Installing Venafi Enhanced Issuer using the Venafi Control Plane Operator¶
Venafi Control Plane Operator for Red Hat OpenShift is designed to assist customers in installing, maintaining, and upgrading Venafi cluster components.
Follow the steps below to deploy the default version of cert-manager and Venafi Enhanced Issuer using the Venafi Control Plane Operator.
Prerequisites¶
To install Venafi Enhanced Issuer using the Venafi Control Plane Operator you'll need the following:
- Access to the Venafi OCI registry (or your own mirror).
- You have Venafi Control Plane Operator already installed on your system.
- You have the Red Hat OpenShift CLI tool
oc
installed on your system.
Step 1: Configure access to the Venafi OCI registry¶
Important
Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (cert-manager Components
is the default scope for cert-manager). Use venafi
as the namespace.
For the example below, it's assumed that you created the following Kubernetes Secret:
- namespace:
venafi
- name:
venafi-image-pull-secret
Step 2: Create and apply the manifest¶
-
Create a manifest
venafi-components.yaml
. You can use one of the samples below as a base:venafi-components.yamlapiVersion: installer.venafi.com/v1alpha1 kind: VenafiInstall metadata: name: venafi-components spec: globals: enableDefaultApprover: false imagePullSecretNames: [venafi-image-pull-secret] namespace: venafi useFIPSImages: false vcpRegion: US region: US certManager: install: true venafiConnection: install: true venafiEnhancedIssuer: install: true values: venafiEnhancedIssuer: tolerations: - key: node-role.kubernetes.io/infra operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/private operator: Exists effect: NoSchedule version: v0.14.0
venafi-components.yamlapiVersion: installer.venafi.com/v1alpha1 kind: VenafiInstall metadata: name: venafi-components spec: globals: enableDefaultApprover: false imagePullSecretNames: [venafi-image-pull-secret] namespace: venafi useFIPSImages: false vcpRegion: EU region: EU certManager: install: true venafiConnection: install: true venafiEnhancedIssuer: install: true values: venafiEnhancedIssuer: tolerations: - key: node-role.kubernetes.io/infra operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/private operator: Exists effect: NoSchedule version: v0.14.0
venafi-components.yamlapiVersion: installer.venafi.com/v1alpha1 kind: VenafiInstall metadata: name: venafi-components spec: globals: customChartRepository: oci://myregistry.example.com/charts customImageRegistry: myregistry.example.com enableDefaultApprover: false imagePullSecretNames: [venafi-image-pull-secret] namespace: venafi useFIPSImages: false certManager: install: true venafiConnection: install: true venafiEnhancedIssuer: install: true values: venafiEnhancedIssuer: tolerations: - key: node-role.kubernetes.io/infra operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/private operator: Exists effect: NoSchedule version: v0.14.0
Note
Set the
spec.certManager.skip
parameter totrue
and thespec.certManager.install
parameter tofalse
if you have already installed and configured cert-manager.Tip
For a complete list of Venafi Control Plane Operator configuration parameters, refer to the Venafi Control Plane Operator API reference.
-
Apply the manifest by running the following command:
oc apply -f venafi-components.yaml
Step 3: Verify the installation¶
-
Verify whether Venafi Enhanced Issuer is successfully installed by running the following command:
oc get venafiinstall,pods
Sample output:
NAME STATUS LAST SYNC venafiinstall.installer.venafi.com/venafi-components Synced 109s NAME READY STATUS RESTARTS AGE pod/cert-manager-6976949b6d-dkc7c 1/1 Running 0 33m pod/cert-manager-cainjector-6f55988c8f-clmfj 1/1 Running 0 33m pod/cert-manager-webhook-75ddc44d97-4xt7f 1/1 Running 0 33m pod/vcp-operator-6f76c5fb67-z2cm2 1/1 Running 2 5d10h pod/venafi-enhanced-issuer-64bf67974c-2z86d 1/1 Running 0 2m16s