Installing OpenShift Routes for cert-manager using CyberArk Certificate Manager Operator
Installing OpenShift Routes for cert-manager using CyberArk Certificate Manager Operator for Red Hat OpenShift (formerly known as Venafi Control Plane Operator) is the recommended method for installing this component.
CyberArk Certificate Manager Operator for Red Hat OpenShift is designed to assist users in installing, maintaining, and upgrading CyberArk cluster components.
Follow the steps below to deploy the default version of cert-manager and OpenShift Routes for cert-manager using the CyberArk Certificate Manager Operator.
Prerequisites
To install OpenShift Routes for cert-manager using the CyberArk Certificate Manager Operator you'll need the following:
- Access to the CyberArk OCI registry (or your own mirror).
- You have CyberArk Certificate Manager Operator already installed on your system.
- You have the Red Hat OpenShift CLI tool `oc` installed on your system.
Step 1: Configure access to the CyberArk OCI registry
Important
Follow the instructions in Configuring access to the OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.
For the example below, it's assumed that you created the following Kubernetes Secret:
- namespace: `venafi`
- name: `venafi-image-pull-secret`
Step 2: Create and apply the manifest
- Create a manifest `venafi-components.yaml`. You can use one of the samples below as a base:

  venafi-components.yaml

  ```yaml
  apiVersion: installer.venafi.com/v1alpha1
  kind: VenafiInstall
  metadata:
    name: venafi-components
  spec:
    globals:
      enableDefaultApprover: false
      imagePullSecretNames: [venafi-image-pull-secret]
      namespace: venafi
      useFIPSImages: false
      vcpRegion: US
      region: US
    certManager:
      install: true
    openshiftRoutes:
      install: true
  ```

  Regional registries

  The example above uses the Venafi US registry parameters. If you want to use a different Venafi registry, replace `vcpRegion: US` and `region: US` with the relevant regional repository value:

  - EU registry

    venafi-components.yaml

    ```yaml
    ...
    spec:
      globals:
        ...
        vcpRegion: EU
        region: EU
        ...
    ```

  - UK registry

    venafi-components.yaml

    ```yaml
    ...
    spec:
      globals:
        ...
        vcpRegion: UK
        region: EU
        ...
    ```

  - Australia registry

    venafi-components.yaml

    ```yaml
    ...
    spec:
      globals:
        ...
        vcpRegion: AU
        region: US
        ...
    ```

  - Canada registry

    venafi-components.yaml

    ```yaml
    ...
    spec:
      globals:
        ...
        vcpRegion: CA
        region: US
        ...
    ```

  - Singapore registry

    venafi-components.yaml

    ```yaml
    ...
    spec:
      globals:
        ...
        vcpRegion: SG
        region: US
        ...
    ```

  For more information on Venafi OCI registries, see Configuring access to a Venafi OCI Registry.

  If you use your own mirror, set `customChartRepository` and `customImageRegistry` instead:

  venafi-components.yaml

  ```yaml
  apiVersion: installer.venafi.com/v1alpha1
  kind: VenafiInstall
  metadata:
    name: venafi-components
  spec:
    globals:
      customChartRepository: oci://myregistry.example.com/charts
      customImageRegistry: myregistry.example.com
      enableDefaultApprover: false
      imagePullSecretNames: [venafi-image-pull-secret]
      namespace: venafi
      useFIPSImages: false
    certManager:
      install: true
    openshiftRoutes:
      install: true
  ```

  Note

  Set the `spec.certManager.skip` parameter to `true` and the `spec.certManager.install` parameter to `false` if you have already installed and configured cert-manager.

  Tip

  For a complete list of CyberArk Certificate Manager Operator configuration parameters, refer to the CyberArk Certificate Manager Operator API reference.
- Apply the manifest by running the following command:

  ```
  oc apply -f venafi-components.yaml
  ```
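A pre-flight check for the manifest from Step 2, as an added example that is not part of the CyberArk documentation: it lints `venafi-components.yaml` offline and flags a `vcpRegion`/`region` pair that differs from the regional values listed on this page, so a registry mismatch is caught before `oc apply`. The function names, the line-based parsing of block-style YAML, and treating a missing `imagePullSecretNames` as an error are assumptions of this example.

```shell
#!/bin/sh
# Added example: offline lint for venafi-components.yaml. Function names are hypothetical.

# Print the value of the first "key: value" line in a manifest ($1 = key, $2 = file).
# Assumes block-style YAML laid out like the samples on this page.
manifest_value() {
  awk -v k="$1" '$1 == (k ":") { print $2; exit }' "$2"
}

# Map vcpRegion to the region value this page pairs it with.
expected_region() {
  case "$1" in
    US|AU|CA|SG) echo US ;;
    EU|UK)       echo EU ;;
    *)           return 1 ;;
  esac
}

# Return 0 when the manifest's registry settings are consistent, 1 otherwise.
check_manifest() {
  cm_file=$1
  # Assumption: both samples on this page set a pull secret, so its absence is an error.
  if [ -z "$(manifest_value imagePullSecretNames "$cm_file")" ]; then
    echo "imagePullSecretNames is not set" >&2; return 1
  fi
  cm_mirror=$(manifest_value customImageRegistry "$cm_file")
  if [ -n "$cm_mirror" ]; then
    echo "custom registry $cm_mirror: region check skipped"; return 0
  fi
  cm_vcp=$(manifest_value vcpRegion "$cm_file")
  cm_region=$(manifest_value region "$cm_file")
  if ! cm_want=$(expected_region "$cm_vcp"); then
    echo "unknown vcpRegion '$cm_vcp'" >&2; return 1
  fi
  if [ "$cm_region" != "$cm_want" ]; then
    echo "vcpRegion $cm_vcp expects region $cm_want, found '$cm_region'" >&2; return 1
  fi
  echo "vcpRegion $cm_vcp / region $cm_region: ok"
}

# Constructed sample: UK paired with the wrong region value.
sample=$(mktemp)
printf '%s\n' 'spec:' '  globals:' '    imagePullSecretNames: [venafi-image-pull-secret]' \
  '    vcpRegion: UK' '    region: US' > "$sample"
check_manifest "$sample" || echo "fix the manifest before running oc apply"
rm -f "$sample"
```
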
Step 3: Verify the installation
- Verify whether OpenShift Routes for cert-manager is successfully installed by running the following command:

  ```
  oc get venafiinstall,pods
  ```

  Sample output:

  ```
  NAME                                                   STATUS   LAST SYNC
  venafiinstall.installer.venafi.com/venafi-components   Synced   4s

  NAME                                           READY   STATUS    RESTARTS   AGE
  pod/cert-manager-74665849cd-rc66t              1/1     Running   0          44s
  pod/cert-manager-cainjector-599d6c48b9-j6jf6   1/1     Running   0          44s
  pod/cert-manager-webhook-7546d64c9c-mtzfb      1/1     Running   0          44s
  pod/openshift-routes-6657989644-cdgzm          1/1     Running   0          19s
  pod/vcp-operator-6f76c5fb67-z2cm2              1/1     Running   0          5d10h
  ```