Installing Venafi Enhanced Issuer using the Venafi Control Plane Operator

Venafi Control Plane Operator for Red Hat OpenShift is designed to assist customers in installing, maintaining, and upgrading Venafi cluster components.

Follow the steps below to deploy the default version of cert-manager and Venafi Enhanced Issuer using the Venafi Control Plane Operator.

Prerequisites

To install Venafi Enhanced Issuer using the Venafi Control Plane Operator you'll need the following:

  • Access to the Venafi OCI registry (or your own mirror).
  • Venafi Control Plane Operator already installed on your system.
  • The Red Hat OpenShift CLI tool oc installed on your system.

Step 1: Configure access to the Venafi OCI registry

Important

Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.

For the example below, it's assumed that you created the following Kubernetes Secret:

  • namespace: venafi
  • name: venafi-image-pull-secret

Step 2: Create and apply the manifest

  1. Create a manifest venafi-components.yaml. You can use one of the samples below as a base:

    venafi-components.yaml (US region)
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals:
        enableDefaultApprover: false
        imagePullSecretNames: [venafi-image-pull-secret]
        namespace: venafi
        useFIPSImages: false
        vcpRegion: US
        region: US
      certManager: 
        install: true
      venafiConnection:
        install: true
      venafiEnhancedIssuer:
        install: true
        values: 
          venafiEnhancedIssuer:
            tolerations: 
            - key: node-role.kubernetes.io/infra
              operator: Exists
              effect: NoSchedule
            - key: node-role.kubernetes.io/private
              operator: Exists
              effect: NoSchedule
        version: v0.15.0
    
    venafi-components.yaml (EU region)
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals:
        enableDefaultApprover: false 
        imagePullSecretNames: [venafi-image-pull-secret] 
        namespace: venafi 
        useFIPSImages: false 
        vcpRegion: EU 
        region: EU
      certManager: 
        install: true
      venafiConnection:
        install: true
      venafiEnhancedIssuer:
        install: true
        values: 
          venafiEnhancedIssuer:
            tolerations: 
            - key: node-role.kubernetes.io/infra
              operator: Exists
              effect: NoSchedule
            - key: node-role.kubernetes.io/private
              operator: Exists
              effect: NoSchedule
        version: v0.15.0
    
    venafi-components.yaml (custom registry)
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals: 
        customChartRepository: oci://myregistry.example.com/charts
        customImageRegistry: myregistry.example.com
        enableDefaultApprover: false 
        imagePullSecretNames: [venafi-image-pull-secret] 
        namespace: venafi 
        useFIPSImages: false
      certManager: 
        install: true
      venafiConnection:
        install: true
      venafiEnhancedIssuer:
        install: true
        values: 
          venafiEnhancedIssuer:
            tolerations: 
            - key: node-role.kubernetes.io/infra
              operator: Exists
              effect: NoSchedule
            - key: node-role.kubernetes.io/private
              operator: Exists
              effect: NoSchedule
        version: v0.15.0
    

    Note

    Set the spec.certManager.skip parameter to true and the spec.certManager.install parameter to false if you have already installed and configured cert-manager.

    Tip

    For a complete list of Venafi Control Plane Operator configuration parameters, refer to the Venafi Control Plane Operator API reference.

  2. Apply the manifest by running the following command:

    oc apply -f venafi-components.yaml
    

Step 3: Verify the installation

  1. Verify that Venafi Enhanced Issuer was installed successfully by running the following command:

    oc get venafiinstall,pods
    

    Sample output:

    NAME                                                   STATUS   LAST SYNC
    venafiinstall.installer.venafi.com/venafi-components   Synced   109s
    
    NAME                                           READY   STATUS    RESTARTS   AGE
    pod/cert-manager-6976949b6d-dkc7c              1/1     Running   0          33m
    pod/cert-manager-cainjector-6f55988c8f-clmfj   1/1     Running   0          33m
    pod/cert-manager-webhook-75ddc44d97-4xt7f      1/1     Running   0          33m
    pod/vcp-operator-6f76c5fb67-z2cm2              1/1     Running   2          5d10h
    pod/venafi-enhanced-issuer-64bf67974c-2z86d    1/1     Running   0          2m16s
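
A scripted version of the Step 3 check, added here as an example (it is not part of the Venafi documentation): the hypothetical check_install function reads the output of oc get venafiinstall,pods on stdin and fails unless every VenafiInstall is Synced, every pod is fully ready and Running, and a venafi-enhanced-issuer pod is present. The failing sample and its pod name are constructed.

```shell
# check_install: reads `oc get venafiinstall,pods` output on stdin (added example).
# Returns 0 only when the install is Synced and all pods are ready and Running.
check_install() {
  awk '
    /^venafiinstall\./ {
      installs++
      if ($2 != "Synced") { printf "not synced: %s (%s)\n", $1, $2; bad = 1 }
    }
    /^pod\// {
      split($2, r, "/")                      # READY column, e.g. 1/1
      if (r[1] != r[2] || $3 != "Running") {
        printf "not ready: %s (%s, %s)\n", $1, $2, $3; bad = 1
      }
      if ($1 ~ /^pod\/venafi-enhanced-issuer-/) issuer = 1
    }
    END {
      if (!installs) { print "no VenafiInstall resource found"; bad = 1 }
      if (!issuer)   { print "no venafi-enhanced-issuer pod found"; bad = 1 }
      exit bad + 0
    }'
}

# Sample output copied from Step 3 of this page.
SAMPLE_OK='NAME                                                   STATUS   LAST SYNC
venafiinstall.installer.venafi.com/venafi-components   Synced   109s

NAME                                           READY   STATUS    RESTARTS   AGE
pod/cert-manager-6976949b6d-dkc7c              1/1     Running   0          33m
pod/cert-manager-cainjector-6f55988c8f-clmfj   1/1     Running   0          33m
pod/cert-manager-webhook-75ddc44d97-4xt7f      1/1     Running   0          33m
pod/vcp-operator-6f76c5fb67-z2cm2              1/1     Running   2          5d10h
pod/venafi-enhanced-issuer-64bf67974c-2z86d    1/1     Running   0          2m16s'

# Constructed failure case: the issuer pod cannot pull its image,
# for example when the image pull secret from Step 1 is missing.
SAMPLE_BAD='NAME                                                   STATUS   LAST SYNC
venafiinstall.installer.venafi.com/venafi-components   Synced   109s

NAME                                           READY   STATUS             RESTARTS   AGE
pod/cert-manager-6976949b6d-dkc7c              1/1     Running            0          33m
pod/venafi-enhanced-issuer-0000000000-aaaaa    0/1     ImagePullBackOff   0          2m16s'

# Live use on a cluster: oc get venafiinstall,pods | check_install
printf '%s\n' "$SAMPLE_OK"  | check_install && echo "install verified"
printf '%s\n' "$SAMPLE_BAD" | check_install || echo "install NOT verified"
```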