Skip to content

Installing Venafi Enhanced Issuer using Venafi OCI registries

Venafi Enhanced Issuer is a software component of Venafi Control Plane.

To download the latest version of Venafi Enhanced Issuer as a Docker image or Helm Chart, see the download links specific to your region on the Venafi Enhanced Issuer release page.

Prerequisites

  • You must have access to a Venafi Control Plane (TLS Protect Cloud or TLS Protect Datacenter) instance.
  • You must have permission to install Helm charts and CRDs on your Kubernetes cluster.
  • You must install cert-manager in your cluster.
  • You must have kubectl and Helm 3.8.0 or later on your local computer.

Important

If you use your own registry, which replicates the Venafi images, replace the address of your own registry in any of the relevant commands given on this page.

Step 1: Configure access to the Venafi OCI registry

Important

Follow the instructions in Configuring access to enterprise components to enable access to the artifacts required for this component (Venafi Enhanced Issuer Component for cert-manager is the default scope for Venafi Enhanced Issuer). Use venafi as the namespace.

For the example below, we assume you created the following Kubernetes secret:

  • namespace: venafi
  • name: venafi-image-pull-secret

Step 2: (Optional) Create trusted CA bundles

If you want to use Venafi Enhanced Issuer with TLS Protect Datacenter or HashiCorp Vault instance that is served by a certificate signed by your company's private CA, you must tell Venafi Enhanced Issuer which CA certificates to trust.

Note

Unlike cert-manager, which has the caBundle field, Venafi Enhanced Issuer requires you to mount the CA certificates to be trusted in Venafi Enhanced Issuer's file system (at /etc/ssl/certs) using ConfigMap resources.

To configure the CA certificates to trust, first create a ConfigMap in the venafi namespace, and reference the certificates in the trustedCaBundles field in the Helm chart. The trustedCaBundles field defines which ConfigMap resources are mounted at /etc/ssl/certs in the pod.

The example below assumes that you created the following Kubernetes ConfigMap resources:

For TLS Protect Datacenter:

  • namespace: venafi
  • name: ca-cert-tpp

For HashiCorp Vault:

  • namespace: venafi
  • name: ca-cert-vault

Step 3: Deploying Venafi Enhanced Issuer

There are two ways you deploy Venafi Enhanced Issuer:

  • Using Helm
  • Using the Venafi CLI tool

Deploying Venafi Enhanced Issuer using Helm

This procedure installs Venafi Enhanced Issuer in the venafi namespace, and configures it to use the pull secret created earlier, in addition to specifying the CA bundles Venafi Enhanced Issuer should trust.

  1. Create a file called: venafi-enhanced-issuer.values.yaml containing the following content:

    # venafi-enhanced-issuer.values.yaml
    global:
      imagePullSecrets:
        - name: venafi-image-pull-secret
    
    venafiConnection:
      include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed
    
    venafiEnhancedIssuer:
      manager:
        image:
          repository: private-registry.venafi.cloud/venafi-issuer/venafi-enhanced-issuer
    
        # The trustedCaBundles allows you to specify additional CA certificate
        # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA
        # certificates are present in the image by default at
        # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled.
        trustedCaBundles:
          - configMapName: ca-cert-tpp # for TLS Protect Datacenter
            configMapKey: ca.crt
          - configMapName: ca-cert-vault # for HashiCorp Vault
            configMapKey: ca.crt
    
    # venafi-enhanced-issuer.values.yaml
    global:
      imagePullSecrets:
        - name: venafi-image-pull-secret
    
    venafiConnection:
      include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed
    
    venafiEnhancedIssuer:
      manager:
        image:
          repository: private-registry.venafi.eu/venafi-issuer/venafi-enhanced-issuer
    
        # The trustedCaBundles allows you to specify additional CA certificate
        # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA
        # certificates are present in the image by default at
        # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled.
        trustedCaBundles:
          - configMapName: ca-cert-tpp # for TLS Protect Datacenter
            configMapKey: ca.crt
          - configMapName: ca-cert-vault # for HashiCorp Vault
            configMapKey: ca.crt
    
  2. Use Helm to install the software and wait for it to be ready:

    helm upgrade venafi-enhanced-issuer oci://registry.venafi.cloud/charts/venafi-enhanced-issuer \
        --install \
        --wait \
        --namespace venafi \
        --values venafi-enhanced-issuer.values.yaml \
        --version v0.14.0
    

    For more information, see Helm 3 support for OCI package distribution.

  3. If you are using Approver Policy or Approver Policy Enterprise, no further action is required. If not, you must let cert-manager auto-approve the certificate requests that reference the VenafiClusterIssuer and VenafiIssuer types with the following RBAC:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cert-manager-controller-approve:venafi-enhanced-issuer
    rules:
      - apiGroups: ["cert-manager.io"]
        resources: ["signers"]
        verbs: ["approve"]
        resourceNames: ["venafiissuers.jetstack.io/*", "venaficlusterissuers.jetstack.io/*"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: cert-manager-controller-approve:venafi-enhanced-issuer
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cert-manager-controller-approve:venafi-enhanced-issuer
    subjects:
      - name: cert-manager
        namespace: venafi
        kind: ServiceAccount
    

Deploying Venafi Enhanced Issuer using the Venafi CLI tool

  1. If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
  2. Initialize the Venafi Kubernetes Manifest tool.

    venctl components kubernetes manifest tool init
    
  3. Issue the following command to generate a Venafi Kubernetes manifest which, when applied, will install Venafi Enhanced Issuer:

    venctl components kubernetes manifest generate --venafi-enhanced-issuer
    

    For more information and options on using the Venafi CLI tool to install Venafi Enhanced Issuer, see the Venafi CLI tool reference page.

Tip

You can also use the venctl components kubernetes apply command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments.

See venctl components kubernetes apply for more information on how to use the command with this component.