Installing Venafi Enhanced Issuer using Venafi OCI registries¶
Venafi Enhanced Issuer is a software component of Venafi Control Plane.
To download the latest version of Venafi Enhanced Issuer as a Docker image or Helm Chart, see the download links specific to your region on the Venafi Enhanced Issuer release page.
Prerequisites¶
- You must have access to a Venafi Control Plane (TLS Protect Cloud or TLS Protect Datacenter) instance.
- You must have permission to install Helm charts and CRDs on your Kubernetes cluster.
- You must install cert-manager in your cluster.
- You must have
kubectl
and Helm 3.8.0 or later on your local computer.
Important
If you use your own registry, which replicates the Venafi images, replace the address of your own registry in any of the relevant commands given on this page.
Step 1: Configure access to the Venafi OCI registry¶
Important
Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (Venafi Enhanced Issuer Component for cert-manager
is the default scope for Venafi Enhanced Issuer). Use venafi
as the namespace.
For the example below, we assume you created the following Kubernetes secret:
- namespace:
venafi
- name:
venafi-image-pull-secret
Step 2: (Optional) Create trusted CA bundles¶
If you want to use Venafi Enhanced Issuer with TLS Protect Datacenter or HashiCorp Vault instance that is served by a certificate signed by your company's private CA, you must tell Venafi Enhanced Issuer which CA certificates to trust.
Note
Unlike cert-manager, which has the caBundle
field, Venafi Enhanced Issuer requires you to mount the CA certificates to be trusted in Venafi Enhanced Issuer's file system (at /etc/ssl/certs
) using ConfigMap resources.
To configure the CA certificates to trust, first create a ConfigMap in the venafi
namespace, and reference the certificates in the trustedCaBundles
field in the Helm chart. The trustedCaBundles
field defines which ConfigMap resources are mounted at /etc/ssl/certs
in the pod.
The example below assumes that you created the following Kubernetes ConfigMap resources:
For TLS Protect Datacenter:
- namespace:
venafi
- name:
ca-cert-tpp
For HashiCorp Vault:
- namespace:
venafi
- name:
ca-cert-vault
Step 3: Deploying Venafi Enhanced Issuer¶
There are two ways you deploy Venafi Enhanced Issuer:
- Using Helm
- Using the Venafi CLI tool
Deploying Venafi Enhanced Issuer using Helm¶
This procedure installs Venafi Enhanced Issuer in the venafi namespace, and configures it to use the pull secret created earlier, in addition to specifying the CA bundles Venafi Enhanced Issuer should trust.
-
Create a file called:
venafi-enhanced-issuer.values.yaml
containing the following content:# venafi-enhanced-issuer.values.yaml global: imagePullSecrets: - name: venafi-image-pull-secret venafiConnection: include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed venafiEnhancedIssuer: manager: image: repository: private-registry.venafi.cloud/venafi-issuer/venafi-enhanced-issuer # The trustedCaBundles allows you to specify additional CA certificate # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA # certificates are present in the image by default at # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled. trustedCaBundles: - configMapName: ca-cert-tpp # for TLS Protect Datacenter configMapKey: ca.crt - configMapName: ca-cert-vault # for HashiCorp Vault configMapKey: ca.crt
# venafi-enhanced-issuer.values.yaml global: imagePullSecrets: - name: venafi-image-pull-secret venafiConnection: include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed venafiEnhancedIssuer: manager: image: repository: private-registry.venafi.eu/venafi-issuer/venafi-enhanced-issuer # The trustedCaBundles allows you to specify additional CA certificate # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA # certificates are present in the image by default at # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled. trustedCaBundles: - configMapName: ca-cert-tpp # for TLS Protect Datacenter configMapKey: ca.crt - configMapName: ca-cert-vault # for HashiCorp Vault configMapKey: ca.crt
-
Use Helm to install the software and wait for it to be ready:
helm upgrade venafi-enhanced-issuer oci://registry.venafi.cloud/charts/venafi-enhanced-issuer \ --install \ --wait \ --namespace venafi \ --values venafi-enhanced-issuer.values.yaml \ --version v0.13.3
For more information, see Helm 3 support for OCI package distribution.
-
If you are using Approver Policy or Approver Policy Enterprise, no further action is required. If not, you must let cert-manager auto-approve the certificate requests that reference the VenafiClusterIssuer and VenafiIssuer types with the following RBAC:
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cert-manager-controller-approve:venafi-enhanced-issuer rules: - apiGroups: ["cert-manager.io"] resources: ["signers"] verbs: ["approve"] resourceNames: ["venafiissuers.jetstack.io/*", "venaficlusterissuers.jetstack.io/*"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cert-manager-controller-approve:venafi-enhanced-issuer roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-approve:venafi-enhanced-issuer subjects: - name: cert-manager namespace: venafi kind: ServiceAccount
Deploying Venafi Enhanced Issuer the Venafi CLI tool¶
- If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
-
Initialize the Venafi Kubernetes Manifest tool.
venctl components kubernetes manifest tool init
-
Issue the following command to generate a Venafi Kubernetes manifest which, when applied, will install Venafi Enhanced Issuer:
venctl components kubernetes manifest generate --venafi-enhanced-issuer
For more information and options on using the Venafi CLI tool to install Venafi Enhanced Issuer, see the Venafi CLI tool reference page.
Tip
You can also use the venctl components kubernetes apply
command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments.
See venctl components kubernetes apply
for more information on how to use the command with this component.