region

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: venafi-components
  namespace: venafi
spec:
  vcp:
      url: https://api.venafi.cloud
      accessToken:
      - serviceAccountToken:
          name: venafi-components
          audiences: ["https://api.venafi.cloud"]
      - vcpOAuth:
          tenantID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # (1)!

Add the tenant ID here that you retrieved in the previous step.

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: venafi-components
  namespace: venafi
spec:
  vcp:
      url: https://api.venafi.eu
      accessToken:
      - serviceAccountToken:
          name: venafi-components
          audiences: ["https://api.venafi.eu"]
      - vcpOAuth:
          tenantID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # (1)!

Add the tenant ID here that you retrieved in the previous step.

Step 4: Configure Kubernetes resources¶

Create a Kubernetes service account that the Venafi Connection can use to authenticate to Venafi Control Plane.
```
apiVersion: v1
kind: ServiceAccount
metadata:
  name: venafi-components
  namespace: venafi
```

Give the Venafi Connection the permission to acquire tokens for this service account:

Create a role that allows the creation of service account tokens for venafi-components:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: venafi-components-create-token
  namespace: venafi
rules:
- apiGroups: [ "" ]
  resources: [ "serviceaccounts/token" ]
  verbs: [ "create" ]
  resourceNames: [ "venafi-components" ]

Link the Venafi Connection service account (which is used by Venafi Kubernetes Agent for authentication) to the venafi-components-create-token role:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: venafi-components-create-token
  namespace: venafi
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: venafi-components-create-token
subjects:
- kind: ServiceAccount
  name: venafi-connection
  namespace: venafi

To connect a cluster using key pair authentication¶

Create a service account using the Venafi Control Plane UI or the Venafi CLI tool:

Warning

When registering clusters with Venafi Control Plane, ensure that only one instance of the Venafi Kubernetes Agent is deployed. Additionally, each instance of the Venafi Kubernetes Agent must use a dedicated Venafi Control Plane service account. This practice allows Venafi Control Plane to accurately identify connected clusters. Using the same service account across multiple clusters is not supported.

Venafi Control Plane UIVenafi CLI tool

Sign in to Venafi Control Plane.
Click Settings > Service Accounts.
Click New.
Choose the Kubernetes Agent option from the Use case list, and click Continue.

The use cases available for you to choose depend on which Venafi Control Plane components you have licenses for.
Enter a Name for your new service account.
Select an Owning Team. This team owns the machine you want to create the service account for.
(Conditional) Enter the number of days for which you want the account to remain valid in the Validity (days) field. You can select any number from 1 to 365 days. This step doesn't apply when creating a Custom API Integration service account.
Select the Kubernetes Discovery option from the Scope drop-down, and click Continue. Learn more
Select one of the following key generation options as required:

Click the Auto-generate a keypair and download the private key radio button, and click Create.

In the Credentials section, copy the public and private keys.

Important

Copy and store this private key securely as it cannot be recovered if lost. This is your only opportunity to copy this private key.

Store the private key as a venafi-agent-private-key.pem file, so it can be later imported to the cluster.

Or:

Click the Generate your own keypair and upload the public key radio button, and click Continue.

In the Credentials section, provide the public key corresponding to the private key that your service will use. For your public key to be valid, it must be in PEM format and no longer than 2000 characters. The supported key algorithms are:
```
- RSA in 2048, 3072, or 4096 key lengths
- ECDSA: P256, P384, or P521
- EDDSA: ED25519
```
Click Finish to create the service account and return to the Service Accounts page.
In the Service Account inventory page, locate the service account you just created. At the far right side of the screen, click the more icon, then click Copy Client ID.

Paste the client ID to a location where you will be able to access later as it will be required as part of the Helm install command.
Create the venafi namespace, and a Kubernetes secret containing the private key of the desired service account.
```
kubectl create namespace venafi
```

Import the private key you created and stored earlier in to the cluster:

kubectl create secret generic agent-credentials \
  --namespace=venafi \
  --from-file=privatekey.pem=venafi-agent-private-key.pem

Install the Helm Chart:

US RegionEU RegionOwn Registry

helm upgrade venafi-kubernetes-agent oci://registry.venafi.cloud/charts/venafi-kubernetes-agent \
  --install \
  --namespace "venafi" \
  --set config.clientId="replace-with-clientID" \
  --set config.clusterName="replace-with-your-cluster-name" \
  --set config.clusterDescription="replace-with-your-cluster-description"

helm upgrade venafi-kubernetes-agent oci://registry.venafi.cloud/charts/venafi-kubernetes-agent \
  --install \
  --namespace "venafi" \
  --set config.clientId="replace-with-clientID" \
  --set config.server="https://api.venafi.eu/" \
  --set config.clusterName="replace-with-your-cluster-name" \
  --set config.clusterDescription="replace-with-your-cluster-description"

