Skip to content

Installing Venafi Enhanced Issuer using Helm

Venafi Enhanced Issuer is a software component of Venafi Control Plane.

To download the latest version of Venafi Enhanced Issuer as a Docker image or Helm Chart, see the download links specific to your region on the Venafi Enhanced Issuer release page.

Prerequisites

  • You must have access to a Venafi Control Plane (TLS Protect Cloud or TLS Protect Datacenter) instance.
  • You must have permission to install Helm charts and CRDs on your Kubernetes cluster.
  • You must install cert-manager in your cluster.
  • You must have kubectl and Helm 3.8.0 or later on your local computer.

Important

If you use your own registry, which replicates the Venafi images, replace the address of your own registry in any of the relevant commands given on this page.

Step 1: Configure access to the Venafi OCI registry

Important

Follow the instructions in Configuring access to enterprise components to enable access to the artifacts required for this component (Venafi Enhanced Issuer Component for cert-manager is the default scope for Venafi Enhanced Issuer). Use venafi as the namespace.

For the example below, we assume you created the following Kubernetes secret:

  • namespace: venafi
  • name: venafi-image-pull-secret

Step 2: (Optional) Create trusted CA bundles

If you want to use Venafi Enhanced Issuer with TLS Protect Datacenter or HashiCorp Vault instance that is served by a certificate signed by your company's private CA, you must tell Venafi Enhanced Issuer which CA certificates to trust.

Note

Unlike cert-manager, which has the caBundle field, Venafi Enhanced Issuer requires you to mount the CA certificates to be trusted in Venafi Enhanced Issuer's file system (at /etc/ssl/certs) using ConfigMap resources.

To configure the CA certificates to trust, first create a ConfigMap in the venafi namespace, and reference the certificates in the trustedCaBundles field in the Helm chart. The trustedCaBundles field defines which ConfigMap resources are mounted at /etc/ssl/certs in the pod.

The example below assumes that you created the following Kubernetes ConfigMap resources:

For TLS Protect Datacenter:

  • namespace: venafi
  • name: ca-cert-tpp

For HashiCorp Vault:

  • namespace: venafi
  • name: ca-cert-vault

Step 3: Deploying Venafi Enhanced Issuer

This procedure installs Venafi Enhanced Issuer in the venafi namespace, and configures it to use the pull secret created earlier, in addition to specifying the CA bundles Venafi Enhanced Issuer should trust.

  1. Create a file called: venafi-enhanced-issuer.values.yaml containing the following content:

    A sample venafi-enhanced-issuer.values.yaml file for users of the Venafi US OCI registry:

    venafi-enhanced-issuer.values.yaml
    global:
  imagePullSecrets:
    - name: venafi-image-pull-secret

venafiConnection:
  include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed

venafiEnhancedIssuer:
  manager:
    image:
      repository: private-registry.venafi.cloud/venafi-issuer/venafi-enhanced-issuer

    # The trustedCaBundles allows you to specify additional CA certificate
    # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA
    # certificates are present in the image by default at
    # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled.
    trustedCaBundles:
      - configMapName: ca-cert-tpp # for TLS Protect Datacenter
        configMapKey: ca.crt
      - configMapName: ca-cert-vault # for HashiCorp Vault
        configMapKey: ca.crt

    A sample venafi-enhanced-issuer.values.yaml file for users of the Venafi EU OCI registry:

    venafi-enhanced-issuer.values.yaml
    global:
  imagePullSecrets:
    - name: venafi-image-pull-secret

venafiConnection:
  include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed

venafiEnhancedIssuer:
  manager:
    image:
      repository: private-registry.venafi.eu/venafi-issuer/venafi-enhanced-issuer

    # The trustedCaBundles allows you to specify additional CA certificate
    # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA
    # certificates are present in the image by default at
    # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled.
    trustedCaBundles:
      - configMapName: ca-cert-tpp # for TLS Protect Datacenter
        configMapKey: ca.crt
      - configMapName: ca-cert-vault # for HashiCorp Vault
        configMapKey: ca.crt

    A sample venafi-enhanced-issuer.values.yaml file for users with their own OCI registry:

    venafi-enhanced-issuer.values.yaml
    global:
  imagePullSecrets:
    - name: venafi-image-pull-secret

venafiConnection:
  include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed

venafiEnhancedIssuer:
  manager:
    image:
      repository: myregistry.example.com/venafi-issuer/venafi-enhanced-issuer

    # The trustedCaBundles allows you to specify additional CA certificate
    # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA
    # certificates are present in the image by default at
    # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled.
    trustedCaBundles:
      - configMapName: ca-cert-tpp # for TLS Protect Datacenter
        configMapKey: ca.crt
      - configMapName: ca-cert-vault # for HashiCorp Vault
        configMapKey: ca.crt

  2. Use Helm to install the software and wait for it to be ready:

    helm upgrade venafi-enhanced-issuer oci://registry.venafi.cloud/charts/venafi-enhanced-issuer \
    --install \
    --wait \
    --namespace venafi \
    --values venafi-enhanced-issuer.values.yaml \
    --version v0.14.0

    For more information, see Helm support for OCI package distribution.

  3. If you are using Approver Policy or Approver Policy Enterprise, no further action is required. If not, you must let cert-manager auto-approve the certificate requests that reference the VenafiClusterIssuer and VenafiIssuer types with the following RBAC:

    venafi-enhanced-issuer.rbac.yaml
    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-approve:venafi-enhanced-issuer
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["signers"]
    verbs: ["approve"]
    resourceNames: ["venafiissuers.jetstack.io/*", "venaficlusterissuers.jetstack.io/*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-approve:venafi-enhanced-issuer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-approve:venafi-enhanced-issuer
subjects:
  - name: cert-manager
    namespace: venafi
    kind: ServiceAccount

    Use the following kubectl command to apply it:

    kubectl apply -f venafi-enhanced-issuer.rbac.yaml

Tip

You can also use the venctl components kubernetes apply command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments.

See venctl components kubernetes apply for more information on how to use the command with this component.