Installing Venafi Enhanced Issuer using Venafi OCI registries¶

Venafi Enhanced Issuer is a software component of Venafi Control Plane.

To download the latest version of Venafi Enhanced Issuer as a Docker image or Helm Chart, see the download links specific to your region on the Venafi Enhanced Issuer release page.

Prerequisites¶

• You must have access to a Venafi Control Plane (TLS Protect Cloud or TLS Protect Datacenter) instance.
• You must have permission to install Helm charts and CRDs on your Kubernetes cluster.
• You must install cert-manager in your cluster.
• You must have kubectl and Helm 3.8.0 or later on your local computer.

Step 1: Configure access to the Venafi OCI registry¶

For the example below, we assume you created the following Kubernetes secret:

• namespace: venafi
• name: venafi-image-pull-secret

Step 2: (Optional) Create trusted CA bundles¶

If you want to use Venafi Enhanced Issuer with TLS Protect Datacenter or HashiCorp Vault instance that is served by a certificate signed by your company's private CA, you must tell Venafi Enhanced Issuer which CA certificates to trust.

To configure the CA certificates to trust, first create a ConfigMap in the venafi namespace, and reference the certificates in the trustedCaBundles field in the Helm chart. The trustedCaBundles field defines which ConfigMap resources are mounted at /etc/ssl/certs in the pod.

The example below assumes that you created the following Kubernetes ConfigMap resources:

For TLS Protect Datacenter:

• namespace: venafi
• name: ca-cert-tpp

For HashiCorp Vault:

• namespace: venafi
• name: ca-cert-vault

Step 3: Deploying Venafi Enhanced Issuer¶

There are two ways you deploy Venafi Enhanced Issuer:

• Using Helm
• Using the Venafi CLI tool

Deploying Venafi Enhanced Issuer using Helm¶

This procedure installs Venafi Enhanced Issuer in the venafi namespace, and configures it to use the pull secret created earlier, in addition to specifying the CA bundles Venafi Enhanced Issuer should trust.

1. Create a file called: venafi-enhanced-issuer.values.yaml containing the following content:

   US RegionEU Region

   # venafi-enhanced-issuer.values.yaml
   global:
     imagePullSecrets:
       - name: venafi-image-pull-secret
   
   venafiConnection:
     include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed
   
   venafiEnhancedIssuer:
     manager:
       image:
         repository: private-registry.venafi.cloud/venafi-issuer/venafi-enhanced-issuer
   
       # The trustedCaBundles allows you to specify additional CA certificate
       # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA
       # certificates are present in the image by default at
       # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled.
       trustedCaBundles:
         - configMapName: ca-cert-tpp # for TLS Protect Datacenter
           configMapKey: ca.crt
         - configMapName: ca-cert-vault # for HashiCorp Vault
           configMapKey: ca.crt
   

   # venafi-enhanced-issuer.values.yaml
   global:
     imagePullSecrets:
       - name: venafi-image-pull-secret
   
   venafiConnection:
     include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed
   
   venafiEnhancedIssuer:
     manager:
       image:
         repository: private-registry.venafi.eu/venafi-issuer/venafi-enhanced-issuer
   
       # The trustedCaBundles allows you to specify additional CA certificate
       # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA
       # certificates are present in the image by default at
       # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled.
       trustedCaBundles:
         - configMapName: ca-cert-tpp # for TLS Protect Datacenter
           configMapKey: ca.crt
         - configMapName: ca-cert-vault # for HashiCorp Vault
           configMapKey: ca.crt
   

2. Use Helm to install the software and wait for it to be ready:

   helm upgrade venafi-enhanced-issuer oci://registry.venafi.cloud/charts/venafi-enhanced-issuer \
       --install \
       --wait \
       --namespace venafi \
       --values venafi-enhanced-issuer.values.yaml \
       --version v0.13.3
   

   For more information, see Helm 3 support for OCI package distribution.

3. If you are using Approver Policy or Approver Policy Enterprise, no further action is required. If not, you must let cert-manager auto-approve the certificate requests that reference the VenafiClusterIssuer and VenafiIssuer types with the following RBAC:

   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
     name: cert-manager-controller-approve:venafi-enhanced-issuer
   rules:
     - apiGroups: ["cert-manager.io"]
       resources: ["signers"]
       verbs: ["approve"]
       resourceNames: ["venafiissuers.jetstack.io/*", "venaficlusterissuers.jetstack.io/*"]
   ---
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     name: cert-manager-controller-approve:venafi-enhanced-issuer
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: cert-manager-controller-approve:venafi-enhanced-issuer
   subjects:
     - name: cert-manager
       namespace: venafi
       kind: ServiceAccount
   

Deploying Venafi Enhanced Issuer the Venafi CLI tool¶

1. If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.

2. Initialize the Venafi Kubernetes Manifest tool.

   venctl components kubernetes manifest tool init
   

3. Issue the following command to generate a Venafi Kubernetes manifest which, when applied, will install Venafi Enhanced Issuer:

   venctl components kubernetes manifest generate --venafi-enhanced-issuer
   

   For more information and options on using the Venafi CLI tool to install Venafi Enhanced Issuer, see the Venafi CLI tool reference page.

Related links¶

• Configuring Venafi Enhanced Issuer
• Metrics for Venafi Enhanced Issuer
• Venafi Enhanced Issuer API reference
• Venafi Enhanced Issuer image flags