Note

Specifying a cluster name and cluster description automatically creates a cluster resource in Venafi Control Plane

helm upgrade venafi-kubernetes-agent oci://myregistry.example.com/charts/venafi-kubernetes-agent \
  --install \
  --namespace "venafi" \
  --set image.repository="myregistry.example.com/venafi-agent/venafi-agent" \
  --set config.clientId="replace-with-clientID" \
  --set config.clusterName="replace-with-your-cluster-name" \
  --set config.clusterDescription="replace-with-your-cluster-description"

Note

Specifying a cluster name and cluster description automatically creates a cluster resource in Venafi Control Plane.

If your Venafi Control Plane tenant is based in Europe, update the Helm command by adding the --set config.server="https://api.venafi.eu/" value.

Using a custom CA bundle

If you want to employ a custom CA bundle, use kubectl to add it to a ConfigMap:

kubectl --namespace venafi create configmap ca-cert --from-file=ca-cert=<file-name>

Configure the volumes and volumeMounts in the venafi-kubernetes-agent.values.yaml file:

venafi-kubernetes-agent.values.yaml

volumes:
- name: ca-cert
    configMap:
    name: ca-cert
volumeMounts:
- name: ca-cert
    mountPath: /etc/ssl/certs/ca-cert.crt
    subPath: ca-cert.crt
    readOnly: true

Apply the values file using the Helm upgrade command. For example:

US RegionEU RegionOwn Registry

helm upgrade venafi-kubernetes-agent oci://registry.venafi.cloud/charts/venafi-kubernetes-agent \
    --install \
    --namespace "venafi" \
    --set config.clientId="replace-with-clientID" \
    --set config.clusterName="replace-with-your-cluster-name" \
    --set config.clusterDescription="replace-with-your-cluster-description" \
    --values venafi-kubernetes-agent.values.yaml

helm upgrade venafi-kubernetes-agent oci://registry.venafi.cloud/charts/venafi-kubernetes-agent \
    --install \
    --namespace "venafi" \
    --set config.clientId="replace-with-clientID" \
    --set config.server="https://api.venafi.eu/" \
    --set config.clusterName="replace-with-your-cluster-name" \
    --set config.clusterDescription="replace-with-your-cluster-description" \
    --values venafi-kubernetes-agent.values.yaml

Note

Specifying a cluster name and cluster description automatically creates a cluster resource in Venafi Control Plane

helm upgrade venafi-kubernetes-agent oci://myregistry.example.com/charts/venafi-kubernetes-agent \
    --install \
    --namespace "venafi" \
    --set config.clientId="replace-with-clientID" \
    --set config.clusterName="replace-with-your-cluster-name" \
    --set config.clusterDescription="replace-with-your-cluster-description" \
    --values venafi-kubernetes-agent.values.yaml

Note that this functionality is only available in release 0.1.49 or later.

US RegionEU RegionOwn registry

Create a service account if you have not already done so, for example:

You must have the Venafi CLI and jq tools installed to complete this procedure.

venctl iam service-account agent create --name sa-agent \
  --output secret \
  --output-file agent-credentials.json \
  --api-key xyz

export VENAFI_AGENT_CLIENT_ID=$(jq -r '.client_id' agent-credentials.json)
jq -r '.private_key' agent-credentials.json > venafi-agent-private-key-secret.yaml

Info

You can also create service accounts dynamically using a master service account. For more information on how to do this, see Creating service accounts dynamically.

Create the venafi namespace, and a Kubernetes secret containing the private key of the desired service account.

kubectl create namespace venafi

kubectl apply --namespace venafi -f venafi-agent-private-key-secret.yaml

Install the Helm chart:

helm upgrade venafi-kubernetes-agent oci://registry.venafi.cloud/charts/venafi-kubernetes-agent \
  --install \
  --namespace "venafi" \
  --set config.clientId="${VENAFI_AGENT_CLIENT_ID}" \
  --set config.clusterName="replace-with-your-cluster-name" \
  --set config.clusterDescription="replace-with-your-cluster-description"

Note

Specifying a cluster name and cluster description automatically creates a cluster resource in Venafi Control Plane.

