Skip to content

Venafi CLI tool releases

Learn about current and past releases of the Venafi CLI tool.

Latest release

The latest stable version of Venafi CLI is v1.14.1.

Select the file appropriate for your platform below:

Latest Release OS Architecture GPG Signature
Venafi CLI Linux AMD64 / x86-64 Signature
Venafi CLI Linux ARM64 Signature
Venafi CLI macOS AMD64 / x86-64 Signature
Venafi CLI macOS ARM64, Apple Silicon Signature
Venafi CLI Windows AMD64 / x86-64 Signature
Checksums (SHA256)

Verifying Venafi CLI archives after download

Once you have downloaded the Venafi CLI archive and its corresponding signature file, you can verify by executing a command similar to the following:

gpg --verify venctl-linux-amd64.zip.sig venctl-linux-amd64.zip

For a valid signature, the output is similar to the example below:

gpg: Signature made Wed Dec  6 11:09:05 2023 UTC
gpg:                using RSA key BA2F4B4442D945F0A2810A686B99EC1CEEE83892
gpg:                issuer "gpg-vaas@venafi.com"
gpg: Good signature from "Venafi, Inc. <gpg-vaas@venafi.com>" [ultimate]
If you see the error message Can't check signature: No public key., it means that you haven't trusted Venafi's GPG (GNU Privacy Guard)signing key yet. To prevent this error, make sure to trust Venafi's GPG signing key manually before verifying the Venafi CLI archive.

Trusting the Venafi GPG signing key
  1. Download the Venafi GPG public key:

    curl -O https://dl.venafi.cloud/vaaskey.pub
    
  2. Import the key into your GPG keyring:

    gpg --import ./vaaskey.pub
    
  3. Set ownertrust for Venafi Inc. to ultimate:

    echo -e "trust\n5\ny\n" | gpg --no-tty --command-fd 0 --edit-key "gpg-vaas@venafi.com"
    
  4. Verify the key in your keyring:

    gpg --list-keys
    

    The result should look similar to the following:

    /home/user/.gnupg/pubring.kbx
    -----------------------------
    pub   rsa4096 2022-03-18 [SCEA]
          BA2F4B4442D945F0A2810A686B99EC1CEEE83892
    uid           [ultimate] Venafi, Inc. <gpg-vaas@venafi.com>
    sub   rsa2048 2022-03-22 [A]
    sub   rsa2048 2022-03-22 [E]
    

Release 1.14.1

Venafi CLI tool 1.14.1 was released on September 11, 2024.

Important

If you have downloaded and installed v1.14.0, you should upgrade to v1.14.1 using the venctl update command or, for Homebrew users, brew upgrade venctl.

Key features

  • Bug fixes An issue where venctl installation cluster connect failed in release v1.14.0.
  • Default component versions for this release

    The following is a full list of the component versions installable by default in release 1.14.1.

    Component Default version for this release
    Approver Policy v0.15.1
    Approver Policy Enterprise v0.18.1
    AWS Private CA Issuer v1.3.0
    cert-manager v1.15.3
    CSI driver v0.10.1
    CSI driver for SPIFFE v0.8.1
    Firefly v1.5.0
    Istio CSR 0.12.0
    OpenShift Routes 0.6.0
    Trust Manager v0.12.0
    Venafi Connection v0.1.0
    Venafi Enhanced Issuer v0.14.0
    Venafi Kubernetes Agent v1.0.0
Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.14.1 Linux AMD64 / x86-64 ff9b8fd0dcff6a58f4e9b8d8bfb956f393b7d3b3567ee84153ba034cdfcccd37 Signature
Venafi CLI 1.14.1 Linux ARM64 644bddbc32aea0ebd55a0e297ecf8e40450c9277ed4a9132f4ab35df388b8948 Signature
Venafi CLI 1.14.1 macOS AMD64 / x86-64 803d3864fc013a06ac611a1a1cb2f9fef9fa45b0c1c9bfcb95847c60132c20e2 Signature
Venafi CLI 1.14.1 macOS ARM64, Apple Silicon 9c88704d436a6f52dc9d3f2e3bdd15679aba2eecf2a8988b87ee81afb9df14b7 Signature
Venafi CLI 1.14.1 Windows AMD64 / x86-64 aa8d7f8998935ae59eed701a49854d3d4ff40d34ae05d15d403770c09af14c73 Signature
Checksums (SHA256)

Release 1.14.0

Venafi CLI tool 1.14.0 was released on September 11, 2024.

Key features

  • OpenShift Routes support Release v1.14.0 adds support for installing the OpenShift Routes component.
  • Venafi Kubernetes Agent manifest improvements You can now generate manifests for agents without needing to specify a client ID.
  • Manifest comments Generated manifests now include a comment at the top containing the command used to generate the manifest. This helps you to edit or recreate a manifest if required later..
  • Istio CSR support This release adds support for Istio CSR with extra objects defined at manifest generation time.
  • Bug fixes An issue where the Venafi CLI tool incorrectly required a TTY when the --no-prompts flags is used was corrected.
  • Default component versions for this release

    The following is a full list of the component versions installable by default in release 1.14.0.

    Component Default version for this release
    Approver Policy v0.15.1
    Approver Policy Enterprise v0.18.1
    AWS Private CA Issuer v1.3.0
    cert-manager v1.15.3
    CSI driver v0.10.1
    CSI driver for SPIFFE v0.8.1
    Firefly v1.5.0
    Istio CSR 0.12.0
    OpenShift Routes 0.6.0
    Trust Manager v0.12.0
    Venafi Connection v0.1.0
    Venafi Enhanced Issuer v0.14.0
    Venafi Kubernetes Agent v1.0.0
Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.14.0 Linux AMD64 / x86-64 602c7af3ce6101e529801be13fb65bf71c43f1dd84a3228b0e945d86a643fe76 Signature
Venafi CLI 1.14.0 Linux ARM64 eb1dabe8ec2fde60835f9f615e1dd46c6a1d4378f7aac08358171150720416be Signature
Venafi CLI 1.14.0 macOS AMD64 / x86-64 fe849b5c561375f143bee00dde77a8337e95df509029953be4928910c3396f27 Signature
Venafi CLI 1.14.0 macOS ARM64, Apple Silicon 74b1f94596f3967e8b110f40f848f526a47d4cf2446f9e947c2eebad2537a8fb Signature
Venafi CLI 1.14.0 Windows AMD64 / x86-64 71af55b11b0a45e44a4ebe57912e314280dea7124312f3db13628a2d689b3b25 Signature
Checksums (SHA256)

Release 1.13.0

Venafi CLI tool 1.13.0 was released on August 6, 2024.

