Skip to content

Acquiring Venafi OCI registry credentials

The Venafi OCI (Open Container Initiative) registries store container images, Helm charts, and other artifacts, ensuring secure and streamlined operation within your Kubernetes infrastructure.

There are two ways to acquire credentials to access the registry:

  • Using the Venafi Control Plane UI
  • Using the Venafi CLI tool

Using the Venafi Control Plane UI

Create a service account for accessing the Venafi OCI Registry and follow the instructions in the service account creation wizard.

Using the Venafi CLI tool

This procedure requires the jq tool to be installed.

  1. Download and install the relevant version of the Venafi CLI tool for your platform.

  2. Obtain your API key:

    1. Sign into Venafi Control Plane.
    2. Click your Account Icon on the top right of the UI, and go to Preferences > API to copy your API key.
  3. Fetch your credentials. Generate and choose the credentials' format:

    venctl iam service-accounts registry create --name "My Image Pull Secret" \
      --scopes enterprise-cert-manager,enterprise-venafi-issuer,enterprise-approver-policy \
      --credential-format dockerconfig \
      --credential-file credentials.json \
      --validity 365 \
      --api-key xyz
  4. Use the cat and jq commands to extract the credentials:

    cat credentials.json | jq -r .image_pull_secret > venafi_registry_docker_config.json


The default credentials format is json, but you can use the --credential-format flag to set it to secret or dockerconfig(as in the example above).

For more information see the Venafi CLI tool reference page.

Installing credentials to a namespace

  1. If it doesn't exist, create the venafi namespace:

    kubectl create ns venafi
  2. Use the credential file obtained earlier (venafi_registry_docker_config.json) to create a Kubernetes secret in the specified namespace:

    kubectl create secret docker-registry venafi-image-pull-secret --namespace venafi --from-file .dockerconfigjson=venafi_registry_docker_config.json


You can use any name for the secret, this documentation uses venafi-image-pull-secret throughout for convenience.

Next steps