Using a custom CA bundle

If you want to employ a custom CA bundle, use kubectl to add it to a ConfigMap:

kubectl --namespace venafi create configmap ca-cert --from-file=ca-cert=<file-name>

Configure the volumes and volumeMounts in the venafi-kubernetes-agent.values.yaml file:

venafi-kubernetes-agent.values.yaml

volumes:
- name: ca-cert
    configMap:
    name: ca-cert
volumeMounts:
- name: ca-cert
    mountPath: /etc/ssl/certs/ca-cert.crt
    subPath: ca-cert.crt
    readOnly: true

Apply the values file using the Helm upgrade command. For example:

helm upgrade venafi-kubernetes-agent oci://registry.venafi.cloud/charts/venafi-kubernetes-agent \
    --install \
    --namespace "venafi" \
    --set config.clientId="replace-with-clientID" \
    --set config.clusterName="replace-with-your-cluster-name" \
    --set config.clusterDescription="replace-with-your-cluster-description" \
    --values venafi-kubernetes-agent.values.yaml

Note that this functionality is only available in release 0.1.49 or later.

Create a service account if you have not already done so, for example:

You must have the Venafi CLI and jq tools installed to complete this procedure.

venctl iam service-account agent create --name sa-agent \
  --output secret \
  --output-file agent-credentials.json \
  --vcp-region eu \
  --api-key xyz

export VENAFI_AGENT_CLIENT_ID=$(jq -r '.client_id' agent-credentials.json)
jq -r '.private_key' agent-credentials.json > venafi-agent-private-key-secret.yaml

Info

You can also create service accounts dynamically using a master service account. For more information on how to do this, see Creating service accounts dynamically.

Create the venafi namespace, and a Kubernetes secret containing the private key of the desired service account.

kubectl create namespace venafi

kubectl apply --namespace venafi -f venafi-agent-private-key-secret.yaml

Install the Helm chart:

helm upgrade venafi-kubernetes-agent oci://registry.venafi.cloud/charts/venafi-kubernetes-agent \
  --install \
  --namespace "venafi" \
  --set config.clientId="${VENAFI_AGENT_CLIENT_ID}" \
  --set config.server="https://api.venafi.eu/" \
  --set config.clusterName="replace-with-your-cluster-name" \
  --set config.clusterDescription="replace-with-your-cluster-description"

Note

Specifying a cluster name and cluster description automatically creates a cluster resource in Venafi Control Plane.

Using a custom CA bundle

If you want to employ a custom CA bundle, use kubectl to add it to a ConfigMap:

kubectl --namespace venafi create configmap ca-cert --from-file=ca-cert=<file-name>

Configure the volumes and volumeMounts in the venafi-kubernetes-agent.values.yaml file:

venafi-kubernetes-agent.values.yaml

volumes:
- name: ca-cert
    configMap:
    name: ca-cert
volumeMounts:
- name: ca-cert
    mountPath: /etc/ssl/certs/ca-cert.crt
    subPath: ca-cert.crt
    readOnly: true

Apply the values file using the Helm upgrade command. For example:

helm upgrade venafi-kubernetes-agent oci://registry.venafi.cloud/charts/venafi-kubernetes-agent \
    --install \
    --namespace "venafi" \
    --set config.clientId="replace-with-clientID" \
    --set config.server="https://api.venafi.eu/" \
    --set config.clusterName="replace-with-your-cluster-name" \
    --set config.clusterDescription="replace-with-your-cluster-description" \
    --values venafi-kubernetes-agent.values.yaml

Note that this functionality is only available in release 0.1.49 or later.

Create a service account if you have not already done so, for example:

You must have the Venafi CLI and jq tools installed to complete this procedure.

venctl iam service-account agent create --name sa-agent \
  --output secret \
  --output-file agent-credentials.json \
  --vcp-region "set to us or eu as necessary" \
  --api-key xyz

export VENAFI_AGENT_CLIENT_ID=$(jq -r '.client_id' agent-credentials.json)
jq -r '.private_key' agent-credentials.json > venafi-agent-private-key-secret.yaml

Info

You can also create service accounts dynamically using a master service account. For more information on how to do this, see Creating service accounts dynamically.

Create the venafi namespace, and a Kubernetes secret containing the private key of the desired service account.

kubectl create namespace venafi

kubectl apply --namespace venafi -f venafi-agent-private-key-secret.yaml

Install the Helm chart:

helm upgrade venafi-kubernetes-agent oci://myregistry.example.com/charts/venafi-kubernetes-agent \
  --install \
  --namespace "venafi" \
  --set config.clientId="${VENAFI_AGENT_CLIENT_ID}" \
  --set config.clusterName="replace-with-your-cluster-name" \
  --set config.clusterDescription="replace-with-your-cluster-description"

Note

Specifying a cluster name and cluster description automatically creates a cluster resource in Venafi Control Plane.

If your Venafi Control Plane tenant is based in Europe, update the Helm command by adding the --set config.server="https://api.venafi.eu/" value.

