Installing Trust Manager
There are two methods for installing Trust Manager:
- Using the Venafi CLI tool
- Using Helm
Important
If you use your own registry that mirrors the Venafi images, substitute your own registry's address in any of the relevant commands on this page.
How to install Trust Manager using the Venafi CLI tool
The Venafi CLI tool offers the quickest and easiest method for installing Trust Manager.
- If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
- Initialize the Venafi Kubernetes Manifest tool:
  venctl components kubernetes manifest tool init
- Issue the following command to generate a Venafi Kubernetes manifest which, when applied, will install Trust Manager:
  venctl components kubernetes manifest generate --trust-manager --default-approver > helmfile.yaml
Note
If you don't want to use the default approver, you must install either Approver Policy or Approver Policy Enterprise by replacing the --default-approver flag with the --approver-policy or --approver-policy-enterprise flag as required. See Approver Policy / Approver Policy Enterprise integration below for more information.
Tip
Add the --trust-manager-values-files flag to point to the location of a trust-manager.values.yaml file if you want to define additional Helm values. For more information, see the venctl command reference page, the Secret Targets section below, and the Trust Manager Helm values page.
- To apply the manifest, use the following command:
  venctl components kubernetes manifest tool sync --file helmfile.yaml
For more information and options on using the Venafi CLI tool to install Trust Manager, see the Venafi CLI tool reference page.
Tip
To find out the current default version of Trust Manager (and all the Venafi Kubernetes components you can install with the Venafi CLI tool), use the venctl components kubernetes manifest print-versions command.
Tip
You can also use the venctl components kubernetes apply command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments. See venctl components kubernetes apply for more information on how to use the command with this component.
How to install Trust Manager using Helm
The Helm install comes with a publicly trusted certificate bundle package (for the useDefaultCAs source) derived from Debian containers.
- Create a trust-manager.values.yaml file to define any Helm values you require. For example:
  app:
    trust:
      namespace: venafi
  image:
    repository: private-registry.venafi.cloud/trust-manager/trust-manager
  defaultPackageImage:
    repository: private-registry.venafi.cloud/trust-manager/cert-manager-package-debian
  imagePullSecrets:
  - venafi-image-pull-secret
  For more information on the available Helm values for Trust Manager, see Trust Manager Helm values.
- Type the following command:
  helm upgrade trust-manager oci://registry.venafi.cloud/charts/trust-manager \
    --install \
    --wait \
    --namespace venafi \
    --values trust-manager.values.yaml \
    --version v0.9.2
Note
For more information about Helm 3 support for OCI package distribution, see the Helm 3 documentation.
Secret targets
Secret targets are supported in Trust Manager v0.7.0 or later, but you must explicitly enable them on the controller. Enable this feature using the --set secretTargets.enabled=true Helm value. Because the controller needs RBAC to read and update secrets, you also need to set secretTargets.authorizedSecretsAll or secretTargets.authorizedSecrets.
Approver Policy / Approver Policy Enterprise integration
If you're running Approver Policy or Approver Policy Enterprise, then cert-manager's default approver is disabled. This means that, by default, Trust Manager's webhook certificate blocks the Helm chart installation until it is manually approved.
As of Trust Manager v0.6.0, if you are using Approver Policy or Approver Policy Enterprise, you can choose to automatically add an Approver Policy CertificateRequestPolicy that approves the Trust Manager webhook certificate by adding the --set app.webhook.tls.approverPolicy.enabled=true flag to the Helm upgrade command.
Note
If you've installed cert-manager to a different namespace, you'll need to pass that namespace in app.webhook.tls.approverPolicy.certManagerNamespace.
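As an added example (not Venafi's documentation or the chart's own defaults), the following trust-manager.values.yaml combines the settings this page discusses into one file: the private registry mirror and pull secret from the Helm section above, secret targets enabled with an allow-list of specific Secret names rather than the blanket secretTargets.authorizedSecretsAll grant, and the Approver Policy setting for the webhook certificate with cert-manager in a non-default namespace. The Bundle name internal-ca-bundle and the namespace cert-manager-system are assumptions made for this example.

```yaml
# trust-manager.values.yaml (added example; Bundle name and cert-manager namespace are assumptions)
app:
  trust:
    # Trust namespace from which Bundle sources are read (the Helm section above uses venafi)
    namespace: venafi
  webhook:
    tls:
      approverPolicy:
        # Auto-create a CertificateRequestPolicy that approves the webhook certificate,
        # so the install does not block when cert-manager's default approver is disabled (v0.6.0+)
        enabled: true
        # Only required when cert-manager is not in its default namespace (assumed value)
        certManagerNamespace: cert-manager-system

# Private registry mirror and pull secret, as in the Helm section above
image:
  repository: private-registry.venafi.cloud/trust-manager/trust-manager
defaultPackageImage:
  repository: private-registry.venafi.cloud/trust-manager/cert-manager-package-debian
imagePullSecrets:
- venafi-image-pull-secret

secretTargets:
  # Off by default (v0.7.0+); enabling it gives the controller RBAC on Secrets
  enabled: true
  # Keep the blanket grant off: authorizedSecretsAll lets the controller read and write every Secret
  authorizedSecretsAll: false
  # Allow-list instead. Each entry must match the metadata.name of a Bundle that uses a
  # spec.target.secret, because trust-manager writes that Bundle into a Secret of the same
  # name in every namespace the Bundle targets.
  authorizedSecrets:
  - internal-ca-bundle
```

Pass the file with --values trust-manager.values.yaml in the helm upgrade command from the Helm section, or point the venctl --trust-manager-values-files flag at it. Listing names under secretTargets.authorizedSecrets keeps the controller's Secret permissions scoped to the Bundles you actually write to Secrets; authorizedSecretsAll is the convenient but much broader option and is worth avoiding on clusters where other workloads' Secrets share the same namespaces.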