Known issue

When installing the Istio CSR component, the 1.13.0 release of the Venafi CLI tool does not set the DNS names for the serving certificates it generates. As a workaround, use a custom values.yaml file to set the value manually. See the example below:

values.yaml
app:
tls:
    certificateDNSNames:
    - cert-manager-istio-csr.venafi.svc

You can install Istio CSR with this custom values.yaml file using the following command:

venctl components kubernetes manifest generate --cert-manager --istio-csr --istio-csr-values-files values.yaml --default-approver

A future release of the Venafi CLI tool will set this value automatically.

Key features

  • Istio CSR support

    The Venafi CLI tool now allows you to install Istio CSR in addition to the other Venafi Kubernetes components.

  • New Helm custom chart repository CA options added

    The Venafi CLI tool includes new custom chart repository CA flags for the venctl components kubernetes manifest generate and venctl components kubernetes apply commands to indicate the path to PEM-formatted CA bundles used to validate the Helm repository for component charts. Learn more

  • Go version updated

    The version of Go used was updated to v1.22.5.

  • Default component versions for this release

    The following is a full list of the component versions installable by default in release 1.13.0.

    Component Default version for this release
    Approver Policy v0.15.0
    Approver Policy Enterprise v0.18.0
    AWS Private CA Issuer v1.3.0
    cert-manager v1.15.2
    CSI driver v0.10.0
    CSI driver for SPIFFE v0.8.0
    Firefly v1.4.2
    Istio CSR 0.11.0
    Trust Manager v0.12.0
    Venafi Connection v0.1.0
    Venafi Enhanced Issuer v0.14.0
    Venafi Kubernetes Agent v0.1.49
Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.13.0 Linux AMD64 / x86-64 7296e4a56e2c80c172efe2112dea98f18ef7bed46c7600a9829e4e029fd0852a Signature
Venafi CLI 1.13.0 Linux ARM64 6a427f90545975d4cbbd0033f087fe93593d9227398a281dcabac8e256aefe98 Signature
Venafi CLI 1.13.0 macOS AMD64 / x86-64 a4f46264bc8f343622c720d52bdd256666376c44eae7e281da9a15b9154c0038 Signature
Venafi CLI 1.13.0 macOS ARM64, Apple Silicon 499d2f9b28a9c4053ab5e842c756e2275e53f87aef971851019cee043deffca9 Signature
Venafi CLI 1.13.0 Windows AMD64 / x86-64 5ce0a6eee52c6ced562e123ef3de3a5cc631bf3c9ac300882ea680ebcaafb71f Signature
Checksums (SHA256)

Release 1.12.0

Venafi CLI tool 1.12.0 was released on July 18, 2024.

Key features

  • Helm chart repository authentication

    This release adds new authentication parameters for protected OCI (credential configuration) and non-OCI (username and password) Helm chart repositories. Learn more.

    If you are using a protected Helm registry you may be required to provide additional authentication. New flags for the venctl components kubernetes manifest generate and venctl components kubernetes apply commands allow you to authenticate to protected Helm registries.

    For an OCI-based Helm registry you can provide a docker_config.json file containing authentication credentials:

    venctl components kubernetes apply \
      --cert-manager \
      --custom-chart-repository oci://my-registry.example.com/charts \
      --custom-chart-repository-config docker_config.json
    

    For HTTPs-based Helm registry you can specify the username and password:

    venctl components kubernetes apply \
      --cert manager \
      --custom-chart-repository https://my-charts.example.com/ \
      --custom-chart-repository-username <username> \
      --custom-chart-repository-password <password>
    
  • enterprise-cert-manager scope renamed to cert-manager-components

    The enterprise-cert-manager value for the --scopes flag used with the venctl iam service-accounts registry create command is deprecated in favor of cert-manager-components.

    A sample venctl iam service-accounts registry create command using the new flag:

    venctl iam service-accounts registry create --name "My Service Account" --output-file "venafi-image-pull-secret.json" --owning-team "My Platform Team" --scopes "cert-manager-components" --validity 365 --api-key xyz
    

    An example of the same command in previous releases:

    venctl iam service-accounts registry create --name "My Service Account" --output-file "venafi-image-pull-secret.json" --owning-team "My Platform Team" --scopes "enterprise-cert-manager" --validity 365 --api-key xyz
    
  • Repository updates for livenessprobe and csi-node-driver-registrar images

    Venafi CLI tool was updated to install the livenessprobe and csi-node-driver-registrar images from the private-registry.venafi.cloud/csi-driver-spiffe repository.

  • Venafi Connection dependency for Approver Policy Enterprise added to the Venafi Kubernetes Manifest tool

    This release includes a fix for an issue where the Venafi Connection dependency for Approver Policy Enterprise was not installed by the Venafi Kubernetes Manifest tool by default.

  • Default component versions for this release

    The following is a full list of the component versions installable by default in release 1.12.0.

