Installing Trust Manager using Helm

The Helm install comes with a publicly trusted certificate bundle package (for the useDefaultCAs source) derived from Debian containers.

Important

If you use your own registry, which mirrors the Venafi images, substitute the address of your own registry in every relevant command on this page.

Step 1: Configure access to the Venafi OCI registry

Configure access to the Venafi OCI registry. Follow the instructions in Configuring access to the Venafi OCI Registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.

The sample file below, for example, assumes you created a Kubernetes Secret using venafi as the namespace and venafi-image-pull-secret as the name of the secret.
Step 2: Install cert-manager using Helm

If you are running Trust Manager in a production environment, it is highly recommended that you also install cert-manager, as it handles the rotation of the certificates used by Trust Manager.

Note

As of release v0.12.0, it is possible to install Trust Manager without cert-manager thanks to Helm's built-in support for generating certificates. However, this is not recommended for production environments. If you want to install stand-alone Trust Manager, you can omit this step. See Installing Trust Manager without cert-manager below.

1. To install cert-manager in the venafi namespace and configure it to use the pull secret, create a file named cert-manager.values.yaml containing the following content.

A sample cert-manager.values.yaml for users of the US region OCI registry:

```yaml
global:
  imagePullSecrets:
    - name: venafi-image-pull-secret
crds:
  enabled: true
image:
  repository: private-registry.venafi.cloud/cert-manager/cert-manager-controller
acmesolver:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver
webhook:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-webhook
cainjector:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector
startupapicheck:
  image:
    repository: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck
```

A sample cert-manager.values.yaml for users of the EU region OCI registry:

```yaml
global:
  imagePullSecrets:
    - name: venafi-image-pull-secret
crds:
  enabled: true
image:
  repository: private-registry.venafi.eu/cert-manager/cert-manager-controller
acmesolver:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver
webhook:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-webhook
cainjector:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-cainjector
startupapicheck:
  image:
    repository: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck
```

A sample cert-manager.values.yaml for users with their own OCI registry:

```yaml
global:
  imagePullSecrets:
    - name: venafi-image-pull-secret
crds:
  enabled: true
image:
  repository: myregistry.example.com/cert-manager/cert-manager-controller
acmesolver:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-acmesolver
webhook:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-webhook
cainjector:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-cainjector
startupapicheck:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-startupapicheck
```

Note

As of cert-manager v1.15.0, the installCRDs value is deprecated in favor of crds.enabled.

2. Use Helm to install the software and wait for it to be ready:

```shell
helm upgrade cert-manager oci://registry.venafi.cloud/charts/cert-manager \
  --install \
  --wait \
  --create-namespace \
  --namespace venafi \
  --values cert-manager.values.yaml \
  --version v1.16.2
```

Note

For more information about Helm support for OCI package distribution, see the Helm documentation.
Step 3: Install Trust Manager using Helm

1. Create a trust-manager.values.yaml file to define any Helm values you require. For example:

```yaml
app:
  trust:
    namespace: venafi
image:
  repository: private-registry.venafi.cloud/trust-manager/trust-manager
defaultPackageImage:
  repository: private-registry.venafi.cloud/trust-manager/cert-manager-package-debian
imagePullSecrets:
  - name: venafi-image-pull-secret
```

For more information on the available Helm values for Trust Manager, see Trust Manager Helm values.

2. Run the following command:

```shell
helm upgrade trust-manager oci://registry.venafi.cloud/charts/trust-manager \
  --install \
  --wait \
  --namespace venafi \
  --values trust-manager.values.yaml \
  --version v0.14.0
```

Note

For more information about Helm support for OCI package distribution, see the Helm documentation.
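The values files in steps 2 and 3 pin every image to the registry you chose, so a quick post-install check is to confirm that nothing in the namespace was pulled from anywhere else and that the pull secret the values reference actually exists. The script below is an added example, not code from the Venafi docs or the trust-manager project; it assumes the namespace venafi and the secret venafi-image-pull-secret used on this page, and takes the registry prefix (private-registry.venafi.cloud, private-registry.venafi.eu or your own mirror) as an argument.

```shell
#!/bin/sh
# Added post-install check (not from the Venafi docs or trust-manager).
# Verifies that every container image running in the install namespace was
# pulled from the configured registry and that the image pull secret exists.
# Assumed names: namespace "venafi", secret "venafi-image-pull-secret".

# images_outside_registry REGISTRY IMAGE...
# Prints every image reference that does not start with "REGISTRY/" and
# returns 1 if any were found, 0 if all images come from REGISTRY.
# Pure function: it never touches a cluster, so it can be exercised with
# constructed input. The trailing slash matters: a look-alike host such as
# REGISTRY.something is rejected.
images_outside_registry() {
  registry="$1"; shift
  bad=0
  for image in "$@"; do
    case "$image" in
      "$registry"/*) ;;   # pulled from the expected registry
      *) printf 'unexpected image source: %s\n' "$image"; bad=1 ;;
    esac
  done
  return "$bad"
}

# check_cluster_images REGISTRY [NAMESPACE]
# Collects the image of every init container and container of every pod in
# the namespace and runs the list through images_outside_registry.
check_cluster_images() {
  registry="$1"; ns="${2:-venafi}"
  images=$(kubectl get pods -n "$ns" -o jsonpath='{range .items[*]}{range .spec.initContainers[*]}{.image}{"\n"}{end}{range .spec.containers[*]}{.image}{"\n"}{end}{end}')
  # shellcheck disable=SC2086  # splitting on newlines is intended here
  images_outside_registry "$registry" $images
}

# check_pull_secret [NAMESPACE] [SECRET]
# Confirms the pull secret exists and is a docker registry credential.
check_pull_secret() {
  ns="${1:-venafi}"; secret="${2:-venafi-image-pull-secret}"
  kind=$(kubectl get secret "$secret" -n "$ns" -o jsonpath='{.type}') || return 1
  [ "$kind" = "kubernetes.io/dockerconfigjson" ] || {
    printf 'secret %s/%s has type %s, expected kubernetes.io/dockerconfigjson\n' \
      "$ns" "$secret" "$kind"
    return 1
  }
}

# Usage: sh check-install.sh run [REGISTRY]
# The live checks only run when "run" is given, so the file can also be
# sourced for the pure function alone.
if [ "${1:-}" = "run" ]; then
  check_pull_secret venafi venafi-image-pull-secret
  check_cluster_images "${2:-private-registry.venafi.cloud}" venafi
fi
```

Run it after `helm upgrade ... --wait` returns; a non-zero exit with an "unexpected image source" line means a pod in the namespace is not using the repository overrides from your values file, which is the first thing to fix when mirroring images into a private registry.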
Installing Trust Manager without cert-manager

If you want to install Trust Manager without also installing cert-manager, you can omit step 2 above and replace step 3.2 with the following:

```shell
helm upgrade trust-manager oci://registry.venafi.cloud/charts/trust-manager \
  --install \
  --wait \
  --namespace venafi \
  --values trust-manager.values.yaml \
  --version v0.14.0 \
  --set app.webhook.tls.helmCert.enabled=true
```

This functionality is only available in Trust Manager v0.12.0 or later, and is not recommended for production environments.
How to uninstall Trust Manager using Helm

To uninstall Trust Manager installed via Helm, run the following command:

```shell
helm uninstall trust-manager --namespace venafi
```

```text
These resources were kept due to the resource policy:
[CustomResourceDefinition] bundles.trust.cert-manager.io
release "trust-manager" uninstalled
```

As shown in the output, the CustomResourceDefinition for Bundle is not removed by the Helm uninstall command. This prevents data loss, as removing the CustomResourceDefinition would also remove all Bundle resources.

This command does not, by design, delete any CRDs. To do that, you must also run the following command:

```shell
kubectl delete crd bundles.trust.cert-manager.io
```

Warning

Trust Manager versions prior to v0.9.0 do not keep the CustomResourceDefinition on uninstall, and will remove all Bundle resources from the cluster. If you are using a version prior to v0.9.0, make sure to back up your Bundle resources before uninstalling Trust Manager. Alternatively, upgrade to v0.9.0 before uninstalling.
Secret targets

Secret targets are supported in Trust Manager v0.7.0 or later, but you must explicitly enable them on the controller. Enable this feature using the --set secretTargets.enabled=true Helm value. Because the controller needs RBAC to read and update secrets, you also need to set secretTargets.authorizedSecretsAll or secretTargets.authorizedSecrets.
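Of the two RBAC options, secretTargets.authorizedSecrets is the least-privilege one: it limits the controller to the named Secrets, whereas secretTargets.authorizedSecretsAll lets it read and update any Secret in any namespace. The script below is an added example, not code from the Venafi docs or the trust-manager project: it renders the values fragment for the restricted form together with a Bundle that writes the default CA package into a Secret target. The Bundle name example-ca-bundle, the key ca-certificates.crt and the namespace label trust=enabled are constructed for the example; trust-manager names the target Secret after the Bundle, which is why the same name appears in authorizedSecrets.

```shell
#!/bin/sh
# Added example (not from the Venafi docs or the trust-manager project):
# Secret targets enabled with the controller's RBAC limited to one Secret.
# Constructed names: Bundle/Secret "example-ca-bundle", key
# "ca-certificates.crt", namespace label trust=enabled.

# Values fragment to merge into trust-manager.values.yaml. authorizedSecrets
# lists the only Secret names the controller may read and update;
# authorizedSecretsAll: true would instead cover every Secret cluster-wide.
secret_targets_values() {
  cat <<'EOF'
secretTargets:
  enabled: true
  authorizedSecretsAll: false
  authorizedSecrets:
    - example-ca-bundle
EOF
}

# bundle_manifest NAME [KEY]
# A Bundle built from the default CA package (useDefaultCAs), written to a
# Secret named NAME under KEY in every namespace labelled trust=enabled.
bundle_manifest() {
  name="$1"; key="${2:-ca-certificates.crt}"
  cat <<EOF
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: ${name}
spec:
  sources:
    - useDefaultCAs: true
  target:
    secret:
      key: ${key}
    namespaceSelector:
      matchLabels:
        trust: enabled
EOF
}

# bundle_is_authorized NAME
# Returns 0 if NAME is listed in authorizedSecrets. A Bundle whose name is
# missing from the list would target a Secret the controller's RBAC does not
# cover, so check before applying it.
bundle_is_authorized() {
  secret_targets_values | grep -qx "    - $1"
}

# Usage, once the values are merged and the chart upgraded:
#   bundle_is_authorized example-ca-bundle \
#     && bundle_manifest example-ca-bundle | kubectl apply -f -
```

Adding a second Bundle with a Secret target means adding its name to authorizedSecrets and upgrading the release, since the RBAC rules are rendered from the values at install time.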
Approver Policy / Approver Policy Enterprise integration

If you're running Approver Policy or Approver Policy Enterprise, cert-manager's default approver is disabled. This means that, by default, Trust Manager's webhook certificate will block the Helm chart installation until it is manually approved.

As of Trust Manager v0.6.0, you can choose to automatically add an Approver Policy CertificateRequestPolicy that approves the Trust Manager webhook certificate by adding the --set app.webhook.tls.approverPolicy.enabled=true flag to the Helm upgrade command when using Approver Policy or Approver Policy Enterprise.