Skip to content

Installing Trust Manager using Helm

The Helm install comes with a publicly trusted certificate bundle package (for theuseDefaultCAs source) derived from Debian containers.

Important

If you use your own registry, which replicates the Venafi images, replace the address of your own registry in any of the relevant commands given on this page.

Step 1: Configure access to the Venafi OCI registry

Configure access to the Venafi OCI registry. Follow the instructions in Configuring access to the Venafi OCI Registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.

The sample file below, for example, assumes you created a Kubernetes Secret using venafi as the namespace and venafi-image-pull-secret as the name of the secret.

Step 2: Install cert-manager using Helm

If you are running Trust Manager in a production environment, it is highly recommended that you also install cert-manager, as it will handle the rotation of the certificates used by Trust Manager.

Note

As of release v.0.12.0, it is possible to install Trust Manager without cert-manager thanks to Helm's inbuilt support for generating certificates. However, this is not recommended for production environments. If you want to install stand-alone Trust Manager you can omit this step. Learn more

  1. To install cert-manager in the venafi namespace, and configure it to use the pull-secret, create a file cert-manager.values.yaml containing the following content.

    A sample cert-manager.values.yaml for users of the US region OCI registry:

    cert-manager.values.yaml
    global:
  imagePullSecrets:
    - name: venafi-image-pull-secret

crds:
  enabled: true

image:
  repository: private-registry.venafi.cloud/cert-manager/cert-manager-controller

acmesolver:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver

webhook:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-webhook

cainjector:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector

startupapicheck:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck

    A sample cert-manager.values.yaml for users of the EU region OCI registry:

    cert-manager.values.yaml
    global:
  imagePullSecrets:
    - name: venafi-image-pull-secret

crds:
  enabled: true

image:
  repository: private-registry.venafi.eu/cert-manager/cert-manager-controller

acmesolver:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver

webhook:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-webhook

cainjector:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-cainjector

startupapicheck:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck

    A sample cert-manager.values.yaml for users with their own OCI registry:

    cert-manager.values.yaml
    global:
  imagePullSecrets:
    - name: venafi-image-pull-secret

crds:
  enabled: true

image:
  repository: myregistry.example.com/cert-manager/cert-manager-controller

acmesolver:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-acmesolver

webhook:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-webhook

cainjector:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-cainjector

startupapicheck:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-startupapicheck

    Note

    As of cert-manager v1.15.0, the installCRDs value is deprecated in favor of crds.enabled.

  2. Use Helm to install the software and wait for it to be ready:

    helm upgrade cert-manager oci://registry.venafi.cloud/charts/cert-manager \
  --install \
  --wait \
  --create-namespace \
  --namespace venafi \
  --values cert-manager.values.yaml \
  --version v1.16.1

    Note

    For more information about Helm support for OCI package distribution, see the Helm documentation.

Step 3: Install Trust Manager using Helm

  1. Create a trust-manager.values.yaml file to define any Helm values you require. For example:

    app:
  trust:
    namespace: venafi
image:
  repository: private-registry.venafi.cloud/trust-manager/trust-manager
defaultPackageImage:
  repository: private-registry.venafi.cloud/trust-manager/cert-manager-package-debian
imagePullSecrets:
- name: venafi-image-pull-secret

    For more information on the available Helm values for Trust Manager, see Trust Manager Helm values.

  2. Type the following command:

    helm upgrade trust-manager oci://registry.venafi.cloud/charts/trust-manager \
  --install \
  --wait \
  --namespace venafi \
  --values trust-manager.values.yaml \
  --version v0.13.0

    Note

    For more information about Helm support for OCI package distribution, see the Helm documentation.

    Installing Trust Manager without cert-manager

    If you want to install Trust Manager without also installing cert-manager, you can omit step 2 above and replace step 3.2 with the following:

    helm upgrade trust-manager oci://registry.venafi.cloud/charts/trust-manager \
  --install \
  --wait \
  --namespace venafi \
  --values trust-manager.values.yaml \
  --version v0.13.0 \
  --set app.webhook.tls.helmCert.enabled=true

    This functionality is only available in Trust Manager v.0.12.0 or later, and is not recommended for production environments.

How to uninstall Trust Manager using Helm

To uninstall Trust Manager installed via Helm, run the following command:

helm uninstall trust-manager --namespace venafi

These resources were kept due to the resource policy:
[CustomResourceDefinition] bundles.trust.cert-manager.io

release "trust-manager" uninstalled

As shown in the output, the CustomResourceDefinition for Bundle is not removed by the Helm uninstall command. This prevents data loss, as removing the CustomResourceDefinition would also remove all Bundle resources.

This command does not, by design, delete any CRDs. To do that you must also apply the following command:

kubectl delete crd bundles.trust.cert-manager.io

Warning

Trust Manager versions prior to v0.9.0 do not keep the CustomResourceDefinition on uninstall, and will remove all Bundle resources from the cluster. If you are using a version prior to v0.9.0, make sure to back up your Bundle resources before uninstalling Trust Manager. Alternatively, upgrade to v0.9.0 before uninstalling.

Secret targets

Secret targets are supported in Trust Manager v0.7.0 or later, but you must explicitly enable them on the controller. Enable this feature using the --set secretTargets.enabled=true Helm value. Because the controller needs RBAC to read and update secrets, you also need to set secretTargets.authorizedSecretsAll or secretTargets.authorizedSecrets.

Approver Policy / Approver Policy Enterprise integration

If you're running Approver Policy or Approver Policy Enterprise, the cert-manager's default approver will be disabled. This means that Trust Manager's webhook certificate will - by default - block when you install the Helm chart until it's manually approved.

As of Trust Manager v0.6.0, you can choose to automatically add an Approver Policy CertificateRequestPolicy that will approve the Trust Manager webhook certificate by adding the --set app.webhook.tls.approverPolicy.enabled=true flag to the Helm upgrade command if using Approver Policy or Approver Policy Enterprise.