Acquiring Venafi OCI registry credentials¶

The Venafi OCI (Open Container Initiative) registries store container images, Helm charts, and other artifacts, ensuring secure and streamlined operation within your Kubernetes infrastructure.

There are two ways to acquire credentials to access the registry:

• Using the Venafi Control Plane UI
• Using the Venafi CLI tool

Using the Venafi Control Plane UI¶

Create a service account for accessing the Venafi OCI Registry and follow the instructions in the service account creation wizard.

Using the Venafi CLI tool¶

This procedure requires the jq tool to be installed.

1. Download and install the relevant version of the Venafi CLI tool for your platform.

2. Obtain your API key:

   1. Sign into Venafi Control Plane.
   2. Click your Account Icon on the top right of the UI, and go to Preferences > API to copy your API key.

3. Fetch your credentials. Generate and choose the credentials' format:

   venctl iam service-accounts registry create --name "My Image Pull Secret" \
     --scopes enterprise-cert-manager,enterprise-venafi-issuer,enterprise-approver-policy \
     --credential-format dockerconfig \
     --credential-file credentials.json \
     --validity 365 \
     --api-key xyz
   

4. Use the cat and jq commands to extract the credentials:

   cat credentials.json | jq -r .image_pull_secret > venafi_registry_docker_config.json
   

Installing credentials to a namespace¶

1. If it doesn't exist, create the venafi namespace:

   kubectl create ns venafi
   

2. Use the credential file obtained earlier (venafi_registry_docker_config.json) to create a Kubernetes secret in the specified namespace:

   kubectl create secret docker-registry venafi-image-pull-secret --namespace venafi --from-file .dockerconfigjson=venafi_registry_docker_config.json
   

Next steps¶

• Configuring access to Venafi OCI Registry