Installing Trust Manager using the CLI tool for CyberArk Certificate Manager
The CLI tool for CyberArk Certificate Manager offers the quickest and easiest method for installing Trust Manager.
Step 1: Configure access to the CyberArk OCI registry
If installing the component from a CyberArk OCI registry, follow the instructions in Configuring access to the CyberArk OCI Registry to enable access to the artifacts required for this component. Use venafi as the namespace.
Step 2: Generate the CyberArk Kubernetes manifest
- If not already installed, download and install the relevant version of the CLI tool for CyberArk Certificate Manager for your platform.
- Issue the following command to generate a CyberArk Kubernetes manifest which, when applied, will install Trust Manager.

  A sample command for users of the US region OCI registry:

  ```shell
  venctl components kubernetes manifest generate --region us --trust-manager --default-approver > venafi-components.yaml
  ```

  Note: By default, the CLI tool for CyberArk Certificate Manager will choose a trust package based on the version of Trust Manager being installed. If you want to specify a trust package manually, you must set both the `defaultPackageImage.repository` and `defaultPackageImage.tag` values. For more information about trust packages, see cert-manager.io.

  Regional registries: The example above uses the US-based OCI registry. Tenants in the following Certificate Manager - SaaS regions must use this registry: US, Canada, Australia, and Singapore. Tenants in the EU and UK must use the EU registry: private-registry.venafi.eu. For more information on Venafi OCI registries, see Configuring access to a Venafi OCI Registry.

  A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

  ```shell
  venctl components kubernetes manifest generate \
    --region custom \
    --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
    --cert-manager-custom-image-registry myregistry.example.com \
    --default-approver \
    --trust-manager \
    --trust-manager-custom-chart-repository oci://myregistry.example.com/charts \
    --trust-manager-custom-image-registry myregistry.example.com > venafi-components.yaml
  ```

  Note: If you don't want to use the default approver, you must install either Approver Policy or Enterprise Approver Policy by replacing the `--default-approver` flag with the `--approver-policy` or `--approver-policy-enterprise` flag as required. See Approver Policy / Enterprise Approver Policy integration below for more information.

  Tip: Add the `--trust-manager-values-files` flag to point to the location of a `trust-manager.values.yaml` file if you want to define additional Helm values. For more information, see the venctl command reference page, the Secret targets section below, and the Trust Manager Helm values page.

- To apply the manifest, use the following command:

  ```shell
  venctl components kubernetes manifest tool sync --file venafi-components.yaml
  ```

  For more information and options on using the CLI tool for CyberArk Certificate Manager to install this component, see the CLI tool for CyberArk Certificate Manager reference page.

Tip: To find out the current default version of Trust Manager (and all the CyberArk Kubernetes components you can install with the CLI tool for CyberArk Certificate Manager), use the `venctl components kubernetes manifest print-versions` command.

Tip: You can also use the `venctl components kubernetes apply` command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments. See venctl components kubernetes apply for more information on how to use the command with this component.
Secret targets
Secret targets are supported in Trust Manager v0.7.0 or later, but you must explicitly enable them on the controller.
Secret targets must be enabled separately because they require that Trust Manager has permissions to read and write Secrets across the cluster, which is highly privileged.
- Enable this feature using the `secretTargets.enabled: true` Helm value in an additional `trust-manager.values.yaml` file. Because the controller needs RBAC to read and update Secrets, you also need to set `secretTargets.authorizedSecretsAll` or `secretTargets.authorizedSecrets`. For example, in `trust-manager.values.yaml`:

  ```yaml
  secretTargets:
    enabled: true
    authorizedSecretsAll: true
  ```

- You can add the extra Helm values file using the `venctl components kubernetes manifest generate` command. For example:

  A sample command for users of the US region OCI registry:

  ```shell
  venctl components kubernetes manifest generate \
    --region us \
    --trust-manager \
    --trust-manager-values-files trust-manager.values.yaml \
    --default-approver > venafi-components.yaml
  ```

  Regional registries: The example above uses the US-based OCI registry. Tenants in the following Certificate Manager - SaaS regions must use this registry: US, Canada, Australia, and Singapore. Tenants in the EU and UK must use the EU registry: private-registry.venafi.eu. For more information on Venafi OCI registries, see Configuring access to a Venafi OCI Registry.

  A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

  ```shell
  venctl components kubernetes manifest generate \
    --region custom \
    --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
    --cert-manager-custom-image-registry myregistry.example.com \
    --default-approver \
    --trust-manager \
    --trust-manager-values-files trust-manager.values.yaml \
    --trust-manager-custom-chart-repository oci://myregistry.example.com/charts \
    --trust-manager-custom-image-registry myregistry.example.com > venafi-components.yaml
  ```
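The values file above grants Trust Manager write access to every Secret in the cluster. As an added example (not from the original page or the Trust Manager project), the following limits that grant to a single named Secret via `secretTargets.authorizedSecrets` and pairs it with a hypothetical Bundle named `example-trust-bundle`; it relies on trust-manager writing each target Secret under the Bundle's own name, and the source Secret `internal-root-ca` is a constructed placeholder.

```yaml
# trust-manager.values.yaml (file name as used on this page)
# Allow trust-manager to read and write only Secrets named
# "example-trust-bundle", instead of every Secret in the cluster.
secretTargets:
  enabled: true
  authorizedSecretsAll: false
  authorizedSecrets:
    - example-trust-bundle
---
# example-trust-bundle.yaml (hypothetical Bundle). The target Secret is
# written under the Bundle's name, so it must match the list above.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: example-trust-bundle
spec:
  sources:
    # Publicly trusted CAs from the trust package selected at install time
    - useDefaultCAs: true
    # Constructed private CA, assumed to exist in the trust namespace
    - secret:
        name: internal-root-ca
        key: ca.crt
  target:
    secret:
      key: ca.crt
    # Only namespaces carrying this label receive the Secret
    namespaceSelector:
      matchLabels:
        trust: enabled
```

A Bundle with a Secret target whose name is not in `authorizedSecrets` will fail to sync, which is the intended guard against the controller being used to overwrite unrelated Secrets.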
Approver Policy / Enterprise Approver Policy integration
If you're running Approver Policy or Enterprise Approver Policy for CyberArk Certificate Manager then cert-manager's default approver will be disabled.
Unlike when installing with Helm, when you install the components with the CLI tool for CyberArk Certificate Manager there is no need to set the `app.webhook.tls.approverPolicy.enabled` Helm value yourself to add an Approver Policy CertificateRequestPolicy that approves the Trust Manager webhook certificate.
When you install Trust Manager with Approver Policy or Enterprise Approver Policy (as in the examples below), the `app.webhook.tls.approverPolicy.enabled` Helm value is set automatically by the CLI tool for CyberArk Certificate Manager:

```shell
# Installing Trust Manager with Approver Policy
venctl components kubernetes manifest generate --cert-manager --trust-manager --approver-policy

# Installing Trust Manager with Enterprise Approver Policy
venctl components kubernetes manifest generate --cert-manager --trust-manager --approver-policy-enterprise
```