Installing Venafi Enhanced Issuer using the Venafi CLI tool

The Venafi CLI tool offers the quickest and easiest method for installing Venafi Enhanced Issuer.

To download the latest version of Venafi Enhanced Issuer as a Docker image or Helm Chart, see the download links specific to your region on the Venafi Enhanced Issuer release page.

Prerequisites

  • You must have access to a Venafi Control Plane (TLS Protect Cloud or TLS Protect Datacenter) instance.
  • You must have permission to install Helm charts and CRDs on your Kubernetes cluster.
  • You must install cert-manager in your cluster.
  • You must have kubectl installed on your local computer.

Important

If you use your own registry, which replicates the Venafi images, substitute the address of your own registry in the relevant commands given on this page.

Step 1: Configure access to the Venafi OCI registry

Follow the instructions in Configuring access to enterprise components to enable access to the artifacts required for this component (Venafi Enhanced Issuer Component for cert-manager is the default scope for Venafi Enhanced Issuer). Use venafi as the namespace.

For the example below, we assume you created the following Kubernetes secret:

  • namespace: venafi
  • name: venafi-image-pull-secret

Step 2: (Optional) Create trusted CA bundles

If you want to use Venafi Enhanced Issuer with a TLS Protect Datacenter or HashiCorp Vault instance that is served by a certificate signed by your company's private CA, you must tell Venafi Enhanced Issuer which CA certificates to trust.

If you want to use Venafi Enhanced Issuer with Venafi Control Plane and egress traffic from your Kubernetes clusters is controlled by an HTTP or transparent proxy, you may also need to configure a custom CA bundle so that the proxy that terminates the TLS connection is trusted.

Note

Unlike cert-manager, which has the caBundle field, Venafi Enhanced Issuer requires you to mount the CA certificates to be trusted in Venafi Enhanced Issuer's file system (at /etc/ssl/certs) using ConfigMap resources.

To configure the CA certificates to trust, first create a ConfigMap in the venafi namespace, and reference the certificates in the trustedCaBundles field in the Helm chart. The trustedCaBundles field defines which ConfigMap resources are mounted at /etc/ssl/certs in the pod.

The example in Step 3 assumes that you created the following Kubernetes ConfigMap resources:

For TLS Protect Datacenter:

  • namespace: venafi
  • name: ca-cert-tpp

For HashiCorp Vault:

  • namespace: venafi
  • name: ca-cert-vault

For an HTTP or transparent proxy:

  • namespace: venafi
  • name: ca-cert-proxy

To configure a ConfigMap using trustedCaBundles:

  1. Use kubectl to add the custom CA bundle to a ConfigMap. The ConfigMap name and the data key (ca.crt) must match the configMapName and configMapKey values you reference in the next step; repeat the command for each bundle (ca-cert-tpp, ca-cert-vault, ca-cert-proxy) you need:

    kubectl --namespace venafi create configmap ca-cert-tpp --from-file=ca.crt=<file-name>
    
  2. Create a file named venafi-enhanced-issuer.values.yaml:

    venafiEnhancedIssuer:
      manager:
        trustedCaBundles:
          # To load the CA bundle to trust your TPP server:
          - configMapName: ca-cert-tpp
            configMapKey: ca.crt
          # To load the CA bundle to trust your Vault server:
          - configMapName: ca-cert-vault
            configMapKey: ca.crt
          # To load the CA bundle to trust your transparent or HTTP proxy:
          - configMapName: ca-cert-proxy
            configMapKey: ca.crt
    
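As an added example (not Venafi's own tooling), the following script builds the three CA-bundle ConfigMaps from Step 2, derives the matching trustedCaBundles entries, and checks that every entry resolves to a ConfigMap name/key pair that actually exists, which catches the common mistake of swapping the ConfigMap name and the --from-file key. The PEM content is a constructed placeholder, not a real certificate; kubectl apply -f accepts the JSON it prints.

```python
import json
import re

# One PEM certificate block; re.S lets "." span the base64 body lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a private CA bundle (not a real certificate).
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedSampleNotARealCertificate==\n"
    "-----END CERTIFICATE-----\n"
)


def count_certificates(pem: str) -> int:
    """Number of PEM certificate blocks in a bundle (0 means nothing to trust)."""
    return len(PEM_BLOCK.findall(pem))


def build_configmap(name: str, pem: str, namespace: str = "venafi",
                    key: str = "ca.crt") -> dict:
    """ConfigMap holding the bundle under `key`, the value used as configMapKey."""
    if count_certificates(pem) == 0:
        raise ValueError(f"{name}: no PEM certificate found in bundle")
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "namespace": namespace},
        "data": {key: pem},
    }


def trusted_ca_bundles(configmaps: list[dict]) -> list[dict]:
    """Entries for venafiEnhancedIssuer.manager.trustedCaBundles in the values file."""
    return [{"configMapName": cm["metadata"]["name"], "configMapKey": key}
            for cm in configmaps for key in cm["data"]]


def find_unresolvable(bundles: list[dict], configmaps: list[dict]) -> list[dict]:
    """Entries whose name/key pair exists in no ConfigMap (the mount at /etc/ssl/certs would fail)."""
    present = {(cm["metadata"]["name"], k) for cm in configmaps for k in cm["data"]}
    return [b for b in bundles if (b["configMapName"], b["configMapKey"]) not in present]


if __name__ == "__main__":
    cms = [build_configmap(n, SAMPLE_PEM)
           for n in ("ca-cert-tpp", "ca-cert-vault", "ca-cert-proxy")]
    # Save as ca-bundles.json and run: kubectl --namespace venafi apply -f ca-bundles.json
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": cms}, indent=2))
    print("trustedCaBundles:", trusted_ca_bundles(cms))
```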

Step 3: Deploying Venafi Enhanced Issuer using the Venafi CLI tool

  1. If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
  2. Initialize the Venafi Kubernetes Manifest tool:

    venctl components kubernetes manifest tool init
    

    For more information on this command and its associated flags, see the venctl reference page.

  3. Issue the following command to generate a Venafi Kubernetes manifest which, when applied, will install Venafi Enhanced Issuer:

    A sample command for users of the US region OCI registry:

    venctl components kubernetes manifest generate --region us --venafi-enhanced-issuer > venafi-components.yaml
    

    A sample command for users of the EU region OCI registry:

    venctl components kubernetes manifest generate --region eu --venafi-enhanced-issuer > venafi-components.yaml
    

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    venctl components kubernetes manifest generate \
      --region custom \
      --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
      --cert-manager-custom-image-registry myregistry.example.com \
      --venafi-enhanced-issuer-custom-chart-repository oci://myregistry.example.com/charts \
      --venafi-enhanced-issuer-custom-image-registry myregistry.example.com \
      --venafi-enhanced-issuer > venafi-components.yaml
    

    Deploying Venafi Enhanced Issuer with trusted CA bundles

    If you want to deploy Venafi Enhanced Issuer with trusted CA bundles (as shown in Step 2 above), replace the manifest generate command in Step 3.3 with the following:

    A sample command for users of the US region OCI registry:

    venctl components kubernetes manifest generate \
        --region us \
        --venafi-enhanced-issuer-values-files venafi-enhanced-issuer.values.yaml \
        --venafi-enhanced-issuer > venafi-components.yaml
    

    A sample command for users of the EU region OCI registry:

    venctl components kubernetes manifest generate \
        --region eu \
        --venafi-enhanced-issuer-values-files venafi-enhanced-issuer.values.yaml \
        --venafi-enhanced-issuer > venafi-components.yaml
    

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    venctl components kubernetes manifest generate \
        --region custom \
        --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
        --cert-manager-custom-image-registry myregistry.example.com \
        --venafi-enhanced-issuer-custom-chart-repository oci://myregistry.example.com/charts \
        --venafi-enhanced-issuer-custom-image-registry myregistry.example.com \
        --venafi-enhanced-issuer-values-files venafi-enhanced-issuer.values.yaml \
        --venafi-enhanced-issuer > venafi-components.yaml
    
  4. To apply the manifest, use the following command:

    venctl components kubernetes manifest tool sync --file venafi-components.yaml
    

    For more information and options on using the Venafi CLI tool to install this component, see the Venafi CLI tool reference page.

    Tip

    To find out the current default version of Trust Manager (and all the Venafi Kubernetes components you can install with the Venafi CLI tool), use the venctl components kubernetes manifest print-versions command.

Tip

You can also use the venctl components kubernetes apply command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments.

See venctl components kubernetes apply for more information on how to use the command with this component.