Installing Venafi Kubernetes Agent using the Venafi Control Plane Operator¶
Venafi Control Plane Operator for Red Hat OpenShift is designed to assist customers in installing, maintaining, and upgrading Venafi cluster components.
Follow the steps below to deploy the default version of cert-manager and Venafi Kubernetes Agent using the Venafi Control Plane Operator.
Prerequisites¶
To install Venafi Kubernetes Agent using the Venafi Control Plane Operator, you'll need to ensure you have the following:
- Access to the Venafi OCI registry (or your own mirror).
- Venafi Control Plane Operator already installed on your system.
- Red Hat OpenShift CLI tool
ocinstalled on your system.
Step 1: Configure access to the Venafi OCI registry¶
Important
Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.
For the example below, it's assumed that you created the following Kubernetes Secret:
- namespace:
venafi - name:
venafi-image-pull-secret
Step 2: Create a service account in the Venafi Control Plane UI¶
If you haven't already done so, create a service account in the Venafi Control Plane UI and obtain both the private key and client ID.
- Sign in to Venafi Control Plane.
-
Click Settings > Service Accounts.
-
Click New.
-
Choose the Kubernetes Agent option from the Use case list, and click Continue.
The use cases available for you to choose depend on which Venafi Control Plane components you have licenses for.
-
Enter a Name for your new service account.
-
Select an Owning Team. This team owns the machine you want to create the service account for.
-
(Conditional) Enter the number of days for which you want the account to remain valid in the Validity (days) field. You can select any number from 1 to 365 days. This step doesn't apply when creating a Custom API Integration service account.
-
Select the Kubernetes Discovery option from the Scope drop-down, and click Continue. Learn more
-
Select one of the following key generation options as required:
Click the Auto-generate a keypair and download the private key radio button, and click Create.
In the Credentials section, copy the public and private keys.
Important
Copy and store this private key securely as it cannot be recovered if lost. This is your only opportunity to copy this private key.
Store the private key as a
venafi-agent-private-key.pemfile, so it can be later imported to the cluster.Or:
Click the Generate your own keypair and upload the public key radio button, and click Continue.
In the Credentials section, provide the public key corresponding to the private key that your service will use. For your public key to be valid, it must be in PEM format and no longer than 2000 characters. The supported key algorithms are:
- RSA in 2048, 3072, or 4096 key lengths - ECDSA: P256, P384, or P521 - EDDSA: ED25519 -
Click Finish to create the service account and return to the Service Accounts page.
-
In the Service Account inventory page, locate the service account you just created. At the far right side of the screen, click the more icon, then click Copy Client ID.
Paste the client ID to a location you will be able to access later as it will be required as part of the Helm install command.
-
Create the
venafinamespace, and a Kubernetes secret containing the private key of the desired service account.oc create namespace venafi -
Import the private key you created and stored earlier in to the cluster:
oc create secret generic agent-credentials \ --namespace=venafi \ --from-file=privatekey.pem=venafi-agent-private-key.pem
Step 3: Create and apply the manifest¶
-
Create a manifest
venafi-components.yaml. You can use one of the samples below:venafi-components.yamlapiVersion: installer.venafi.com/v1alpha1 kind: VenafiInstall metadata: name: venafi-components spec: globals: enableDefaultApprover: false imagePullSecretNames: [venafi-image-pull-secret] namespace: venafi useFIPSImages: false vcpRegion: US region: US certManager: install: true skip: false version: v1.15.3 venafiKubernetesAgent: install: true clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx values: securityContext: runAsUser: xxxxxxxxxx tolerations: - key: node-role.kubernetes.io/infra operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/private operator: Exists effect: NoSchedule version: 1.0.0venafi-components.yamlapiVersion: installer.venafi.com/v1alpha1 kind: VenafiInstall metadata: name: venafi-components spec: globals: enableDefaultApprover: false imagePullSecretNames: [venafi-image-pull-secret] namespace: venafi useFIPSImages: false vcpRegion: EU region: EU certManager: install: true skip: false version: v1.15.3 venafiKubernetesAgent: install: true clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx values: securityContext: runAsUser: xxxxxxxxxx tolerations: - key: node-role.kubernetes.io/infra operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/private operator: Exists effect: NoSchedule version: 1.0.0venafi-components.yamlapiVersion: installer.venafi.com/v1alpha1 kind: VenafiInstall metadata: name: venafi-components spec: globals: customChartRepository: oci://myregistry.example.com/charts customImageRegistry: myregistry.example.com enableDefaultApprover: false imagePullSecretNames: [venafi-image-pull-secret] namespace: venafi useFIPSImages: false certManager: install: true skip: false version: v1.15.3 venafiKubernetesAgent: install: true clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx values: securityContext: runAsUser: xxxxxxxxxx tolerations: - key: node-role.kubernetes.io/infra operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/private operator: Exists effect: NoSchedule version: 1.0.0Notes
Set the
spec.certManager.skipparameter totrueand thespec.certManager.installparameter tofalseif you have already installed and configured cert-manager.Use the
clientIDfield to specify the client ID of the Venafi Control Plane service account for the Venafi Kubernetes Agent. This is a required field when installing Venafi Kubernetes Agent.Using a Proxy server
Some Kubernetes clusters are configured to only allow Internet connections via a HTTP(S) proxy. If that applies to you:
- Add
api.venafi.cloudto the allowed domain list of your egress proxy if you are using the US region. If you are using the EU Venafi Control Plane region, addapi.venafi.euinstead. -
Add one of the following environment variable Helm values parameters as required to the manifest
venafi-components.yamlfile.Configures the HTTP_PROXY environment variable where a HTTP proxy is required. For example:
venafi-components... values: http_proxy: "http://<proxy server>:<port>" ...Configures the HTTPS_PROXY environment variable where a HTTP proxy is required. For example:
venafi-components... values: https_proxy: "https://<proxy server>:<port>" ...Configures the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded. For example:
venafi-components... values: no_proxy: 127.0.0.1,localhost,kubernetes.default.svc,kubernetes.default.svc.cluster.local ...
Also, when the Venafi Kubernetes Agent requires a proxy for outbound connections, and the proxy uses a certificate issued by a private certificate authority, you can add the certificate authority to a custom CA bundle that the agent will trust. The Helm chart supports specifying volumes and volume mounts to streamline this process. For more information, see the Venafi Kubernetes Agent Helm values reference page.
Tip
For a complete list of Venafi Control Plane Operator configuration parameters, refer to the Venafi Control Plane Operator API reference.
- Add
-
Apply the manifest by running the following command:
oc apply -f venafi-components.yaml
Using a proxy server¶
Some Kubernetes clusters are configured to only allow Internet connections via an HTTP(S) proxy. If that applies to you:
- Add
api.venafi.cloudto the allowed domain list of your egress proxy if you are using the US region. If you are using the EU Venafi Control Plane region, addapi.venafi.euinstead. -
If using a Helm chart to install Venafi Kubernetes Agent, you can use of the following Helm values.
Configures the HTTP_PROXY environment variable where a HTTP proxy is required. For example:
http_proxy: "http://<proxy server>:<port>"Configure the HTTPS_PROXY environment variable where a HTTP proxy is required. For example:
https_proxy: "https://<proxy server>:<port>"Configure the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded. For example:
no_proxy: 127.0.0.1,localhost,kubernetes.default.svc,kubernetes.default.svc.cluster.local
For more information about proxy server Helm values for Venafi Kubernetes Agent, see the Venafi Kubernetes Agent Helm values reference page.
Also, when the Venafi Kubernetes Agent requires a proxy for outbound connections, and the proxy uses a certificate issued by a private certificate authority, you can now add the certificate authority to a custom CA bundle that the agent will trust. The Helm chart supports specifying volumes and volume mounts to streamline this process. For more information, see the Venafi Kubernetes Agent Helm values reference page.
Step 4: Verify the installation¶
-
Verify whether Venafi Kubernetes Agent is successfully installed by running the following command:
oc get venafiinstall,podsSample output:
NAME STATUS LAST SYNC venafiinstall.installer.venafi.com/venafi-components Synced 5h8m NAME READY STATUS RESTARTS AGE pod/cert-manager-7b67bb8b56-9tslt 1/1 Running 0 5h10m pod/cert-manager-cainjector-6f55988c8f-qjj94 1/1 Running 0 5h10m pod/cert-manager-webhook-75ddc44d97-8mmjq 1/1 Running 0 5h10m pod/vcp-operator-6f76c5fb67-z2cm2 1/1 Running 0 6d8h pod/venafi-kubernetes-agent-6cc4bc5967-2992j 1/1 Running 0 5h10m