Configuring Venafi Control Plane Operator

Configuring Venafi Control Plane Operator for Red Hat OpenShift is straightforward: you declare the components you want in VenafiInstall custom resources, and the Operator installs them.

Installing Venafi Kubernetes components using Venafi Control Plane Operator

When you install Venafi Control Plane Operator on your cluster, it creates a VenafiInstall CRD that you can use to manage the Venafi Kubernetes components you need.

You can configure Venafi Control Plane Operator to install the following Venafi Kubernetes components:

  • Approver Policy
  • Approver Policy Enterprise
  • cert-manager
  • CSI Driver
  • CSI Driver for SPIFFE
  • Venafi Firefly
  • Istio CSR
  • OpenShift Routes for cert-manager
  • Trust Manager
  • Venafi Kubernetes Agent
  • Venafi Enhanced Issuer

Configuring the Operator to install cert-manager

Follow the steps below to deploy the default version of cert-manager.

Step 1: Configure access to the Venafi OCI registry

Important

Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.

For the example below, it's assumed that you created the following Kubernetes Secret:

  • namespace: venafi
  • name: venafi-image-pull-secret

Step 2: Create an instance of VenafiInstall to deploy cert-manager

  1. Create a YAML file, for example, venafi-components.yaml, with the following content:

    venafi-components.yaml
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals:
        imagePullSecretNames: [venafi-image-pull-secret] # (1)!
      certManager:
        install: true
    
    1. The name of the image pull secret required to authenticate with the Venafi OCI registry.

    Tip

    For a complete list of Venafi Control Plane Operator configuration parameters, refer to the Venafi Control Plane Operator API reference.

  2. Apply the manifest by running the following command:

    oc apply -f venafi-components.yaml
    

Step 3: Verify the configuration

Verify that cert-manager is installed by listing the pods in the venafi namespace:

oc get pods -n venafi

Sample output:

NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-a317f649c4-dp632              1/1     Running   0          1m1s
cert-manager-cainjector-3125b8f897-g1adf   1/1     Running   0          1m7s
cert-manager-webhook-26228cbdd-f9121       1/1     Running   0          1m11s
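As an added example that is not part of the Venafi documentation, the following POSIX shell script turns the Step 3 check into something a pipeline can gate on: it parses the oc get pods -n venafi table, fails on any pod that is not Running with all of its containers ready (a Completed pod, such as a finished job, is accepted), and fails if any of the three cert-manager Deployments has no pod at all. The Deployment names are assumed to be the cert-manager defaults; the two tables are constructed samples, the first copied from the output above and the second simulating a crash-looping webhook and a missing cainjector.

```shell
#!/bin/sh
# Added example, not part of the Venafi documentation: gate on the "oc get pods -n venafi"
# output from Step 3 instead of eyeballing it.
# Assumption: these three Deployment names are the cert-manager defaults.
EXPECTED_DEPLOYMENTS="cert-manager cert-manager-cainjector cert-manager-webhook"

# pods_not_ready: reads an "oc get pods" table on stdin and prints NAME READY STATUS for
# every pod that is not fully ready; returns 1 if any such pod exists, 0 otherwise.
pods_not_ready() {
  awk 'NR > 1 {
    split($2, r, "/")                       # READY column is "ready/total"
    ok = ($3 == "Running" && r[2] > 0 && r[1] == r[2]) || $3 == "Completed"
    if (!ok) { print $1, $2, $3; bad = 1 }
  } END { exit bad ? 1 : 0 }'
}

# missing_deployments NAME...: reads the same table on stdin and prints each expected
# Deployment that has no pod named <deployment>-<replicaset-hash>-<pod-suffix>;
# returns 1 if any Deployment is missing. The regex forces exactly two trailing segments,
# so "cert-manager" is not satisfied by a cert-manager-webhook pod.
missing_deployments() {
  table=$(cat)
  rc=0
  for d in "$@"; do
    printf '%s\n' "$table" | awk -v d="$d" \
      'NR > 1 && $1 ~ ("^" d "-[a-z0-9]+-[a-z0-9]+$") { found = 1 } END { exit found ? 0 : 1 }' \
      || { echo "$d"; rc=1; }
  done
  return $rc
}

# verify_install: runs both checks over a table on stdin; returns 0 only if everything passes.
# Real use: oc get pods -n venafi | verify_install
verify_install() {
  all=$(cat)
  printf '%s\n' "$all" | pods_not_ready && \
    printf '%s\n' "$all" | missing_deployments $EXPECTED_DEPLOYMENTS
}

# Constructed sample tables: the first mirrors the sample output above, the second simulates
# a crash-looping webhook and a cainjector Deployment with no pod.
SAMPLE_OK='NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-a317f649c4-dp632              1/1     Running   0          1m1s
cert-manager-cainjector-3125b8f897-g1adf   1/1     Running   0          1m7s
cert-manager-webhook-26228cbdd-f9121       1/1     Running   0          1m11s'

SAMPLE_BAD='NAME                                       READY   STATUS             RESTARTS   AGE
cert-manager-a317f649c4-dp632              1/1     Running            0          1m1s
cert-manager-webhook-26228cbdd-f9121       0/1     CrashLoopBackOff   4          1m11s'

if printf '%s\n' "$SAMPLE_OK" | verify_install; then echo "sample OK: cert-manager is ready"; fi
printf '%s\n' "$SAMPLE_BAD" | verify_install || echo "sample BAD: cert-manager is not ready"
```

Each failing pod or missing Deployment is printed on its own line, so the script doubles as a quick diagnostic; pipe the real oc output into verify_install and act on a non-zero exit.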

Using a custom Helm repository

Venafi Control Plane Operator can be set up to pull components from a custom Helm repository for environments that do not have access to oci://registry.venafi.cloud/charts.

Configuration

The chart repository can be configured globally or on a per-component basis. Starting from the cert-manager sample above, the first example below points the Operator at an OCI registry and the second at an HTTPS Helm repository:

OCI registry

venafi-components.yaml
apiVersion: installer.venafi.com/v1alpha1
kind: VenafiInstall
metadata:
  name: venafi-components
spec:
  globals:
    imagePullSecretNames: [venafi-image-pull-secret]
    customChartRepository: oci://example.com/charts # (1)!

  certManager:
    install: true
  1. The OCI registry to use when installing components.

HTTPS Helm repository

venafi-components.yaml
apiVersion: installer.venafi.com/v1alpha1
kind: VenafiInstall
metadata:
  name: venafi-components
spec:
  globals:
    imagePullSecretNames: [venafi-image-pull-secret]
    customChartRepository: https://example.com # (1)!

  certManager:
    install: true
  1. The HTTPS Helm repository to use when installing components.

Authentication

Both HTTPS and OCI Helm repositories may require authentication. Use the chartRepositoryAuthenticationSecretRef field of Venafi Control Plane Operator to reference a Kubernetes Secret that holds the credentials and, optionally, the CA bundle used to validate the repository's TLS certificate. As in any Secret manifest, the values under data are base64-encoded. The first example is for an OCI registry, the second for an HTTPS Helm repository:

OCI registry

venafi-components.yaml
apiVersion: installer.venafi.com/v1alpha1
kind: VenafiInstall
metadata:
  name: venafi-components
spec:
  globals:
    imagePullSecretNames: [venafi-image-pull-secret]
    customChartRepository: oci://example.com/charts
    chartRepositoryAuthenticationSecretRef:
      name: venafi-helm-pull-secret

  certManager:
    install: true
---
apiVersion: v1
kind: Secret
metadata:
  name: venafi-helm-pull-secret
data:
  ca.crt: ...  # (1)!
  .dockerconfigjson: ...  # (2)!
  1. If specified, the certificate the Helm repository presents is validated against this CA bundle.
  2. This key only applies to OCI registries. If specified, the credentials in this Docker config JSON (the same format as an image pull secret) are used.

HTTPS Helm repository

venafi-components.yaml
apiVersion: installer.venafi.com/v1alpha1
kind: VenafiInstall
metadata:
  name: venafi-components
spec:
  globals:
    imagePullSecretNames: [venafi-image-pull-secret]
    customChartRepository: https://example.com
    chartRepositoryAuthenticationSecretRef:
      name: venafi-helm-pull-secret

  certManager:
    install: true
---
apiVersion: v1
kind: Secret
metadata:
  name: venafi-helm-pull-secret
data:
  ca.crt: ...  # (1)!
  username: ...  # (2)!
  password: ...  # (3)!
  1. If specified, the certificate the Helm repository presents is validated against this CA bundle.
  2. This key only applies to HTTPS repositories. If specified, this username is presented to the repository.
  3. This key only applies to HTTPS repositories. If specified, this password is presented to the repository.
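The two Secret shapes above (OCI registry and HTTPS repository), as an added example that is not part of the Venafi documentation: a POSIX shell script that generates either Secret with correctly base64-encoded values (pasting plaintext credentials under data is a common mistake), builds the .dockerconfigjson keyed by the registry host that Helm uses to look up OCI credentials, refuses credentials that would break the JSON, and decodes a key back so the manifest can be checked before it is applied. The namespace venafi, the registry host registry.example.com, the user helm-reader and the placeholder CA file used in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the Venafi documentation. Generates the Secret referenced by
# chartRepositoryAuthenticationSecretRef for an OCI registry (.dockerconfigjson) or an
# HTTPS Helm repository (username/password), each with an optional ca.crt bundle.
# Assumptions: namespace "venafi" (same as the image pull secret), and the hypothetical
# registry host registry.example.com / user helm-reader used in the demo at the bottom.

b64() { base64 | tr -d '\n'; }      # single-line base64 on both GNU and BSD coreutils

# docker_config_json HOST USER PASS: the Docker config JSON Helm reads for oci:// registries.
# The "auths" entry must be keyed by the host part of customChartRepository.
docker_config_json() {
  case "$2$3" in
    *'"'* | *'\'*) echo "docker_config_json: quote or backslash in credentials" >&2; return 1 ;;
  esac
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$(printf '%s:%s' "$2" "$3" | b64)"
}

# secret_header NAME NAMESPACE: preamble of an Opaque Secret manifest (values under data are base64).
secret_header() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n' "$1" "$2"
}

# oci_auth_secret NAME NAMESPACE HOST USER PASS [CA_FILE]: manifest for an oci:// repository.
oci_auth_secret() {
  cfg=$(docker_config_json "$3" "$4" "$5") || return 1
  secret_header "$1" "$2"
  if [ -n "${6:-}" ]; then printf '  ca.crt: %s\n' "$(b64 < "$6")"; fi
  printf '  .dockerconfigjson: %s\n' "$(printf '%s' "$cfg" | b64)"
}

# https_auth_secret NAME NAMESPACE USER PASS [CA_FILE]: manifest for an https:// repository.
https_auth_secret() {
  secret_header "$1" "$2"
  if [ -n "${5:-}" ]; then printf '  ca.crt: %s\n' "$(b64 < "$5")"; fi
  printf '  username: %s\n  password: %s\n' "$(printf '%s' "$3" | b64)" "$(printf '%s' "$4" | b64)"
}

# secret_value KEY: reads a manifest on stdin and prints the decoded value of data.KEY,
# so the manifest can be checked before "oc apply -f".
secret_value() {
  awk -v k="$1" '$1 == k ":" { print $2 }' | base64 -d
}

# Demo with a constructed placeholder CA file (not a real certificate).
CA_FILE=$(mktemp)
trap 'rm -f "$CA_FILE"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderNotARealCert' '-----END CERTIFICATE-----' > "$CA_FILE"
oci_auth_secret venafi-helm-pull-secret venafi registry.example.com helm-reader 's3cret' "$CA_FILE"
echo '---'
https_auth_secret venafi-helm-pull-secret venafi helm-reader 's3cret' "$CA_FILE"
```

Apply the generated manifest with oc apply -f, and keep ca.crt to the CA that actually issues the repository's certificate rather than a broad system bundle, so the pin means something.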