
Installing Trust Manager

There are two methods for installing Trust Manager:

  • Using the Venafi CLI tool
  • Using Helm


If you use your own registry to replicate the Venafi images, substitute the address of your own registry in the relevant commands on this page.

How to install Trust Manager using the Venafi CLI tool

The Venafi CLI tool offers the quickest and easiest method for installing Trust Manager.

  1. If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
  2. Initialize the Venafi Kubernetes Manifest tool:

    venctl components kubernetes manifest tool init
  3. Issue the following command to generate a Venafi Kubernetes manifest which, when applied, will install Trust Manager:

    venctl components kubernetes manifest generate --trust-manager --default-approver > helmfile.yaml


    If you don't want to use the default approver, you must install either Approver Policy or Approver Policy Enterprise by replacing the --default-approver flag with the --approver-policy or --approver-policy-enterprise flags as required. See Approver Policy / Approver Policy Enterprise integration below for more information.


    Add the --trust-manager-values-files flag to point to the location of a trust-manager.values.yaml file if you want to define additional Helm values. For more information, see the venctl command reference page, the Secret Targets section below, and the Trust Manager Helm values page.

  4. To apply the manifest, use the following command:

    venctl components kubernetes manifest tool sync --file helmfile.yaml

    For more information and options on using the Venafi CLI tool to install Trust Manager, see the Venafi CLI tool reference page.


    To find out the current default version of Trust Manager (and all the Venafi Kubernetes components you can install with the Venafi CLI tool), use the venctl components kubernetes manifest print-versions command.


You can also use the venctl components kubernetes apply command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments.

See venctl components kubernetes apply for more information on how to use the command with this component.

How to install Trust Manager using Helm

The Helm install comes with a publicly trusted certificate bundle package (for the useDefaultCAs source) derived from Debian containers.

  1. Create a trust-manager.values.yaml file to define any Helm values you require. For example:

            namespace: venafi
    - venafi-image-pull-secret

    For more information on the available Helm values for Trust Manager, see Trust Manager Helm values.

  2. Type the following command:

    helm upgrade trust-manager oci:// \
      --install \
      --wait \
      --namespace venafi \
      --values trust-manager.values.yaml \
      --version v0.9.2


    For more information about Helm 3 support for OCI package distribution, see the Helm 3 documentation.

Secret targets

Secret targets are supported in Trust Manager v0.7.0 or later, but you must explicitly enable them on the controller. Enable this feature using the --set secretTargets.enabled=true Helm value. Because the controller needs RBAC to read and update secrets, you also need to set secretTargets.authorizedSecretsAll or secretTargets.authorizedSecrets.
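
The following trust-manager.values.yaml fragment is an added example, not taken from the Venafi documentation. It enables secret targets while keeping the controller's Secret permissions limited to named Secrets. The Secret name internal-ca-bundle is a constructed placeholder.

```yaml
# trust-manager.values.yaml (added example)
secretTargets:
  # Secret targets are off unless explicitly enabled (Trust Manager v0.7.0 or later).
  enabled: true

  # Broad setting: grants the controller RBAC to read and update every Secret
  # in the cluster. Shown commented out for comparison only.
  # authorizedSecretsAll: true

  # Narrow setting: the controller may only read and update Secrets with the
  # names listed here, so a compromised controller cannot touch unrelated Secrets.
  authorizedSecretsAll: false
  authorizedSecrets:
    - internal-ca-bundle   # constructed name; use the Secret name your Bundle targets
```

Pass the file with --values trust-manager.values.yaml in the Helm command, or with --trust-manager-values-files when generating the manifest with venctl.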

Approver Policy / Approver Policy Enterprise integration

If you're running Approver Policy or Approver Policy Enterprise, cert-manager's default approver is disabled. This means that, by default, Trust Manager's webhook certificate blocks the Helm chart installation until it's manually approved.

As of Trust Manager v0.6.0, if you use Approver Policy or Approver Policy Enterprise, you can automatically add an Approver Policy CertificateRequestPolicy that approves the Trust Manager webhook certificate by adding the --set app.webhook.tls.approverPolicy.enabled=true flag to the Helm upgrade command.


If you've installed cert-manager to a different namespace, you'll need to pass that namespace in app.webhook.tls.approverPolicy.certManagerNamespace.