Installing Trust Manager using the Venafi CLI tool

The Venafi CLI tool offers the quickest and easiest method for installing Trust Manager.

Step 1: Configure access to the Venafi OCI registry

If installing the component from a Venafi OCI registry, follow the instructions in Configuring access to the Venafi OCI Registry to enable access to the artifacts required for this component. Use venafi as the namespace.

Step 2: Generate the Venafi Kubernetes manifest

  1. If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
  2. Initialize the Venafi Kubernetes Manifest tool:

    venctl components kubernetes manifest tool init
    

    For more information on this command and its associated flags, see the venctl reference page.

  3. Issue the following command to generate a Venafi Kubernetes manifest which, when applied, will install Trust Manager:

    A sample command for users of the US region OCI registry:

    venctl components kubernetes manifest generate --region us --trust-manager --default-approver > venafi-components.yaml
    

    A sample command for users of the EU region OCI registry:

    venctl components kubernetes manifest generate --region eu --trust-manager --default-approver > venafi-components.yaml
    

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    venctl components kubernetes manifest generate \
      --region custom \
      --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
      --cert-manager-custom-image-registry myregistry.example.com \
      --default-approver \
      --trust-manager \
      --trust-manager-custom-chart-repository oci://myregistry.example.com/charts \
      --trust-manager-custom-image-registry myregistry.example.com > venafi-components.yaml
    

    Note

    If you don't want to use the default approver, you must install either Approver Policy or Approver Policy Enterprise by replacing the --default-approver flag with the --approver-policy or --approver-policy-enterprise flags as required. See Approver Policy / Approver Policy Enterprise integration below for more information.

    Tip

    Add the --trust-manager-values-files flag to point to the location of a trust-manager.values.yaml file if you want to define additional Helm values. For more information, see the venctl command reference page, the Secret Targets section below, and the Trust Manager Helm values page.

  4. To apply the manifest, use the following command:

    venctl components kubernetes manifest tool sync --file venafi-components.yaml
    

    For more information and options on using the Venafi CLI tool to install this component, see the Venafi CLI tool reference page.

    Tip

    To find out the current default version of Trust Manager (and all the Venafi Kubernetes components you can install with the Venafi CLI tool), use the venctl components kubernetes manifest print-versions command.

Tip

You can also use the venctl components kubernetes apply command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments.

See venctl components kubernetes apply for more information on how to use the command with this component.

Secret targets

Secret targets are supported in Trust Manager v0.7.0 or later, but you must explicitly enable them on the controller.

Secret targets must be enabled separately because they require that Trust Manager has permissions to read and write Secrets across the cluster, which is highly privileged.

  1. Enable this feature using the secretTargets.enabled: true Helm value in an additional trust-manager.values.yaml file. Because the controller needs RBAC to read and update secrets, you also need to set secretTargets.authorizedSecretsAll or secretTargets.authorizedSecrets. For example:

    trust-manager.values.yaml
    secretTargets:
      enabled: true
      authorizedSecretsAll: true
    
  2. You can add the extra helm values file using the venctl components kubernetes manifest generate command. For example:

    A sample command for users of the US region OCI registry:

    venctl components kubernetes manifest generate \
      --region us \
      --trust-manager \
      --trust-manager-values-files trust-manager.values.yaml \
      --default-approver > venafi-components.yaml
    

    A sample command for users of the EU region OCI registry:

    venctl components kubernetes manifest generate \
      --region eu \
      --trust-manager \
      --trust-manager-values-files trust-manager.values.yaml \
      --default-approver > venafi-components.yaml
    

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    venctl components kubernetes manifest generate \
      --region custom \
      --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
      --cert-manager-custom-image-registry myregistry.example.com \
      --default-approver \
      --trust-manager \
      --trust-manager-values-files trust-manager.values.yaml \
      --trust-manager-custom-chart-repository oci://myregistry.example.com/charts \
      --trust-manager-custom-image-registry myregistry.example.com > venafi-components.yaml
    
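The following script is an added example and is not part of the Venafi documentation or the venctl tool. It shows the least-privilege alternative to authorizedSecretsAll that the step above mentions: secretTargets.authorizedSecrets lists only the Secrets (one per Bundle) that Trust Manager may write. The script writes such a values file, writes a matching Bundle whose target is a Secret, and checks before running venctl that the values file does not grant cluster-wide Secret write access and that the Bundle's name is authorized. The Bundle name example-trust-bundle, the namespace label trust: enabled, the file paths, and the Bundle API fields (trust.cert-manager.io/v1alpha1, spec.target.secret.key) are assumptions of this example, not values taken from the page.

```shell
#!/bin/sh
# Added example, not Venafi's own code: least-privilege Secret targets for
# Trust Manager with a pre-generate check. Names and paths are constructed.
set -eu

# Least-privilege values file: secretTargets.authorizedSecrets names exactly
# the Secrets trust-manager may write (one per Bundle), so the controller is
# not granted read/write on every Secret in the cluster.
write_values() {
  cat > "$1" <<'EOF'
secretTargets:
  enabled: true
  authorizedSecrets:
    # one entry per Bundle whose target is a Secret (constructed name)
    - example-trust-bundle
EOF
}

# The broad form shown in the docs, kept for comparison: write on every Secret.
write_values_broad() {
  cat > "$1" <<'EOF'
secretTargets:
  enabled: true
  authorizedSecretsAll: true
EOF
}

# A Bundle whose target is a Secret. trust-manager writes the target Secret
# under the Bundle's own name, so that name must appear in authorizedSecrets.
# Bundle API fields are assumed from the trust-manager project, not this page.
write_bundle() {
  cat > "$1" <<'EOF'
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: example-trust-bundle
spec:
  sources:
    - useDefaultCAs: true
  target:
    secret:
      key: trust-bundle.pem
    namespaceSelector:
      matchLabels:
        trust: enabled
EOF
}

# Returns 0 when the values file does not grant cluster-wide Secret write.
values_is_least_privilege() {
  ! grep -Eq '^[[:space:]]*authorizedSecretsAll:[[:space:]]*true' "$1"
}

# Returns 0 when the named Bundle may have its Secret written: either it is
# listed under authorizedSecrets or authorizedSecretsAll is set.
bundle_is_authorized() {
  if grep -Eq '^[[:space:]]*authorizedSecretsAll:[[:space:]]*true' "$1"; then
    return 0
  fi
  grep -Eq "^[[:space:]]*-[[:space:]]*$2[[:space:]]*\$" "$1"
}

# metadata.name of the Bundle declared in a manifest (first name: line).
bundle_name() {
  sed -n 's/^[[:space:]]*name:[[:space:]]*//p' "$1" | head -n 1
}

workdir=$(mktemp -d)
write_values "$workdir/trust-manager.values.yaml"
write_bundle "$workdir/bundle.yaml"

name=$(bundle_name "$workdir/bundle.yaml")
values_is_least_privilege "$workdir/trust-manager.values.yaml" ||
  echo "warning: authorizedSecretsAll grants write access to every Secret" >&2
bundle_is_authorized "$workdir/trust-manager.values.yaml" "$name" ||
  { echo "error: Bundle $name is not listed in secretTargets.authorizedSecrets" >&2; exit 1; }

# Generate the manifest only when venctl is installed (same flags as the
# US-region command above); apply it afterwards with 'manifest tool sync'.
if command -v venctl >/dev/null 2>&1; then
  venctl components kubernetes manifest generate \
    --region us \
    --trust-manager \
    --trust-manager-values-files "$workdir/trust-manager.values.yaml" \
    --default-approver > "$workdir/venafi-components.yaml"
fi
```

The checks are deliberately line-oriented (grep and sed over the file you are about to hand to venctl) so they need nothing beyond a POSIX shell; if you generate values from a templating tool, run the same gate over its output rather than its input. Adding a Bundle later means adding its name to authorizedSecrets and regenerating the manifest, which is the cost of not granting authorizedSecretsAll.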

Approver Policy / Approver Policy Enterprise integration

If you're running Approver Policy or Approver Policy Enterprise, then cert-manager's default approver will be disabled.

Unlike a Helm installation, installing the components with the Venafi CLI tool does not require you to add an Approver Policy CertificateRequestPolicy that approves the Trust Manager webhook certificate by setting the app.webhook.tls.approverPolicy.enabled Helm value yourself.

When you install Trust Manager with Approver Policy/Approver Policy Enterprise (as in the examples below) the app.webhook.tls.approverPolicy.enabled Helm value is set automatically by the Venafi CLI tool:

# Installing Trust Manager with Approver Policy
venctl components kubernetes manifest generate --cert-manager --trust-manager --approver-policy

# Installing Trust Manager with Approver Policy Enterprise
venctl components kubernetes manifest generate --cert-manager --trust-manager --approver-policy-enterprise