Installing Enterprise Issuer using the CyberArk Certificate Manager Operator
CyberArk Certificate Manager Operator for Red Hat OpenShift (formerly known as Venafi Control Plane Operator) is designed to assist customers in installing, maintaining, and upgrading CyberArk cluster components.
Follow the steps below to deploy the default version of cert-manager and Enterprise Issuer for CyberArk Certificate Manager using the CyberArk Certificate Manager Operator.
Prerequisites
To install Enterprise Issuer using the CyberArk Certificate Manager Operator you'll need the following:
- Access to the CyberArk OCI registry (or your own mirror).
- You have CyberArk Certificate Manager Operator already installed on your system.
- You have the Red Hat OpenShift CLI tool `oc` installed on your system.
Step 1: Configure access to the CyberArk OCI registry
Important
Follow the instructions in Configuring access to the OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.
For the example below, it's assumed that you created the following Kubernetes Secret:
- namespace: `venafi`
- name: `venafi-image-pull-secret`
Step 2: Create and apply the manifest
- Create a manifest `venafi-components.yaml`. You can use one of the samples below as a base:

venafi-components.yaml

```yaml
apiVersion: installer.venafi.com/v1alpha1
kind: VenafiInstall
metadata:
  name: venafi-components
spec:
  globals:
    enableDefaultApprover: false
    imagePullSecretNames: [venafi-image-pull-secret]
    namespace: venafi
    useFIPSImages: false
    vcpRegion: US
    region: US
  certManager:
    install: true
  venafiConnection:
    install: true
  venafiEnhancedIssuer:
    install: true
    values:
      venafiEnhancedIssuer:
        tolerations:
          - key: node-role.kubernetes.io/infra
            operator: Exists
            effect: NoSchedule
          - key: node-role.kubernetes.io/private
            operator: Exists
            effect: NoSchedule
    version: v0.17.1
```

Regional registries
The example above uses the Venafi US registry parameters. If you want to use a different Venafi registry, replace `vcpRegion: US` and `region: US` with the relevant regional repository value:

- EU registry

```yaml
# venafi-components.yaml
...
spec:
  globals:
    ...
    vcpRegion: EU
    region: EU
    ...
```

- UK registry

```yaml
# venafi-components.yaml
...
spec:
  globals:
    ...
    vcpRegion: UK
    region: EU
    ...
```

- Australia registry

```yaml
# venafi-components.yaml
...
spec:
  globals:
    ...
    vcpRegion: AU
    region: US
    ...
```

- Canada registry

```yaml
# venafi-components.yaml
...
spec:
  globals:
    ...
    vcpRegion: CA
    region: US
    ...
```

- Singapore registry

```yaml
# venafi-components.yaml
...
spec:
  globals:
    ...
    vcpRegion: SG
    region: US
    ...
```

For more information on Venafi OCI registries, see Configuring access to a Venafi OCI Registry.
venafi-components.yaml (custom chart repository and image registry)

```yaml
apiVersion: installer.venafi.com/v1alpha1
kind: VenafiInstall
metadata:
  name: venafi-components
spec:
  globals:
    customChartRepository: oci://myregistry.example.com/charts
    customImageRegistry: myregistry.example.com
    enableDefaultApprover: false
    imagePullSecretNames: [venafi-image-pull-secret]
    namespace: venafi
    useFIPSImages: false
  certManager:
    install: true
  venafiConnection:
    install: true
  venafiEnhancedIssuer:
    install: true
    values:
      venafiEnhancedIssuer:
        tolerations:
          - key: node-role.kubernetes.io/infra
            operator: Exists
            effect: NoSchedule
          - key: node-role.kubernetes.io/private
            operator: Exists
            effect: NoSchedule
    version: v0.17.1
```

Note
Set the `spec.certManager.skip` parameter to `true` and the `spec.certManager.install` parameter to `false` if you have already installed and configured cert-manager.

Tip
For a complete list of CyberArk Certificate Manager Operator configuration parameters, refer to the CyberArk Certificate Manager Operator API reference.
- Apply the manifest by running the following command:

```shell
oc apply -f venafi-components.yaml
```

Step 3: Verify the installation
- Verify whether Enterprise Issuer is successfully installed by running the following command:

```shell
oc get venafiinstall,pods
```

Sample output:

```
NAME                                                   STATUS   LAST SYNC
venafiinstall.installer.venafi.com/venafi-components   Synced   109s

NAME                                           READY   STATUS    RESTARTS   AGE
pod/cert-manager-6976949b6d-dkc7c              1/1     Running   0          33m
pod/cert-manager-cainjector-6f55988c8f-clmfj   1/1     Running   0          33m
pod/cert-manager-webhook-75ddc44d97-4xt7f      1/1     Running   0          33m
pod/vcp-operator-6f76c5fb67-z2cm2              1/1     Running   2          5d10h
pod/venafi-enhanced-issuer-64bf67974c-2z86d    1/1     Running   0          2m16s
```