
Configuring Venafi Enhanced Issuer

Venafi Enhanced Issuer has two custom resources: VenafiIssuer and VenafiClusterIssuer.

  • VenafiClusterIssuer is a cluster-scoped resource and doesn't have a namespace. Any Venafi Connection certificate request referenced by a VenafiClusterIssuer MUST be in the venafi namespace, or whichever namespace you installed Venafi Enhanced Issuer in.
  • VenafiIssuer is a "namespaced" resource. Any Venafi Connection certificate request referenced by a VenafiIssuer MUST be in the same namespace as the VenafiIssuer resource or MUST be in a namespace explicitly allowed in the Venafi Connection CR definition.

The custom resources definitions for VenafiIssuer and VenafiClusterIssuer are added to your Kubernetes API server when you install Venafi Enhanced Issuer.

Configuring how Venafi Enhanced Issuer connects to the Venafi Control Plane

Venafi Enhanced Issuer uses the Venafi Connection custom resource to determine how to connect to the Venafi Control Plane.

VenafiClusterIssuer

The example below assumes that a Venafi Connection resource named application-team-1-connection exists in the venafi namespace.

apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: application-team-1-ingress-certs
spec:
  venafiConnectionName: application-team-1-connection
  zone: \VED\Policy\Teams\application-team-1\ingress-certs

VenafiIssuer - same namespace

The example below assumes that a Venafi Connection resource named application-team-1-connection exists in the application-team-1 namespace.

apiVersion: jetstack.io/v1alpha1
kind: VenafiIssuer
metadata:
  name: ingress-certs
  namespace: application-team-1
spec:
  venafiConnectionName: application-team-1-connection
  zone: \VED\Policy\Teams\application-team-1\ingress-certs

VenafiIssuer - cross namespace

The example below assumes that a Venafi Connection resource named application-team-1-connection exists in the venafi namespace.

You must configure the allowReferencesFrom field of this Venafi Connection to allow VenafiIssuer resources in the application-team-1 namespace to use it.

apiVersion: jetstack.io/v1alpha1
kind: VenafiIssuer
metadata:
  name: ingress-certs
  namespace: application-team-1
spec:
  venafiConnectionName: application-team-1-connection
  venafiConnectionNamespace: venafi
  zone: \VED\Policy\Teams\application-team-1\ingress-certs

Customize the CertificateName logic

In Venafi TLS Protect Datacenter, each certificate object has a unique name. Two certificates with the same name are grouped in the same certificate object: the last requested certificate is the current state of the object, and older certificates are kept in the object's history to make tracking easier. It is therefore crucial that certificates are grouped correctly, so choose the unique name carefully.

Use the certificateNameExpression field to supply a custom expression that produces the appropriate certificate object name.

For example, you can base the certificate name on the namespace and name of the CertificateRequest or Kubernetes certificate signing request:

apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: my-venafi-issuer
spec:
  venafiConnectionName: my-venafi-connection
  certificateNameExpression: >-
    request.Namespace + "_" + request.name

You can also base it on the attributes of the certificate signing request and/or the annotations of the resource:

apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: my-venafi-issuer
spec:
  venafiConnectionName: my-venafi-connection
  certificateNameExpression: >-
    optional.none().
      or(
        request.
          annotations[?"venafi.cert-manager.io/custom-fields"].
          orValue("[]").
          parseJSON().
          filter(x, x.name == "field-name-2")[?0].
          value
      ).
      or(request.?commonName).
      or(request.subject.Organization[?0]).
      or(request.dnsNames[?0]).
      or(request.uris[?0]).
      or(request.emailAddresses[?0]).
      or(request.ipAddresses[?0]).
      value()
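As an added illustration that is not part of the Venafi documentation, the Python below models the naming logic of the two expressions above over constructed requests and reports which names would make unrelated requests share one certificate object. The request dictionaries and their field names are assumptions mirroring what the expressions read; name_by_attributes raises where the CEL chain's final value() would find no value.

```python
import json

# Constructed sample requests (not real cluster data), shaped after the
# fields the CEL expressions read: namespace, name, annotations, commonName,
# subject.Organization, dnsNames, uris, emailAddresses, ipAddresses.
CUSTOM_FIELDS_ANNOTATION = "venafi.cert-manager.io/custom-fields"
REQUESTS = [
    {"namespace": "application-team-1", "name": "ingress-tls",
     "annotations": {}, "commonName": "shop.example.com",
     "dnsNames": ["shop.example.com"]},
    {"namespace": "application-team-2", "name": "ingress-tls",
     "annotations": {}, "commonName": "shop.example.com",
     "dnsNames": ["shop.example.com"]},
    {"namespace": "application-team-1", "name": "api-tls",
     "annotations": {CUSTOM_FIELDS_ANNOTATION: json.dumps(
         [{"name": "field-name-1", "value": "ignored"},
          {"name": "field-name-2", "value": "api-gateway"}])},
     "commonName": "api.example.com", "dnsNames": ["api.example.com"]},
    {"namespace": "application-team-2", "name": "mtls-client",
     "annotations": {}, "commonName": None,
     "subject": {"Organization": ["Example Corp"]}},
]

def name_by_namespace_and_name(req):
    """Model of: request.Namespace + "_" + request.name"""
    return f"{req['namespace']}_{req['name']}"

def custom_field(req, field):
    """Model of the annotations[?...].orValue("[]").parseJSON().filter(...) step."""
    raw = req.get("annotations", {}).get(CUSTOM_FIELDS_ANNOTATION, "[]")
    matches = [x for x in json.loads(raw) if x.get("name") == field]
    return matches[0].get("value") if matches else None

def first(seq):
    """Model of the [?0] optional index: None when the list is empty."""
    return seq[0] if seq else None

def name_by_attributes(req):
    """Model of the optional.none().or(...)...value() fallback chain."""
    candidates = [
        custom_field(req, "field-name-2"),
        req.get("commonName"),
        first(req.get("subject", {}).get("Organization", [])),
        first(req.get("dnsNames", [])),
        first(req.get("uris", [])),
        first(req.get("emailAddresses", [])),
        first(req.get("ipAddresses", [])),
    ]
    for candidate in candidates:
        if candidate is not None:
            return candidate
    raise ValueError("no attribute available for the certificate object name")

def find_collisions(requests, name_fn):
    """Return names that more than one request would map to (grouping hazard)."""
    seen = {}
    for req in requests:
        seen.setdefault(name_fn(req), []).append(f"{req['namespace']}/{req['name']}")
    return {name: owners for name, owners in seen.items() if len(owners) > 1}
```

Running find_collisions with each naming function shows that the attribute-based name lets two teams' ingress certificates with the same common name collapse into one certificate object, while the namespace_name form keeps them apart.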

Run the following command for more information about the field:

kubectl explain venafiissuer.spec.certificateNameExpression