Installing Venafi Enhanced Issuer using Helm¶
Venafi Enhanced Issuer is a software component of Venafi Control Plane.
To download the latest version of Venafi Enhanced Issuer as a Docker image or Helm Chart, see the download links specific to your region on the Venafi Enhanced Issuer release page.
Prerequisites¶
- You must have access to a Venafi Control Plane (TLS Protect Cloud or TLS Protect Datacenter) instance.
- You must have permission to install Helm charts and CRDs on your Kubernetes cluster.
- You must install cert-manager in your cluster.
- You must have
kubectland Helm 3.8.0 or later on your local computer.
Important
If you use your own registry, which replicates the Venafi images, replace the address of your own registry in any of the relevant commands given on this page.
Step 1: Configure access to the Venafi OCI registry¶
Important
Follow the instructions in Configuring access to enterprise components to enable access to the artifacts required for this component (Venafi Enhanced Issuer Component for cert-manager is the default scope for Venafi Enhanced Issuer). Use venafi as the namespace.
For the example below, we assume you created the following Kubernetes secret:
- namespace:
venafi - name:
venafi-image-pull-secret
Step 2: (Optional) Create trusted CA bundles¶
If you want to use Venafi Enhanced Issuer with TLS Protect Datacenter or HashiCorp Vault instance that is served by a certificate signed by your company's private CA, you must tell Venafi Enhanced Issuer which CA certificates to trust.
If you want to use Venafi Enhanced Issuer with Venafi Control Plane and that egress traffic in your Kubernetes clusters is controlled using an HTTP or transparent proxy, you may also need to configure a custom CA bundle to trust the proxy that terminates the TLS connection.
Note
Unlike cert-manager, which has the caBundle field, Venafi Enhanced Issuer requires you to mount the CA certificates to be trusted in Venafi Enhanced Issuer's file system (at /etc/ssl/certs) using ConfigMap resources.
To configure the CA certificates to trust, first create a ConfigMap in the venafi namespace, and reference the certificates in the trustedCaBundles field in the Helm chart. The trustedCaBundles field defines which ConfigMap resources are mounted at /etc/ssl/certs in the pod.
The example in Step 3 assumes that you created the following Kubernetes ConfigMap resources:
For TLS Protect Datacenter:
- namespace:
venafi - name:
ca-cert-tpp
For HashiCorp Vault:
- namespace:
venafi - name:
ca-cert-vault
For an HTTP or transparent proxy:
- namespace:
venafi - name:
ca-cert-proxy
To configure a ConfigMap using trustedCaBundles:
-
Use
kubectlto add the custom CA bundle to a ConfigMap:kubectl --namespace venafi create configmap ca.crt --from-file=ca-cert=<file-name>
Step 3: Deploying Venafi Enhanced Issuer¶
This procedure installs Venafi Enhanced Issuer in the venafi namespace, and configures it to use the pull secret created earlier, in addition to specifying the CA bundles Venafi Enhanced Issuer should trust.
-
Create a file called:
venafi-enhanced-issuer.values.yamlcontaining the following content:A sample
venafi-enhanced-issuer.values.yamlfile for users of the Venafi US OCI registry:venafi-enhanced-issuer.values.yamlglobal: imagePullSecrets: - name: venafi-image-pull-secret venafiConnection: include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed venafiEnhancedIssuer: manager: image: repository: private-registry.venafi.cloud/venafi-issuer/venafi-enhanced-issuer # The trustedCaBundles allows you to specify additional CA certificate # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA # certificates are present in the image by default at # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled. trustedCaBundles: # To load the CA bundle to trust your TPP server: - configMapName: ca-cert-tpp configMapKey: ca.crt # To load the CA bundle to trust your Vault server: - configMapName: ca-cert-vault configMapKey: ca.crt # To load the CA bundle to trust your transparent or HTTP proxy: - configMapName: ca-cert-proxy configMapKey: ca.crtA sample
venafi-enhanced-issuer.values.yamlfile for users of the Venafi EU OCI registry:venafi-enhanced-issuer.values.yamlglobal: imagePullSecrets: - name: venafi-image-pull-secret venafiConnection: include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed venafiEnhancedIssuer: manager: image: repository: private-registry.venafi.eu/venafi-issuer/venafi-enhanced-issuer # The trustedCaBundles allows you to specify additional CA certificate # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA # certificates are present in the image by default at # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled. trustedCaBundles: # To load the CA bundle to trust your TPP server: - configMapName: ca-cert-tpp configMapKey: ca.crt # To load the CA bundle to trust your Vault server: - configMapName: ca-cert-vault configMapKey: ca.crt # To load the CA bundle to trust your transparent or HTTP proxy: - configMapName: ca-cert-proxy configMapKey: ca.crtA sample
venafi-enhanced-issuer.values.yamlfile for users with their own OCI registry:venafi-enhanced-issuer.values.yamlglobal: imagePullSecrets: - name: venafi-image-pull-secret venafiConnection: include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed venafiEnhancedIssuer: manager: image: repository: myregistry.example.com/venafi-issuer/venafi-enhanced-issuer # The trustedCaBundles allows you to specify additional CA certificate # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA # certificates are present in the image by default at # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled. trustedCaBundles: # To load the CA bundle to trust your TPP server: - configMapName: ca-cert-tpp configMapKey: ca.crt # To load the CA bundle to trust your Vault server: - configMapName: ca-cert-vault configMapKey: ca.crt # To load the CA bundle to trust your transparent or HTTP proxy: - configMapName: ca-cert-proxy configMapKey: ca.crt -
Use Helm to install the software and wait for it to be ready:
helm upgrade venafi-enhanced-issuer oci://registry.venafi.cloud/charts/venafi-enhanced-issuer \ --install \ --wait \ --namespace venafi \ --values venafi-enhanced-issuer.values.yaml \ --version v0.14.0For more information, see Helm support for OCI package distribution.
-
If you are using Approver Policy or Approver Policy Enterprise, no further action is required. If not, you must let cert-manager auto-approve the certificate requests that reference the VenafiClusterIssuer and VenafiIssuer types with the following RBAC:
venafi-enhanced-issuer.rbac.yamlapiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cert-manager-controller-approve:venafi-enhanced-issuer rules: - apiGroups: ["cert-manager.io"] resources: ["signers"] verbs: ["approve"] resourceNames: ["venafiissuers.jetstack.io/*", "venaficlusterissuers.jetstack.io/*"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cert-manager-controller-approve:venafi-enhanced-issuer roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-approve:venafi-enhanced-issuer subjects: - name: cert-manager namespace: venafi kind: ServiceAccountUse the following
kubectlcommand to apply it:kubectl apply -f venafi-enhanced-issuer.rbac.yaml
Tip
You can also use the venctl components kubernetes apply command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments.
See venctl components kubernetes apply for more information on how to use the command with this component.