    Component Default version for this release
    Approver Policy v0.14.1
    Approver Policy Enterprise v0.17.2
    AWS Private CA Issuer v1.2.7
    cert-manager v1.15.1
    CSI driver v0.9.0
    CSI driver for SPIFFE v0.7.0
    Firefly v1.4.1
    Trust Manager v0.11.1
    Venafi Connection v0.1.0
    Venafi Enhanced Issuer v0.14.0
    Venafi Kubernetes Agent v0.1.49
Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.12.0 Linux AMD64 / x86-64 e084de3724e3f2d8c62848ca3a26798a65db7a304e5b2f7f4814d6d99f9d567c Signature
Venafi CLI 1.12.0 Linux ARM64 c2f48894c7ca2b45ed6ec79a31dae90d89a518f110cb15b76fcabfab0e2afb0d Signature
Venafi CLI 1.12.0 macOS AMD64 / x86-64 22792ed6c07277f323f148d1fccf3e2d954e7068e5d2fc26c8c386464718a3b7 Signature
Venafi CLI 1.12.0 macOS ARM64, Apple Silicon d9a255a003d4765fa924148906d5c0c357a807eb7dc718afb9a720fa093c7c24 Signature
Venafi CLI 1.12.0 Windows AMD64 / x86-64 f8952536092760150abaed2acdff441c80967c2b40d4356ec3d484ca8e3fc408 Signature
Checksums (SHA256)

Release 1.11.0

Venafi CLI tool 1.11.0 was released on June 6, 2024.

Key features

  • Default component versions for this release

    Release 1.11.0 updates the Venafi Manifest tool to allow you to install the latest version of cert-manager and Trust Manager.

    The following is a full list of the component versions installable by default in release 1.11.0.

    Component Default version for this release
    Approver Policy v0.14.1
    Approver Policy Enterprise v0.17.0
    AWS Private CA Issuer v1.2.7
    cert-manager v1.15.0
    CSI driver v0.8.1
    CSI driver for SPIFFE v0.6.0
    Firefly v1.3.4
    Trust Manager v0.11.0
    Venafi Connection v0.1.0
    Venafi Enhanced Issuer v0.14.0
    Venafi Kubernetes Agent v0.1.48
  • Go dependency updated

    This release also updates the version of Go used for the build to 1.22.4.

Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.11.0 Linux AMD64 / x86-64 ce22c820e83b3f18e4485555d7fdeef929296eb30f720d0437c8c5ad85a5c72b Signature
Venafi CLI 1.11.0 Linux ARM64 f91e7c7ef61b9e9910733eb54c901f6bc0ebf92102ff43bd107eba5117d40982 Signature
Venafi CLI 1.11.0 macOS AMD64 / x86-64 958e81cd153697011f123b4462f84ef5c05e9310a1af7f05867c72367ebfb021 Signature
Venafi CLI 1.11.0 macOS ARM64, Apple Silicon eb257247b1b2a98f884d56da29c3908490e8a0fcca433e2f62d27a6f6815b23f Signature
Venafi CLI 1.11.0 Windows AMD64 / x86-64 42eac19daf0883eb09946044ffa41daae051453f834524169481b53285c544b0 Signature
Checksums (SHA256)

Release 1.10.0

Venafi CLI tool 1.10.0 was released on May 22, 2024.

Key features

  • Install CSI driver for SPIFFE

    Release 1.10.0 updates the Venafi Manifest tool to allow you to install the CSI driver for SPIFFE component. Learn more

  • Minor improvements

    This release introduces improvements to the venctl command:

    • When deploying the Venafi Kubernetes Agent using venctl installation cluster connect, you can now modify the agent's deployment without encountering errors.
    • A pre-requisite check for the minimum required Helm version has been added to commands that use the Helm binary. This ensures compatibility and avoids potential issues.
  • Default component versions for this release

    The following is a full list of the component versions installable by default in release 1.10.0.

    Component Default version for this release
    Approver Policy v0.14.1
    Approver Policy Enterprise v0.17.0
    AWS Private CA Issuer v1.2.7
    cert-manager v1.14.5
    CSI driver v0.8.1
    CSI driver for SPIFFE v0.6.0
    Firefly v1.3.4
    Trust Manager v0.10.0
    Venafi Connection v0.1.0
    Venafi Enhanced Issuer v0.14.0
    Venafi Kubernetes Agent v0.1.48
Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.10.0 Linux AMD64 / x86-64 97fdd47fae913be92fab900a74d0c8e911b52a4c4351b8cd855e9fbe523ceb88 Signature
Venafi CLI 1.10.0 Linux ARM64 2f44064a60e0469e45885476e0ab59dede20276f58bae75c73fa07541d0d0f15 Signature
Venafi CLI 1.10.0 macOS AMD64 / x86-64 c027bbe4acda75ed434927f5beb5b918c779ee050a8f836e84671c99f2802408 Signature
Venafi CLI 1.10.0 macOS ARM64, Apple Silicon f41d62f8a94d0c2e8bcb3a7f143c0d446b51737415bb11a411d4b729ba396dd1 Signature
Venafi CLI 1.10.0 Windows AMD64 / x86-64 4e9be84020463d1000acc6e61e62cd6b743fe364ce1cfa619eda9533266f9b74 Signature
Checksums (SHA256)

Release 1.9.0

Venafi CLI tool 1.9.0 was released on May 8, 2024.

Breaking Changes

This release contains the following breaking changes:

  • The following flags have been renamed in all commands to which they apply:

    • --output has been renamed to --log-format.

      A sample command using the new flag:

      venctl iam service-accounts describe --api-key xyz -n myaccount --log-format json --no-prompts >> accinfo.json
      

      An example of the same command in previous releases:

      venctl iam service-accounts describe --api-key xyz -n myaccount --output json --no-prompts >> accinfo.json
      
    • --credential-format has been renamed to --output.

      A sample command using the new flag:

      venctl iam service-accounts firefly create --output secret --name sa-firefly --api-key xyz
      

      An example of the same command in previous releases:

      venctl iam service-accounts firefly create --credential-format secret --name sa-firefly --api-key xyz
      
    • --credential-file has been renamed to --output-file.

