Installing Trust Manager using the Venafi Control Plane Operator¶
Venafi Control Plane Operator for Red Hat OpenShift is designed to assist customers in installing, maintaining, and upgrading Venafi cluster components.
Follow the steps below to deploy the default version of cert-manager and Trust Manager using the Venafi Control Plane Operator.
Prerequisites¶
To install Trust Manager using the Venafi Control Plane Operator, you'll need the following:
- Access to the Venafi OCI registry (or your own mirror).
- You have Venafi Control Plane Operator already installed on your system.
- You have the Red Hat OpenShift CLI tool
ocinstalled on your system.
Step 1: Configure access to the Venafi OCI registry¶
Important
Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.
For the example below, it's assumed that you created the following Kubernetes Secret:
- namespace:
venafi - name:
venafi-image-pull-secret
Step 2: Create and apply the manifest¶
-
Create a manifest
venafi-components.yaml. You can use one of the samples below:venafi-components.yamlapiVersion: installer.venafi.com/v1alpha1 kind: VenafiInstall metadata: name: venafi-components spec: globals: enableDefaultApprover: false imagePullSecretNames: [venafi-image-pull-secret] namespace: venafi useFIPSImages: false vcpRegion: US region: US certManager: install: true trustManager: install: true values: tolerations: - key: node-role.kubernetes.io/infra operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/private operator: Exists effect: NoSchedule version: v0.12.0venafi-components.yamlapiVersion: installer.venafi.com/v1alpha1 kind: VenafiInstall metadata: name: venafi-components spec: globals: enableDefaultApprover: false imagePullSecretNames: [venafi-image-pull-secret] namespace: venafi useFIPSImages: false vcpRegion: EU region: EU certManager: install: true trustManager: install: true values: tolerations: - key: node-role.kubernetes.io/infra operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/private operator: Exists effect: NoSchedule version: v0.12.0venafi-components.yamlapiVersion: installer.venafi.com/v1alpha1 kind: VenafiInstall metadata: name: venafi-components spec: globals: customChartRepository: oci://myregistry.example.com/charts customImageRegistry: myregistry.example.com enableDefaultApprover: false imagePullSecretNames: [venafi-image-pull-secret] namespace: venafi useFIPSImages: false certManager: install: true trustManager: install: true values: tolerations: - key: node-role.kubernetes.io/infra operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/private operator: Exists effect: NoSchedule version: v0.12.0Note
Set the
spec.certManager.skipparameter totrueand thespec.certManager.installparameter tofalseif you have already installed and configured cert-manager.Tip
For a complete list of Venafi Control Plane Operator configuration parameters, refer to the Venafi Control Plane Operator API reference.
-
Apply the manifest by running the following command:
oc apply -f venafi-components.yaml
Step 3: Verify the installation¶
-
Verify whether Trust Manager is successfully installed by running the following command:
oc get venafiinstall,podsSample output:
NAME STATUS LAST SYNC venafiinstall.installer.venafi.com/venafi-components Synced 112s NAME READY STATUS RESTARTS AGE pod/cert-manager-6976949b6d-t5l8f 1/1 Running 0 2m50s pod/cert-manager-cainjector-6f55988c8f-m9kxv 1/1 Running 0 9m15s pod/cert-manager-webhook-75ddc44d97-wbm64 1/1 Running 0 9m15s pod/trust-manager-7877f6d8bd-zptmr 1/1 Running 0 2m47s pod/vcp-operator-6f76c5fb67-z2cm2 1/1 Running 2 5d8h
Secret targets¶
Secret targets are supported in Trust Manager v0.7.0 or later, but you must explicitly enable them on the controller. Enable this feature using the --set secretTargets.enabled=true Helm value. Because the controller needs RBAC to read and update secrets, you also need to set secretTargets.authorizedSecretsAll or secretTargets.authorizedSecrets.
If you use the Venafi Control Plane Operator to deploy Trust Manager, you can set these values using the values parameter in your venafi-components.yaml file. For example:
...
trustManager:
install: true
values:
secretTargets.enabled: true
secretTargets.authorizedSecretsAll: true
secretTargets.authorizedSecrets: true
Approver Policy / Approver Policy Enterprise integration¶
If you're running Approver Policy or Approver Policy Enterprise, the cert-manager's default approver will be disabled. This means that Trust Manager's webhook certificate will - by default - block when you install the Helm chart until it's manually approved.
As of Trust Manager v0.6.0, you can choose to automatically add an Approver Policy CertificateRequestPolicy that will approve the Trust Manager webhook certificate by adding the --set app.webhook.tls.approverPolicy.enabled=true flag to the Helm upgrade command if using Approver Policy or Approver Policy Enterprise.
If you are using the Venafi Control Plane Operator to deploy Trust Manager along with Approver Policy or Approver Policy Enterprise, you can set app.webhook.tls.approverPolicy.enabled in the values parameter in your venafi-components.yaml file. For example:
...
trustManager:
install: true
values:
app:
webhook:
tls:
approverPolicy:
enabled: true
Note
If you've installed cert-manager to a different namespace, you'll need to pass that namespace in app.webhook.tls.approverPolicy.certManagerNamespace.