Installing Enterprise Issuer for CyberArk Certificate Manager using the CLI tool
The CLI tool for CyberArk Certificate Manager offers the quickest and easiest method for installing Enterprise Issuer for CyberArk Certificate Manager (Enterprise Issuer).
To download the latest version of Enterprise Issuer as a Docker image or Helm Chart, see the download links specific to your region on the Enterprise Issuer releases page.
Prerequisites
- You must have access to a Certificate Manager - SaaS or Certificate Manager - Self-Hosted instance.
- You must have permission to install Helm charts and CRDs on your Kubernetes cluster.
- You must install cert-manager in your cluster.
- You must have kubectl installed on your local computer.
Important
If you use your own registry, which replicates the CyberArk images, substitute the address of your own registry in the relevant commands given on this page.
Step 1: Configure access to the CyberArk OCI registry
Follow the instructions in Configuring access to enterprise components to enable access to the artifacts required for this component (Enterprise Issuer Component for cert-manager is the default scope for Enterprise Issuer). Use venafi as the namespace.
For the example below, we assume you created the following Kubernetes secret:
- namespace: venafi
- name: venafi-image-pull-secret
Step 2: (Optional) Create trusted CA bundles
If you want to use Enterprise Issuer with a Certificate Manager - Self-Hosted or HashiCorp Vault instance that is served by a certificate signed by your company's private CA, you must tell Enterprise Issuer which CA certificates to trust.
If you want to use Enterprise Issuer with Certificate Manager - SaaS and egress traffic in your Kubernetes clusters is controlled by an HTTP or transparent proxy, you may also need to configure a custom CA bundle so that Enterprise Issuer trusts the proxy that terminates the TLS connection.
Note
Unlike cert-manager, which has the caBundle field, Enterprise Issuer requires you to mount the CA certificates to be trusted in Enterprise Issuer's file system (at /etc/ssl/certs) using ConfigMap resources.
To configure the CA certificates to trust, first create a ConfigMap in the venafi namespace, and reference the certificates in the trustedCaBundles field in the Helm chart. The trustedCaBundles field defines which ConfigMap resources are mounted at /etc/ssl/certs in the pod.
The example in Step 3 assumes that you created the following Kubernetes ConfigMap resources:
For Certificate Manager - Self-Hosted:
- namespace: venafi
- name: ca-cert-tpp
For HashiCorp Vault:
- namespace: venafi
- name: ca-cert-vault
For an HTTP or transparent proxy:
- namespace: venafi
- name: ca-cert-proxy
To configure a ConfigMap using trustedCaBundles:
- Use kubectl to add the custom CA bundle to a ConfigMap. The ConfigMap name and key must match the configMapName and configMapKey values referenced in the values file in the next step, for example:
    kubectl --namespace venafi create configmap ca-cert-tpp --from-file=ca.crt=<file-name>
  Repeat the command for ca-cert-vault and ca-cert-proxy as required.
- Create a file named venafi-enhanced-issuer.values.yaml:
    venafiEnhancedIssuer:
      manager:
        trustedCaBundles:
          # To load the CA bundle to trust your TPP server:
          - configMapName: ca-cert-tpp
            configMapKey: ca.crt
          # To load the CA bundle to trust your Vault server:
          - configMapName: ca-cert-vault
            configMapKey: ca.crt
          # To load the CA bundle to trust your transparent or HTTP proxy:
          - configMapName: ca-cert-proxy
            configMapKey: ca.crt
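A trustedCaBundles entry is only useful if the referenced configMapName/configMapKey pair actually exists in the venafi namespace and holds PEM certificates (and nothing else, such as a private key that was bundled by mistake). The following Python check is an added example, not part of this page or of the CyberArk tooling; it assumes the JSON shape returned by `kubectl --namespace venafi get configmaps -o json` and embeds constructed sample data inline (the PEM bodies are placeholders, not real certificates).

```python
"""Check the trustedCaBundles entries from venafi-enhanced-issuer.values.yaml
against the ConfigMaps present in the venafi namespace (added example)."""
import json
import re

# Constructed sample standing in for `kubectl --namespace venafi get configmaps -o json`.
# Names and keys mirror the page; PEM bodies are placeholders, not real certificates.
SAMPLE_CONFIGMAPS_JSON = json.dumps({"items": [
    {"metadata": {"name": "ca-cert-tpp"},
     "data": {"ca.crt": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"}},
    {"metadata": {"name": "ca-cert-vault"},  # bundle that wrongly includes a private key
     "data": {"ca.crt": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
                        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"}},
    {"metadata": {"name": "ca-cert-proxy"},  # created with the wrong key name
     "data": {"ca-cert": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"}},
]})

# Constructed: the trustedCaBundles list from the values file in Step 2.
TRUSTED_CA_BUNDLES = [
    {"configMapName": "ca-cert-tpp", "configMapKey": "ca.crt"},
    {"configMapName": "ca-cert-vault", "configMapKey": "ca.crt"},
    {"configMapName": "ca-cert-proxy", "configMapKey": "ca.crt"},
]

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def check_trusted_ca_bundles(bundles, configmaps_json):
    """Return a list of findings; an empty list means every referenced
    ConfigMap key exists and holds PEM certificates only."""
    cms = {cm["metadata"]["name"]: cm.get("data") or {}
           for cm in json.loads(configmaps_json)["items"]}
    findings = []
    for bundle in bundles:
        name, key = bundle["configMapName"], bundle["configMapKey"]
        if name not in cms:
            findings.append(f"{name}: ConfigMap not found in namespace venafi")
            continue
        if key not in cms[name]:
            findings.append(f"{name}: key {key!r} missing (present: {sorted(cms[name])})")
            continue
        pem = cms[name][key]
        if not PEM_CERT.search(pem):
            findings.append(f"{name}/{key}: no PEM certificate block found")
        if PEM_PRIVATE_KEY.search(pem):
            findings.append(f"{name}/{key}: contains a private key; a CA bundle must hold certificates only")
    return findings
```

Run it against real cluster output by replacing SAMPLE_CONFIGMAPS_JSON with the kubectl output before applying the manifest in Step 3; a mismatched key name is the most common reason the mounted bundle under /etc/ssl/certs ends up empty.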
Step 3: Deploying Enterprise Issuer using the CLI tool for CyberArk Certificate Manager
- If not already installed, download and install the relevant version of the CLI tool for CyberArk Certificate Manager for your platform.
- Issue the following command to generate a CyberArk Kubernetes manifest which, when applied, will install Enterprise Issuer:
  A sample command for users of the US region OCI registry:
    venctl components kubernetes manifest generate --region us --venafi-enhanced-issuer > venafi-components.yaml
  Regional registries
  The example above uses the US-based OCI registry. Tenants in the following Certificate Manager - SaaS regions (US, Canada, Australia, and Singapore) must use this registry. Tenants in the EU and UK must use the EU registry: private-registry.venafi.eu. For more information on Venafi OCI registries, see Configuring access to a Venafi OCI Registry.
  A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:
    venctl components kubernetes manifest generate \
      --region custom \
      --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
      --cert-manager-custom-image-registry myregistry.example.com \
      --venafi-enhanced-issuer-custom-chart-repository oci://myregistry.example.com/charts \
      --venafi-enhanced-issuer-custom-image-registry myregistry.example.com \
      --venafi-enhanced-issuer > venafi-components.yaml
  Deploying Enterprise Issuer with trusted CA bundles
  If you want to deploy Enterprise Issuer for CyberArk Certificate Manager with trusted CA bundles (as shown in Step 2 above), replace the manifest generate command above with the following:
  A sample command for users of the US region OCI registry:
    venctl components kubernetes manifest generate \
      --region us \
      --venafi-enhanced-issuer-values-files venafi-enhanced-issuer.values.yaml \
      --venafi-enhanced-issuer > venafi-components.yaml
  For information on how to pull from a non-US registry for this command, see the Regional registries note above.
  A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:
    venctl components kubernetes manifest generate \
      --region custom \
      --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
      --cert-manager-custom-image-registry myregistry.example.com \
      --venafi-enhanced-issuer-custom-chart-repository oci://myregistry.example.com/charts \
      --venafi-enhanced-issuer-custom-image-registry myregistry.example.com \
      --venafi-enhanced-issuer-values-files venafi-enhanced-issuer.values.yaml \
      --venafi-enhanced-issuer > venafi-components.yaml
- To apply the manifest, use the following command:
    venctl components kubernetes manifest tool sync --file venafi-components.yaml
  For more information and options on using the CLI tool for CyberArk Certificate Manager to install this component, see the CLI tool for CyberArk Certificate Manager reference page.
Tip
To find out the current default version of Trust Manager (and all the CyberArk Kubernetes components you can install with the CLI tool for CyberArk Certificate Manager), use the venctl components kubernetes manifest print-versions command.
Tip
You can also use the venctl components kubernetes apply command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments.
See venctl components kubernetes apply for more information on how to use the command with this component.