      A sample command using the new flag:

      venctl iam service-accounts registry create --name "My Service Account" --output-file "venafi-image-pull-secret.json" --owning-team "My Platform Team" --scopes "enterprise-cert-manager" --validity 365 --api-key xyz
      

      An example of the same command in previous releases:

      venctl iam service-accounts registry create --name "My Service Account" --credential-file "venafi-image-pull-secret.json" --owning-team "My Platform Team" --scopes "enterprise-cert-manager" --validity 365 --api-key xyz
      
  • The output from the iam service-accounts registry create output dockerconfig has been updated to contain only dockerconfig content rather than being nested in a JSON object.

    The following is a sample of the output in this release:

    {
        "auths": {
                "private-registry.venafi.cloud": {
                        "username": "sa-us@1cef4d3d-f28b-11ee-9365-c29bc6f4bab0",
                        "auth": "c2EtdXNAMWNlZjRkM2QtZjI4Yi0xMWVlLTkzNjUtYzI5YmM2ZjRiYWIwOnlWNE5jZHZ5SG1jY2FYU2thQ1FKbUJzZktsZERqRVA5eW11dW5XY1V6c0d2ZWtpamVhZWNBR3o5MlppQ0d5eXVJRmVua2RqalpGY3NrWXZ6WXFPdWlQZnVPd2NCRlRYRVJJcXEyaEloNDVHaEx2c01HNkRtNVJNZHJzNUVCd2Zx"
                }
        }
    }
    

    The following is an example of the output from previous releases:

    {
        "client_id": "f95b37ac-f28c-11ee-a4ea-bad1c4de4f71",
        "image_pull_secret": "{\"auths\":{\"private-registry.venafi.cloud\":{\"username\":\"sa-us@f95b37ac-f28c-11ee-a4ea-bad1c4de4f71\",\"auth\":\"c2EtdXNAZjk1YjM3YWMtZjI4Yy0xMWVlLWE0ZWEtYmFkMWM0ZGU0ZjcxOkVXVFlLTHFRZ0o3U2M4UTlSTDg2SEh2SldVTWlvT2VZSEhDaWpwRmVVRENNM2FIbEhQdURDb1p3RE1pQ0pRVGZOWlpxWExId3VGb0RLS1NrYW9tbDVsUEdxSG1zeVl2cWc2UURFSFlWSVdzblZ2S2ZSZHdvbnhldjF5NG5iUW5V\"}}}\n"
    }
    

The --name, --validity, and --owning-team flags are now only available in the subcommands where they are relevant. These flags have been removed from the main venctl iam service-accounts command and added to each applicable subcommand.

Key features

  • Dependency updates

    This release updates the version of Go used to 1.22.3. This release also includes a fix for the following Hashicorp go-getter library vulnerability: CVE-2024-3817.

  • Default component versions for this release

    The following is a full list of the component versions installable by default in release 1.9.0.

    Component Default version for this release
    Approver Policy v0.14.0
    Approver Policy Enterprise v0.16.0
    AWS Private CA Issuer v1.2.7
    cert-manager v1.14.5
    CSI Driver v0.8.0
    Firefly v1.3.4
    Trust Manager v0.9.2
    Venafi Connection v0.0.20
    Venafi Enhanced Issuer v0.13.3
    Venafi Kubernetes Agent v0.1.47
Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.9.0 Linux AMD64 / x86-64 cfb0a86b98f68b9a7684ab00b8176577c42162c3dfa976b8c99cf02064a092bb Signature
Venafi CLI 1.9.0 Linux ARM64 78dd48ae03c9a6931d0981d66443fcdb103a055af61db104493c166d5d67831c Signature
Venafi CLI 1.9.0 macOS AMD64 / x86-64 667b8773980ce1342d51466e4f78e0fca1ab95819fca2d1c6b8a2a81198df4e6 Signature
Venafi CLI 1.9.0 macOS ARM64, Apple Silicon d68c5959bc8be6f9e9d2f5d1eec39293414cf466bbb2eb306b3f40817711e9d5 Signature
Venafi CLI 1.9.0 Windows AMD64 / x86-64 12c779814fa53e8d5b05a7a1f33e07637004d28c067ad7c3e897c25535c01160 Signature
Checksums (SHA256)

Release 1.8.0

Venafi CLI tool 1.8.0 was released on April 5, 2024.

Breaking changes

The output from the venctl iam service-accounts agent create and venctl iam service-accounts firefly create commands now return the raw private key rather than a base64-encoded string.

The following is a sample of the output in this release:

{
        "client_id": "7dd207f4-f1ae-11ee-83f9-3a7af823c704",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMHcCAQEEIKcGfBGimDbNqTrv0zw2h8W2OavVY8WHATEH89VIrQmBoAoGCCqGSM49\nAwEHoUQDQgAEzwbbEkbMMxvRBPLkmAJ/jkJZIHwpskxtBNXZU18jqAW+J8TSfuv6\nkPGe/frubEqyT+w496F45Vqi3Y9ha/6Ozg==\n-----END PRIVATE KEY-----\n"
}

The following is an example of the output from previous releases:

{
        "client_id": "7dd207f4-f1ae-11ee-83f9-3a7af823c704",
        "private_key": "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tXG5NSGNDQVFFRUlLY0dmQkdpbURiTnFUcnYwencyaDhXMk9hdlZZOFdIQVRFSDg5VklyUW1Cb0FvR0NDcUdTTTQ5XG5Bd0VIb1VRRFFnQUV6d2JiRWtiTU14dlJCUExrbUFKL2prSlpJSHdwc2t4dEJOWFpVMThqcUFXK0o4VFNmdXY2XG5rUEdlL2ZydWJFcXlUK3c0OTZGNDVWcWkzWTloYS82T3pnPT1cbi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS1cbgo="
}

Key features

  • New service account custom integration functionality

    A new venctl iam service-accounts custom-integration createcommand has been added that allows you to create service accounts for custom integrations with Venafi Control Plane. For more information, see the venctl iam service-accounts custom-integration create command reference documentation.

