Installing Trust Manager using the Venafi CLI tool
The Venafi CLI tool offers the quickest and easiest method for installing Trust Manager.
Step 1: Configure access to the Venafi OCI registry
If installing the component from a Venafi OCI registry, follow the instructions in Configuring access to the Venafi OCI Registry to enable access to the artifacts required for this component. Use venafi as the namespace.
Step 2: Generate the Venafi Kubernetes manifest
- If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
- Initialize the Venafi Kubernetes Manifest tool:
  venctl components kubernetes manifest tool init
  For more information on this command and its associated flags, see the venctl reference page.
- Issue the following command to generate a Venafi Kubernetes manifest which, when applied, will install Trust Manager.
  A sample command for users of the US region OCI registry:
  venctl components kubernetes manifest generate --region us --trust-manager --default-approver > venafi-components.yaml
  A sample command for users of the EU region OCI registry:
  venctl components kubernetes manifest generate --region eu --trust-manager --default-approver > venafi-components.yaml
  A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:
  venctl components kubernetes manifest generate \
    --region custom \
    --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
    --cert-manager-custom-image-registry myregistry.example.com \
    --default-approver \
    --trust-manager \
    --trust-manager-custom-chart-repository oci://myregistry.example.com/charts \
    --trust-manager-custom-image-registry myregistry.example.com > venafi-components.yaml
  Note
  If you don't want to use the default approver, you must install either Approver Policy or Approver Policy Enterprise by replacing the --default-approver flag with the --approver-policy or --approver-policy-enterprise flag as required. See Approver Policy / Approver Policy Enterprise integration below for more information.
  Tip
  Add the --trust-manager-values-files flag to point to the location of a trust-manager.values.yaml file if you want to define additional Helm values. For more information, see the venctl command reference page, the Secret targets section below, and the Trust Manager Helm values page.
- To apply the manifest, use the following command:
  venctl components kubernetes manifest tool sync --file venafi-components.yaml
For more information and options on using the Venafi CLI tool to install this component, see the Venafi CLI tool reference page.
Tip
To find out the current default version of Trust Manager (and all the Venafi Kubernetes components you can install with the Venafi CLI tool), use the venctl components kubernetes manifest print-versions command.
Tip
You can also use the venctl components kubernetes apply command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments. See venctl components kubernetes apply for more information on how to use the command with this component.
Secret targets
Secret targets are supported in Trust Manager v0.7.0 or later, but you must explicitly enable them on the controller.
Secret targets must be enabled separately because they require that Trust Manager has permissions to read and write Secrets across the cluster, which is highly privileged.
- Enable this feature using the secretTargets.enabled: true Helm value in an additional trust-manager.values.yaml file. Because the controller needs RBAC to read and update Secrets, you also need to set secretTargets.authorizedSecretsAll or secretTargets.authorizedSecrets. For example:
  trust-manager.values.yaml:
  secretTargets.enabled: true
  secretTargets.authorizedSecretsAll: true
- You can add the extra Helm values file using the venctl components kubernetes manifest generate command. For example:
  A sample command for users of the US region OCI registry:
  venctl components kubernetes manifest generate \
    --region us \
    --trust-manager \
    --trust-manager-values-files trust-manager.values.yaml \
    --default-approver > venafi-components.yaml
  A sample command for users of the EU region OCI registry:
  venctl components kubernetes manifest generate \
    --region eu \
    --trust-manager \
    --trust-manager-values-files trust-manager.values.yaml \
    --default-approver > venafi-components.yaml
  A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:
  venctl components kubernetes manifest generate \
    --region custom \
    --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
    --cert-manager-custom-image-registry myregistry.example.com \
    --default-approver \
    --trust-manager \
    --trust-manager-values-files trust-manager.values.yaml \
    --trust-manager-custom-chart-repository oci://myregistry.example.com/charts \
    --trust-manager-custom-image-registry myregistry.example.com > venafi-components.yaml
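Because secret targets give the controller cluster-wide Secret access, it is worth keeping the authorizedSecretsAll: true values file from the example above beside a scoped one and checking which you are about to pass to --trust-manager-values-files. The following POSIX sh script is an added example, not from the Venafi docs or the trust-manager project; it assumes the trust-manager chart's nested secretTargets.authorizedSecrets list value, and the Secret names in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Venafi docs or the trust-manager project.
# Writes the broad and the scoped secretTargets values files side by side
# and lints a values file before it is handed to venctl. Assumes the
# trust-manager chart's nested secretTargets.authorizedSecrets list;
# the Secret names below are constructed placeholders.
set -eu

# Broad grant: the controller may read and write every Secret in the cluster.
write_broad_values() {
  cat > "$1" <<'EOF'
secretTargets:
  enabled: true
  authorizedSecretsAll: true
EOF
}

# Scoped grant: only the Secrets named here (constructed example names).
write_scoped_values() {
  cat > "$1" <<'EOF'
secretTargets:
  enabled: true
  authorizedSecretsAll: false
  authorizedSecrets:
    - example-ca-bundle
    - example-ingress-trust
EOF
}

# Pre-flight check: returns 0 when the file keeps secret targets off or
# scoped to a named list, 1 when authorizedSecretsAll is true. Matches both
# the nested key and the dotted form shown on this page.
lint_secret_targets() {
  if grep -Eq '^[[:space:]]*(secretTargets\.)?authorizedSecretsAll:[[:space:]]*true' "$1"; then
    echo "REJECT: $1 grants read/write on all Secrets cluster-wide" >&2
    return 1
  fi
  echo "OK: $1 limits Trust Manager to named Secrets (or secret targets are off)"
}

# Only generate the manifest when the values file passes the lint (US region
# registry shown; swap --region and flags as in the commands above).
generate_manifest() {
  lint_secret_targets "$1"
  venctl components kubernetes manifest generate --region us \
    --trust-manager --trust-manager-values-files "$1" \
    --default-approver > venafi-components.yaml
}
```

Run generate_manifest trust-manager.values.yaml in place of the bare venctl command; the lint aborts the run before any manifest is written if the file grants access to all Secrets.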
Approver Policy / Approver Policy Enterprise integration
If you're running Approver Policy or Approver Policy Enterprise, then cert-manager's default approver will be disabled.
Unlike an installation with Helm, you do not need to set the app.webhook.tls.approverPolicy.enabled Helm value yourself to add an Approver Policy CertificateRequestPolicy that approves the Trust Manager webhook certificate when you install the components with the Venafi CLI tool.
When you install Trust Manager with Approver Policy or Approver Policy Enterprise (as in the examples below), the app.webhook.tls.approverPolicy.enabled Helm value is set automatically by the Venafi CLI tool:
# Installing Trust Manager with Approver Policy
venctl components kubernetes manifest generate --cert-manager --trust-manager --approver-policy
# Installing Trust Manager with Approver Policy Enterprise
venctl components kubernetes manifest generate --cert-manager --trust-manager --approver-policy-enterprise