Using a custom CA bundle

If you want to employ a custom CA bundle, use kubectl to add it to a ConfigMap:

kubectl --namespace venafi create configmap ca-cert --from-file=ca-cert=<file-name>

Configure the volumes and volumeMounts in the venafi-kubernetes-agent.values.yaml file:

venafi-kubernetes-agent.values.yaml

volumes:
- name: ca-cert
    configMap:
    name: ca-cert
volumeMounts:
- name: ca-cert
    mountPath: /etc/ssl/certs/ca-cert.crt
    subPath: ca-cert.crt
    readOnly: true

Apply the values file using the Helm upgrade command. For example:

helm upgrade venafi-kubernetes-agent oci://myregistry.example.com/charts/venafi-kubernetes-agent \
    --install \
    --namespace "venafi" \
    --set config.clientId="replace-with-clientID" \
    --set config.clusterName="replace-with-your-cluster-name" \
    --set config.clusterDescription="replace-with-your-cluster-description" \
    --values venafi-kubernetes-agent.values.yaml

Note that this functionality is only available in release 0.1.49 or later.

Using a proxy server¶

Some Kubernetes clusters are configured to only allow Internet connections via a HTTP(S) proxy. If that applies to you:

Add api.venafi.cloud to the allowed domain list of your egress proxy.
If using a Helm chart to install Venafi Kubernetes Agent, you can use of the following Helm values.
HTTP ProxyHTTPS ProxyNo Proxy
Configures the HTTP_PROXY environment variable where a HTTP proxy is required. For example:
http_proxy: "http://<proxy server>:<port>"
Configure the HTTPS_PROXY environment variable where a HTTP proxy is required. For example:
https_proxy: "https://<proxy server>:<port>"
Configure the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded. For example:
no_proxy: 127.0.0.1,localhost,kubernetes.default.svc,kubernetes.default.svc.cluster.local

For more information about proxy server Helm values for Venafi Kubernetes Agent, see the Venafi Kubernetes Agent Helm values reference page.

Also, when the Venafi Kubernetes Agent requires a proxy for outbound connections, and the proxy uses a certificate issued by a private certificate authority, you can now add the certificate authority to a custom CA bundle that the agent will trust. The Helm chart supports specifying volumes and volume mounts to streamline this process. For more information, see the Venafi Kubernetes Agent Helm values reference page.

Verifying the deployment¶

To verify the deployment:

In the Venafi Control Plane UI, click Installations > Kubernetes Clusters and verify the following for your cluster:
- Status: Active
- Last Check In: ... seconds ago

Click Settings > Event Log, and check that the following events are present for your service account:

Service account access token granted
Login succeeded

Tip

To troubleshoot any issues, use the following command to check the agent logs:

kubectl logs -n venafi -l app.kubernetes.io/instance=venafi-kubernetes-agent --tail -1 | grep -A 5 "Running Agent"

You should see something similar to the following:

2023/01/01 01:01:01 Running Agent...
2023/01/01 01:01:02 Posting data to: https://api.venafi.cloud/ or https://api.venafi.eu/
2023/01/01 01:01:03 Data sent successfully.

Disconnecting a cluster and uninstalling Venafi Kubernetes Agent¶

To disconnect a cluster completely from Venafi Control Plane, you must:

Disconnect the cluster using the Venafi Control Plane UI.
Uninstall the Venafi Kubernetes Agent from the cluster.

Disconnecting a cluster using the Venafi Control Plane web interface¶

To disconnect a cluster using the Venafi Control Plane web interface, follow the instructions below:

In the Venafi Control Plane UI, go to Installations > Kubernetes Clusters.
Click the checkbox on the row assigned to your cluster, and click Disconnect.
Next, go to Settings > Service Accounts.
Click the checkbox on the row assigned to the service account you created when installing Venafi Kubernetes Agent, and click Delete.

Uninstalling the Venafi Kubernetes Agent¶

To uninstall the Venafi Kubernetes Agent using kubectl, issue the following command:

kubectl delete -n venafi deployment agent

Next steps¶

Configuring Venafi Kubernetes Agent

Connecting a cluster using a Helm chart¶

Authentication methods¶

Connecting a cluster using workload identity federation¶

Step 1: Install the Helm chart¶

Step 2: Obtain the OIDC Issuer URL and JWKS URI¶

Step 3: Create a service account¶

Step 4: Configure Kubernetes resources¶

To connect a cluster using key pair authentication¶

Using a proxy server¶

Verifying the deployment¶

Disconnecting a cluster and uninstalling Venafi Kubernetes Agent¶

Disconnecting a cluster using the Venafi Control Plane web interface¶

Uninstalling the Venafi Kubernetes Agent¶

Next steps¶

Related links¶