  • New service account authentication functionality

    New --auth.client-id, --auth.key, and --auth.key-file flags have been added to the venctl iam service-account agent create command to support service account authentication to Venafi Control Plane. This is useful for non-interactive sessions when service accounts for Venafi Kubernetes Agent are needed. For more information, see the venctl iam service-account agent create command reference documentation.

  • Support for global tolerations

    This release includes a new flag, --global-tolerations-file, for the venctl components kubernetes manifest generate command. This flag points to a YAML file containing an array of Kubernetes corev1.Toleration objects. For more information, see Global tolerations.

  • Support for global affinities

    This release includes a new flag, --global-affinities-file, for the venctl components kubernetes manifest generate command. This flag points to a YAML file containing an array of Kubernetes corev1.Affinity objects, which is validated in the same way that Kubernetes validates affinities in-cluster. For more information, see Global affinities.

  • Support for global topology spread constraints

    This release includes a new flag, --global-topology-spread-constraints-file, for the venctl components kubernetes manifest generate command. This flag allows the configuration of global topology spread constraints which can be applied to all components for which topology spread constraints are configurable. For more information, see Global topology spread constraints.

  • Support for High Availability (HA)

    This release includes a new flag, --ha-file-dir, for the venctl components kubernetes manifest generate command that allows you to set default values for HA deployments for the following Venafi Kubernetes components:

    • cert-manager
    • Approver Policy Enterprise
    • CSI Driver
    • Trust Manager
    • Venafi Kubernetes Agent
    • Venafi Enhanced Issuer

    For more information, see Setting default values for HA deployments using the Venafi CLI tool, and the venctl components kubernetes manifest generate command reference documentation..

  • Default component versions for this release

    The following is a full list of the component versions installable by default in release 1.8.0.

    Component Default version for this release
    Approver Policy v0.13.1
    Approver Policy Enterprise v0.15.0
    AWS Private CA Issuer v1.2.7
    cert-manager v1.14.4
    CSI Driver v0.8.0
    Firefly v1.3.3
    Trust Manager v0.9.2
    Venafi Connection v0.0.20
    Venafi Enhanced Issuer v0.13.3
    Venafi Kubernetes Agent v0.1.47
Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.8.0 Linux AMD64 / x86-64 c4a49eb57c337e93c33a004e8cda3e48d4ad27e3d6beb0d04c54c217b23b6768 Signature
Venafi CLI 1.8.0 Linux ARM64 e536fc37c3ed2339780a5f272a49d2fb5a1a5005c770c8c18ca0093dd57f866a Signature
Venafi CLI 1.8.0 macOS AMD64 / x86-64 4692d780be197b47a94caac269dd3e3a248bcf3ae246cb9a9c23007d810c12a7 Signature
Venafi CLI 1.8.0 macOS ARM64, Apple Silicon 66a59e1fbe31ac941782f35588651a1f8e47555107d7e47a1d5afb70d678ae32 Signature
Venafi CLI 1.8.0 Windows AMD64 / x86-64 6c0fd3b677af768952a9fdec404ae0bb9f5dfb08cf6afd235042ea4298c3c40c Signature
Checksums (SHA256)

Release 1.7.0

Venafi CLI tool 1.7.0 was released on March 14, 2024.

Key features

  • New Manifest tool commands

    Two new manifest tool commands have been added:

    • venctl components kubernetes manifest tool diff - Use this command as a convenient way to visualize the changes between the active deployment and the updated manifest.
    • venctl components kubernetes manifest tool template - Use this command to template releases defined in the state file.

    For more information, see the venafi components kubernetes manifest tool diff and venafi components kubernetes manifest tool template reference documentation.

  • Quick install/uninstall commands

    This release introduces two new commands that allow you to set up and tear down a Venafi cert-manager environment quickly and easily. This installation method is not recommended for production environments. For more information, see the Venafi CLI command reference documentation.

  • Custom registry support

    You can now specify your own custom registry when connecting to Venafi Control Plane using the venctl installation cluster connect command.

  • Bug fixes

    The current release includes fix for an issue with the venctl components kubernetes manifest generate command when the default version of a component was specified.

  • Default component versions for this release

    Below is a full list of the component versions installable by default in release 1.7.0.

    Component Default version for this release
    Approver Policy v0.13.0
    Approver Policy Enterprise v0.14.0
    AWS Private CA Issuer v1.2.7
    cert-manager v1.14.4
    CSI Driver v0.7.1
    Firefly v1.3.2
    Trust Manager v0.9.1
    Venafi Connection v0.0.19
    Venafi Enhanced Issuer v0.13.1
    Venafi Kubernetes Agent v0.1.45
Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.7.0 Linux AMD64 / x86-64 3455b982fed40d80a40759c42bf8e5145bdc0ec3121744652f73a05d87c2b088 Signature
Venafi CLI 1.7.0 Linux ARM64 154ff31bebe9bf8019a94489cb80f34e4161eed3461312c9f6b805adaedefa53 Signature
Venafi CLI 1.7.0 macOS AMD64 / x86-64 86d4a11ecd582b94d45e35de66112fa90ee154a0c1c547f0389832a3c7453960 Signature
Venafi CLI 1.7.0 macOS ARM64, Apple Silicon eb2fde0b9f45d9be0d4debb0d12ade9c8b956a61bcb2c0b65a677f38135b9d58 Signature
Venafi CLI 1.7.0 Windows AMD64 / x86-64 69cf65385955f2a20536fb4c3a7b19b33df3b76edf1f27b241290ab82b69a41a Signature
Checksums (SHA256)

Release 1.6.0

Venafi CLI tool 1.6.0 was released on February 23, 2024.

Key features

  • Service account creation for Firefly

    Release 1.6.0 allows you to create services accounts that allow Venafi Firefly to connect to Venafi Control Plane using the new venctl iam service-accounts firefly create command. For more information, see the Venafi CLI command reference documentation.

