Installing Trust Manager¶

There are two methods for installing Trust Manager:

• Using the Venafi CLI tool
• Using Helm

How to install Trust Manager using the Venafi CLI tool¶

The Venafi CLI tool offers the quickest and easiest method for installing Trust Manager.

1. If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.

2. Initialize the Venafi Kubernetes Manifest tool:

   venctl components kubernetes manifest tool init
   

3. Issue the following command to generate a Venafi Kubernetes manifest which, when applied, will install Trust Manager:

   venctl components kubernetes manifest generate --trust-manager --default-approver > helmfile.yaml
   

   Note

   If you don't want to use the default approver, you must install either Approver Policy or Approver Policy Enterprise by replacing the --default-approver flag with the --approver-policy or --approver-policy-enterprise flags as required. See Approver Policy / Approver Policy Enterprise integration below for more information.

   Tip

   Add the --trust-manager-values-files flag to point to the location of a trust-manager.values.yaml file if you want to define additional Helm values. For more information, see the venctl command reference page, the Secret Targets section below, and the Trust Manager Helm values page.

4. To apply the manifest, use the following command:

   venctl components kubernetes manifest tool sync --file helmfile.yaml
   

   For more information and options on using the Venafi CLI tool to install Trust Manager, see the Venafi CLI tool reference page.

   Tip

   To find out the current default version of Trust Manager (and all the Venafi Kubernetes components you can install with the Venafi CLI tool), use the venctl components kubernetes manifest print-versions command.

How to install Trust Manager using Helm¶

The Helm install comes with a publicly trusted certificate bundle package (for theuseDefaultCAs source) derived from Debian containers.

1. Create a trust-manager.values.yaml file to define any Helm values you require. For example:

   app:
       trust:
           namespace: venafi
   image:
       repository: private-registry.venafi.cloud/trust-manager/trust-manager
   defaultPackageImage:
       repository: private-registry.venafi.cloud/trust-manager/cert-manager-package-debian
   imagePullSecrets:
   - venafi-image-pull-secret
   

   For more information on the available Helm values for Trust Manager, see Trust Manager Helm values.

2. Type the following command:

   helm upgrade trust-manager oci://registry.venafi.cloud/charts/trust-manager \
     --install \
     --wait \
     --namespace venafi \
     --values trust-manager.values.yaml \
     --version v0.9.2
   

   Note

   For more information about Helm 3 support for OCI package distribution, see the Helm 3 documentation.

Secret targets¶

Secret targets are supported in Trust Manager v0.7.0 or later, but you must explicitly enable them on the controller. Enable this feature using the --set secretTargets.enabled=true Helm value. Because the controller needs RBAC to read and update secrets, you also need to set secretTargets.authorizedSecretsAll or secretTargets.authorizedSecrets.

Approver Policy / Approver Policy Enterprise integration¶

If you're running Approver Policy or Approver Policy Enterprise then cert-manager's default approver will be disabled. This means that Trust Manager's webhook certificate will - by default - block when you install the Helm chart until it's manually approved.

As of Trust Manager v0.6.0, you can choose to automatically add an Approver Policy CertificateRequestPolicy that will approve the Trust Manager webhook certificate by adding the --set app.webhook.tls.approverPolicy.enabled=true flag to the Helm upgrade command if using Approver Policy or Approver Policy Enterprise.

Related links¶

• Trust Manager overview
• Trust Manager releases
• Installing cert-manager