
Installing Trust Manager using the Venafi Control Plane Operator

Venafi Control Plane Operator for Red Hat OpenShift is designed to assist customers in installing, maintaining, and upgrading Venafi cluster components.

Follow the steps below to deploy the default version of cert-manager and Trust Manager using the Venafi Control Plane Operator.

Prerequisites

To install Trust Manager using the Venafi Control Plane Operator, you'll need the following:

  • Access to the Venafi OCI registry (or your own mirror).
  • The Venafi Control Plane Operator is already installed in your cluster.
  • The Red Hat OpenShift CLI tool, oc, is installed on your workstation.

Step 1: Configure access to the Venafi OCI registry

Important

Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (the default scope for cert-manager is cert-manager Components). Use venafi as the namespace.

For the example below, it's assumed that you created the following Kubernetes Secret:

  • namespace: venafi
  • name: venafi-image-pull-secret

Step 2: Create and apply the manifest

  1. Create a manifest named venafi-components.yaml. Use one of the samples below: the first two pull from the Venafi OCI registry for the US and EU Venafi Control Plane regions respectively; the third pulls charts and images from your own mirror (customChartRepository and customImageRegistry):

    venafi-components.yaml
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals:
        enableDefaultApprover: false
        imagePullSecretNames: [venafi-image-pull-secret]
        namespace: venafi
        useFIPSImages: false
        vcpRegion: US
        region: US
      certManager: 
        install: true
      trustManager:
        install: true
        values: 
          tolerations: 
          - key: node-role.kubernetes.io/infra
            operator: Exists
            effect: NoSchedule
          - key: node-role.kubernetes.io/private
            operator: Exists
            effect: NoSchedule
        version: v0.15.0
    
    venafi-components.yaml
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals:
        enableDefaultApprover: false
        imagePullSecretNames: [venafi-image-pull-secret]
        namespace: venafi
        useFIPSImages: false
        vcpRegion: EU
        region: EU
      certManager: 
        install: true
      trustManager:
        install: true
        values: 
          tolerations: 
          - key: node-role.kubernetes.io/infra
            operator: Exists
            effect: NoSchedule
          - key: node-role.kubernetes.io/private
            operator: Exists
            effect: NoSchedule
        version: v0.15.0
    
    venafi-components.yaml
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals: 
        customChartRepository: oci://myregistry.example.com/charts
        customImageRegistry: myregistry.example.com
        enableDefaultApprover: false
        imagePullSecretNames: [venafi-image-pull-secret]
        namespace: venafi
        useFIPSImages: false
      certManager: 
        install: true
      trustManager:
        install: true
        values: 
          tolerations: 
          - key: node-role.kubernetes.io/infra
            operator: Exists
            effect: NoSchedule
          - key: node-role.kubernetes.io/private
            operator: Exists
            effect: NoSchedule
        version: v0.15.0
    

    Note

    Set the spec.certManager.skip parameter to true and the spec.certManager.install parameter to false if you have already installed and configured cert-manager.

    Tip

    For a complete list of Venafi Control Plane Operator configuration parameters, refer to the Venafi Control Plane Operator API reference.

  2. Apply the manifest by running the following command:

    oc apply -f venafi-components.yaml
    

Step 3: Verify the installation

  1. Verify that Trust Manager installed successfully by running the following command, and confirm that the VenafiInstall reports STATUS Synced and that the trust-manager pod is Running with READY 1/1:

    oc get venafiinstall,pods
    

    Sample output:

    NAME                                                   STATUS   LAST SYNC
    venafiinstall.installer.venafi.com/venafi-components   Synced   112s
    
    NAME                                           READY   STATUS    RESTARTS   AGE
    pod/cert-manager-6976949b6d-t5l8f              1/1     Running   0          2m50s
    pod/cert-manager-cainjector-6f55988c8f-m9kxv   1/1     Running   0          9m15s
    pod/cert-manager-webhook-75ddc44d97-wbm64      1/1     Running   0          9m15s
    pod/trust-manager-7877f6d8bd-zptmr             1/1     Running   0          2m47s
    pod/vcp-operator-6f76c5fb67-z2cm2              1/1     Running   2          5d8h
    

Secret targets

Secret targets are supported in Trust Manager v0.7.0 or later, but you must explicitly enable them on the controller with the secretTargets.enabled=true Helm value (for example, --set secretTargets.enabled=true). Because the controller needs RBAC to read and update Secrets, you must also set either secretTargets.authorizedSecretsAll or secretTargets.authorizedSecrets. The two are not equivalent: authorizedSecretsAll: true grants Trust Manager read and write access to every Secret in every namespace (the chart itself warns to use it with caution, and it overrides the authorizedSecrets list), whereas authorizedSecrets is a list of Secret names that Trust Manager may write, one for each Bundle that uses a Secret target (the target Secret has the same name as the Bundle). Prefer authorizedSecrets so that a compromise of the Trust Manager controller does not expose every Secret in the cluster.

If you use the Venafi Control Plane Operator to deploy Trust Manager, you can set these values using the values parameter in your venafi-components.yaml file. The values block is passed to the Helm chart as structured YAML, so nest the keys rather than writing dotted Helm paths such as secretTargets.enabled, and set only one of authorizedSecretsAll and authorizedSecrets. For example, authorizing Trust Manager to write only the Secret produced by a Bundle named trust-bundle:

venafi-components.yaml
...
  trustManager:
    install: true
    values:
      secretTargets:
        enabled: true
        authorizedSecrets:
        - trust-bundle

Approver Policy / Approver Policy Enterprise integration

If you're running Approver Policy or Approver Policy Enterprise, the cert-manager default approver is disabled (this is what enableDefaultApprover: false in the manifests above does). As a result, the CertificateRequest for Trust Manager's webhook certificate is not approved by anyone, so a Helm install of Trust Manager stalls on that certificate until a CertificateRequestPolicy matches it or you approve the request manually.

As of Trust Manager v0.6.0, you can have the chart create an Approver Policy CertificateRequestPolicy that approves the Trust Manager webhook certificate by adding --set app.webhook.tls.approverPolicy.enabled=true to the Helm upgrade command when you use Approver Policy or Approver Policy Enterprise.

If you are using the Venafi Control Plane Operator to deploy Trust Manager along with Approver Policy or Approver Policy Enterprise, you can set app.webhook.tls.approverPolicy.enabled in the values parameter in your venafi-components.yaml file. For example:

venafi-components.yaml
...
  trustManager:
    install: true
    values:
      app:
        webhook: 
          tls:
            approverPolicy:
              enabled: true

Note

If you've installed cert-manager to a different namespace than the chart's default (cert-manager), you'll need to pass that namespace in app.webhook.tls.approverPolicy.certManagerNamespace. With the manifests on this page, cert-manager runs in the namespace set by spec.globals.namespace, which is venafi.
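Putting together the variants this page describes separately (cert-manager already installed, Secret targets restricted to named Secrets, and the webhook certificate approved by Approver Policy), here is an added example manifest. It is not from the Venafi documentation or the trust-manager project. It assumes cert-manager and Approver Policy are already running in the venafi namespace, that the image pull secret is venafi-image-pull-secret as in Step 1, and it uses an assumed Bundle name (trust-bundle) and an assumed namespace label (trust.example.com/inject) for the target selector. The second document is a trust-manager Bundle, included to show which Secret name must appear in secretTargets.authorizedSecrets.

```yaml
# Added example, not from the Venafi docs or the trust-manager project.
# Assumes cert-manager and Approver Policy already run in the venafi namespace.
apiVersion: installer.venafi.com/v1alpha1
kind: VenafiInstall
metadata:
  name: venafi-components
spec:
  globals:
    enableDefaultApprover: false          # Approver Policy does the approving
    imagePullSecretNames: [venafi-image-pull-secret]
    namespace: venafi
    useFIPSImages: false
    vcpRegion: US
    region: US
  certManager:
    install: false                        # cert-manager is already installed and
    skip: true                            # configured, so the operator leaves it alone
  trustManager:
    install: true
    version: v0.15.0
    values:
      app:
        webhook:
          tls:
            approverPolicy:
              enabled: true               # CertificateRequestPolicy for the webhook cert
              certManagerNamespace: venafi  # cert-manager lives in spec.globals.namespace,
                                            # not the chart default (cert-manager)
      secretTargets:
        enabled: true
        authorizedSecretsAll: false       # never grant write access to every Secret
        authorizedSecrets:
        - trust-bundle                    # must equal the Bundle name below
---
# Bundle that writes the CA bundle to a Secret named after itself (trust-bundle)
# in every namespace carrying the assumed label trust.example.com/inject=true.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: trust-bundle
spec:
  sources:
  - useDefaultCAs: true                   # Trust Manager's packaged public CA set
  target:
    secret:
      key: ca-bundle.pem                  # key under which the PEM bundle is stored
    namespaceSelector:
      matchLabels:
        trust.example.com/inject: "true"
```

Apply both documents with oc apply -f, then check that the VenafiInstall reports Synced, that the trust-manager pod is Running, and that a Secret named trust-bundle appears only in namespaces that carry the label. If a Bundle is renamed or a second Bundle with a Secret target is added, its name must be appended to authorizedSecrets, otherwise Trust Manager's RBAC forbids the write and the Bundle reports an error instead of silently succeeding.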