  • FIPS support for CSI Driver

    This release includes support for FIPS-compliant versions of Docker images for CSI Driver.

  • New positional arguments

    Instead of having to use the --name flag with the following commands, you can now also use positional arguments:

    • venctl iam service-accounts describe
    • venctl iam service-accounts registry create
    • venctl iam service-accounts delete
    • venctl installation cluster connect

    For example:

    venctl iam service-accounts describe my-service-account
    
  • Logging and error messages improvements

    Several updates have been made that improve error messages and logging in the Venafi CLI tool.

  • Default component versions for this release

    The venctl components kubernetes manifest generate command now installs Venafi Enhanced Issuer v0.12.0 and Venafi Kubernetes Agent v0.1.45.

    Below is a full list of the component versions installable by default in release 1.6.0.

    Component Default version for this release
    Approver Policy v0.12.1
    Approver Policy Enterprise v0.13.0
    AWS Private CA Issuer v1.2.7
    cert-manager v1.14.3
    CSI Driver v0.7.1
    Firefly v1.3.1
    Trust Manager v0.8.0
    Venafi Connection v0.0.19
    Venafi Enhanced Issuer v0.12.0
    Venafi Kubernetes Agent v0.1.45
Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.6.0 Linux AMD64 / x86-64 08ad637f5f3b55fe0ea232e1c9b2f318a1a388408db0d2f5e550fb39a6da9b57 Signature
Venafi CLI 1.6.0 Linux ARM64 d36ac9abe8df6f812d864442501217a7e369cb68a54f32582a3d711fdb314952 Signature
Venafi CLI 1.6.0 macOS AMD64 / x86-64 104086f856e2f7c69602029a38377a3efbd208595473233e3e5d78872b9fab1c Signature
Venafi CLI 1.6.0 macOS ARM64, Apple Silicon 2ab8e11408297b3c1077112b899bae2c45cec6cc4351f316180dd7b38042ddc6 Signature
Venafi CLI 1.6.0 Windows AMD64 / x86-64 9753d92abcbacce0144b42ce075399f6d235e5265d1377e3d8eacbda1d8b9239 Signature
Checksums (SHA256)

Release 1.5.0

Venafi CLI tool 1.5.0 was released on February 9, 2024.

Breaking Changes

Updated flags in venctl iam service-accounts registry create

As of this version, the Venafi CLI tool introduces two critical flag changes that impact how you create service accounts for Venafi OCI registry access:

  • Renamed Flag: --image-pull-secret-file is now --credential-file.
  • Renamed Flag: --image-pull-secret-format is now --credential-format.

This change aligns with broader terminology within the Venafi CLI tool, and aims to simplify usage. Remember to update your commands accordingly to avoid errors.

Example:

  • Venafi CLI tool 1.2.0 - 1.4.0:

    venctl iam service-accounts registry create --name sa --image-pull-secret-file my-secret.yaml --image-pull-secret-format secret
    
  • Venafi CLI tool 1.5.0:

    venctl iam service-accounts registry create --name sa --credential-file my-credential.json --credential-format secret
    

Updated the output format of --credential-format secret for venctl iam service-accounts registry create

This update impacts how Venafi CLI tool generates service accounts for registry access with the --credential-format secret flag.

Previously, only the Kubernetes secret (in YAML format) was included in the output. Now, both client_id and the Kubernetes secret for image pulling (in YAML format) are provided under a JSON structure.

Output details

Upon successful execution of venctl iam service-accounts registry create --name sa --credential-file my-credential.json --credential-format secret, the output will include:

  • client_id: The client identifier used for authentication with the registry.
  • image_pull_secret: The Kubernetes secret encoded in YAML format, granting access to Venafi OCI registry artifacts.

Accessing the client ID and secret

To extract the image_pull_secret from the JSON output, use the following command:

jq -r '.image_pull_secret' < my-credential.json

To extract the client_id from the JSON output, use the following command:

jq -r '.client_id' < my-credential.json

Important

The commands above assume the output is saved in a file named my-credential.json. Replace it with the actual file path as necessary.

Key features

  • Service account creation for Venafi Kubernetes Agent

    A venctl iam service-accounts agent create command was added. This command allows you to create service accounts in Venafi Control Plane for your Venafi Kubernetes Agents.

  • Service account listing

    A new venctl iam service-accounts list command was added. This command lists all service accounts in the Venafi Control Plane. For more information, see the venctl reference page.

  • Service account description

    The venctl iam service-accounts show command has been renamed venctl iam service-accounts describe. It provides a description of a named service account in the Venafi Control Plane. For more information, see the venctl reference page.

  • Venafi Improvements to the Venafi Kubernetes Manifest feature of Venafi CLI

    This release also sees updates to the way that the Venafi Manifest tool deploys cert-manager, and adds support for cert-manager v1.14.1 and later.

  • Flag changes

    The --image-pull-secret-file and --image-pull-secret-format flags for the venctl iam service-accounts registry create command have been renamed to --credential-file and --credential-format, respectively.

Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.5.0 Linux AMD64 / x86-64 3f3b41b9808b4af71491a147d2d42e962780548ce4188d21bb3de7a98d547722 Signature
Venafi CLI 1.5.0 Linux ARM64 1984c6a5c6b8a4a2d5ad50b227bc006a6ec8e42792fb363ef594c2bc825cdaba Signature
Venafi CLI 1.5.0 macOS AMD64 / x86-64 ba3dd02f21f99e5a75b32cd28ddd83478c578fc427d7158359af7fc7348182a9 Signature
Venafi CLI 1.5.0 macOS ARM64, Apple Silicon 37038c99e9b39e4c06b94124e139b6ade73ce87afaacba2b9e55441dc49a6611 Signature
Venafi CLI 1.5.0 Windows AMD64 / x86-64 e35546749dd395cdfde4969a5ec8853ebf71e528de3f6ecd46a64c9a38cb1bdf Signature
Checksums (SHA256)

Release 1.4.0

Venafi CLI tool 1.4.0 was released on January 25, 2024.

Known Issue

Versions 1.4.0 and earlier of the Venafi CLI tool are not able to install cert-manager v1.14.0 or later from a generated manifest.

This issue is addressed in Venafi CLI tool 1.5.0.

Key features

  • FIPS support

This release includes support for FIPS-compliant versions of Docker images for Venafi components for Kubernetes. A --use-fips-images flag has been added to the venctl components kubernetes manifest generate command to install the desired component using the FIPS-compliant version of the component Docker image.

Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.4.0 Linux AMD64 / x86-64 f913e9cce9d29f2bdd0d165d9829ace60e49075ed02139a42d761cfb5ef05d9d Signature
Venafi CLI 1.4.0 Linux ARM64 8520421b39c09a2b8b56cd1e53e1b1df758ce92840f0778c7eed8a7cdc58f3af Signature
Venafi CLI 1.4.0 macOS AMD64 / x86-64 50dae730b043d498ae16149be22a5c0edb57b1f12c68b4bb40f72b1ac58af171 Signature
Venafi CLI 1.4.0 macOS ARM64, Apple Silicon 7d41273e9e44e082d29cd5aa9e6cdb7a9d083cbb76b79699fd825075053d5279 Signature
Venafi CLI 1.4.0 Windows AMD64 / x86-64 739f1cca4445868c062c600acea3a9e9fc4f172883e07aed531329d191bb9ada Signature
Checksums (SHA256)

Release 1.3.2

Venafi CLI tool 1.3.2 was released on January 15, 2024.

Key features

  • Service accounts show command

    A new venctl iam service-accounts show command was added. This command provides information on a named service account in the Venafi Control Plane. For more information, see the venctl reference page.

  • Logging improvements

    This release sees improvements in logging to support the venctl iam service-accounts show command.

  • Miscellaneous minor bug fixes

    Several minor bugs were also fixed in this release.

Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.3.2 Linux AMD64 / x86-64 123641fad7fab857fedb739aa8386df92cae178c034d59ac2e71e1e868c1dd64 Signature
Venafi CLI 1.3.2 Linux ARM64 4677c8e8bbe2f28014b3f6cdee11651180a4c5b7ad83a5196fc8cf07b7c26958 Signature
Venafi CLI 1.3.2 macOS AMD64 / x86-64 87e6beba0f5241a9f88ddafb0f50c45b76934857725854bd473050312a710947 Signature
Venafi CLI 1.3.2 macOS ARM64, Apple Silicon ff2283cbc9bd01f8f32975b6375c856ef4b8b151f3390194918cca9bb7cc20cc Signature
Venafi CLI 1.3.2 Windows AMD64 / x86-64 0111fcc0013f619e895082bc1041a44086d07be4db3f49a686bba5adb4387006 Signature
Checksums (SHA256)

Release 1.3.1

Venafi CLI tool 1.3.1 was released on December 20, 2023.

Key features

  • EU region service account deletion issue

    Release 1.3.1 fixes an issue where the venctl iam service-accounts delete command didn't work for service accounts using the EU Venafi Control Plane region.

Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.3.1 Linux AMD64 / x86-64 2743d0ac27a515177c4351a8be70870922332058c2e443868a958ffc865b3cd4 Signature
Venafi CLI 1.3.1 Linux ARM64 c1379600daf9e5f1df0e7dbbb7e3b39e7672844fac98dd72f319259bc2f74596 Signature
Venafi CLI 1.3.1 macOS AMD64 / x86-64 eaf728c5824b9c317e033fd082a99222b9dcfba858d9b2af0867816273a9d926 Signature
Venafi CLI 1.3.1 macOS ARM64, Apple Silicon 9513f6d19afe697a8f04a46bdf0c65b1a34cda15cbcfd53e4b147914ce6f768f Signature
Venafi CLI 1.3.1 Windows AMD64 / x86-64 fe3dbd642334bb4a30bb5ac78a7e67358b8629651b006a3ca540143044aabfe9 Signature
Checksums (SHA256)

Release 1.3.0

Venafi CLI tool 1.3.0 was released on December 15, 2023.

Key features

  • Service account deletion

    Release 1.3.0 adds a new venctl iam service-accounts delete command for deleting service accounts in the Venafi Control Plane.

    For more information on how to use this feature, see Venafi CLI reference page.

  • Venafi Kubernetes manifest for trust-manager

    This release addresses an issue in the Venafi Kubernetes manifest for the trust-manager. Previously, the generated manifest pulled the open-source image for the default trust package, now the enterprise trust-manager version is used unless another registry is configured.

Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.3.0 Linux AMD64 / x86-64 c46cbb94a3db8d909fa2e079d0f64653ae328e21d4c150187d47a4703a6ec3e9 Signature
Venafi CLI 1.3.0 Linux ARM64 7c98800e69b18a688969700a02cea1b09946f001daa78c7324dec69e6a216fc5 Signature
Venafi CLI 1.3.0 macOS AMD64 / x86-64 4c454d7688f6989495583686a6395709b7b886c32d9c93243a4f8d824be26074 Signature
Venafi CLI 1.3.0 macOS ARM64, Apple Silicon f0761d5edb7c1904ccf0641c4da9edac93d3f3c3217bcd7fa90202df7948217c Signature
Venafi CLI 1.3.0 Windows AMD64 / x86-64 8b7e12a0deb9b988d00bb4994bea81cac94d6207957898cdc83ec25ae128122b Signature
Checksums (SHA256)

Release 1.2.1

Venafi CLI tool 1.2.1 was released on December 7, 2023.

Key features

  • macOS install script fix

    This release fixes an issue with the Bash script used to install the utility on the macOS platform when no GPG tool is installed.

Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.2.1 Linux 64-bit a09b716ac8699abb6106aaaab3785a7028b739b10f91c2d9df4020c017b71b4f Signature
Venafi CLI 1.2.1 Linux ARM64 cca761d02e61bba83b15cd77e8fe51e59ebb69b2a216dc743cd09e2a015bef0f Signature
Venafi CLI 1.2.1 macOS 64-bit 352cb55fa351263a83258b4d17384ea71cdf80c6f92b76407887d4af97048a4e Signature
Venafi CLI 1.2.1 macOS ARM64, Apple Silicon bde09e185bf639ed8d635aa812f239c855ce5654f985a11d8c7e6dea45c8ef14 Signature
Venafi CLI 1.2.1 Windows 64-bit d1c1d8461bd78c0ae33c73edbdc3e9be4125d46be8567f5deea5bda7affa4aaa Signature
Checksums (SHA256)

Release 1.2.0

Venafi CLI tool 1.2.0 was released on December 6, 2023.

Key features

  • Venafi Manifest Generator functionality

    This release sees the addition of Venafi Manifest Generator functionality to the Venafi CLI tool. You can now install Venafi Kubernetes components using the Venafi CLI utility.

    For more information on how to use this feature, see Venafi CLI reference page.

  • Service account creation

    Release 1.2.0 adds a new venctl iam service-accounts registry create command for creating service accounts in the Venafi Control Plane for accessing container images from the private Venafi OCI registry.

    For more information on how to use this feature, see Venafi CLI reference page.

  • Utility updates

    The release adds the venctl update command to update the venctl binary to the latest available stable version.

    For more information on how to use this feature, see Venafi CLI reference page.

Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.2.0 Linux 64-bit 714666fab8a97e267bb0bd2529b363a56644d0d8617a597694d67a927ea6a90d Signature
Venafi CLI 1.2.0 Linux ARM64 850708e36a7c308182f90e6fc86111138eeb2287dfaeef8a372292580b0eba4e Signature
Venafi CLI 1.2.0 macOS 64-bit ee65e6a9ac17630761e97c237dae05b7eff488908d2c92288f53b83ab02a1ece Signature
Venafi CLI 1.2.0 macOS ARM64, Apple Silicon 353573021ce33457be8f31216fa24863b8cf70b0b2f2d17596e91890ec1b807a Signature
Venafi CLI 1.2.0 Windows 64-bit bdc2b91537cd1b293537c8fce1308bb80c72a5c57237cd64a290639c1a4ae0a7 Signature
Checksums (SHA256)

Release 1.1.0

Venafi CLI tool 1.1.0 was released on November 3, 2023.

Key features

  • Code signing

    This release introduces GPG code signing for the Venafi CLI binaries, enabling them to be verified for authenticity.

Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum GPG Signature
Venafi CLI 1.1.0 Linux 64-bit 939547572ec4e91bc2e5916ec8c22ed544ec7df071b83cd0067b567eb8b1ab4a Signature
Venafi CLI 1.1.0 Linux ARM64 cbd58f3f312d1eaed189350d9fc3762dbba5c149261bc64a5b1dbac7c23056ae Signature
Venafi CLI 1.1.0 macOS 64-bit 2a32444ffb2d935d8af0987fbf997c05224bae0af0caee44927e4d72ecc9fc48 Signature
Venafi CLI 1.1.0 macOS ARM64, Apple Silicon 529bbf3b98d6e3ae829c5210330fbe2aa682980a271d746a3b129a2ae4a94973 Signature
Venafi CLI 1.1.0 Windows 64-bit 72a0a54b7aa755a3b0ea9238369c42c1605f3cdd043b29bcb9af5fe807d0ae3f Signature
Checksums (SHA256)

Release 1.0.2

Venafi CLI tool 1.0.2 was released on November 1, 2023.

Key features

  • Bug fixes and enhancements

    This release of the Venafi CLI tool contains some bug fixes, and some small under-the-hood enhancements.

Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum
Venafi CLI 1.0.2 Linux 64-bit 18194c1dfadaedabb2d84f87f47917e1af06eeca8d334b11c16f7391c0cb7d1a
Venafi CLI 1.0.2 Linux ARM64 202e6d16672f52fa7b18228642dc22bff6d1ad509dec87840efd49057df4ddb5
Venafi CLI 1.0.2 macOS 64-bit 5574c4bdc8b28b87b799d00f9372b2bcaa3d513e9e900cf9af84e1b9a98d9889
Venafi CLI 1.0.2 macOS ARM64, Apple Silicon 601bf1216ffffdca7ad2105abb3ae18fc7bb83e4ffc3df2747b72369228c88e4
Venafi CLI 1.0.2 Windows 64-bit f502d3f03cdc417e5c71f64c5a5dbd64eabe8dd4d7235e8d3440cc09b7b7e494
Checksums (SHA256)

Release 1.0.0

Venafi CLI tool 1.0.0 was released on October 15, 2023.

Key features

  • Connect Kubernetes clusters to Venafi Control Plane

    Venafi CLI provides a convenient way to connect Kubernetes clusters to Venafi Control Plane.

    To learn more, use the venctl installation cluster connect --help command.

Downloads

Select the file appropriate for your platform:

Release OS Architecture SHA256 Checksum
Venafi CLI 1.0.0 Linux 64-bit 1c8dacade6857266c7cd6c02c6dad139d1f4f0f3fb6d6f14bef551eea8cd0457
Venafi CLI 1.0.0 Linux ARM64 7daad16d55d2aedbc8b6f21944cbaa23adc4ca1011cd6c9eac537b392d0654ee
Venafi CLI 1.0.0 macOS 64-bit fa0aa723eeb58aa85c0fd43419ccbba3080e0638c17d1fe01d77d66f5d9baec4
Venafi CLI 1.0.0 macOS ARM64, Apple Silicon daae557f0fc73e42c2205bda3b5a2cd3d28bd021c0e97cb88b5db47811af071d
Venafi CLI 1.0.0 Windows 64-bit 0f58ff27bd332b92b2cd49af81efd96f74f6336f68f767013dd36882ac20df38
Checksums (SHA256)