Venafi CLI tool releases¶

Learn about current and past releases of the Venafi CLI tool.

Latest release¶

The latest stable version of Venafi CLI is v1.8.0.

Select the file appropriate for your platform below:

Verifying Venafi CLI archives after download¶

Once you have downloaded the Venafi CLI archive and its corresponding signature file, you can verify by executing a command similar to the following:

gpg --verify venctl-linux-amd64.zip.sig venctl-linux-amd64.zip

For a valid signature, the output is similar to the example below:

gpg: Signature made Wed Dec  6 11:09:05 2023 UTC
gpg:                using RSA key BA2F4B4442D945F0A2810A686B99EC1CEEE83892
gpg:                issuer "gpg-vaas@venafi.com"
gpg: Good signature from "Venafi, Inc. <gpg-vaas@venafi.com>" [ultimate]

Release 1.8.0¶

Venafi CLI tool 1.8.0 was released on April 5, 2024.

Breaking changes¶

The output from the venctl iam service-accounts agent create and venctl iam service-accounts firefly create commands now return the raw private key rather than a base64-encoded string.

The following is a sample of the output in this release:

{
        "client_id": "7dd207f4-f1ae-11ee-83f9-3a7af823c704",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMHcCAQEEIKcGfBGimDbNqTrv0zw2h8W2OavVY8WHATEH89VIrQmBoAoGCCqGSM49\nAwEHoUQDQgAEzwbbEkbMMxvRBPLkmAJ/jkJZIHwpskxtBNXZU18jqAW+J8TSfuv6\nkPGe/frubEqyT+w496F45Vqi3Y9ha/6Ozg==\n-----END PRIVATE KEY-----\n"
}

The following is an example of the output from previous releases:

{
        "client_id": "7dd207f4-f1ae-11ee-83f9-3a7af823c704",
        "private_key": "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tXG5NSGNDQVFFRUlLY0dmQkdpbURiTnFUcnYwencyaDhXMk9hdlZZOFdIQVRFSDg5VklyUW1Cb0FvR0NDcUdTTTQ5XG5Bd0VIb1VRRFFnQUV6d2JiRWtiTU14dlJCUExrbUFKL2prSlpJSHdwc2t4dEJOWFpVMThqcUFXK0o4VFNmdXY2XG5rUEdlL2ZydWJFcXlUK3c0OTZGNDVWcWkzWTloYS82T3pnPT1cbi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS1cbgo="
}

Key features¶

• New service account custom integration functionality

  A new venctl iam service-accounts custom-integration createcommand has been added that allows you to create service accounts for custom integrations with Venafi Control Plane. For more information, see the venctl iam service-accounts custom-integration create command reference documentation.

• New service account authentication functionality

  New --auth.client-id, --auth.key, and --auth.key-file flags have been added to the venctl iam service-account agent create command to support service account authentication to Venafi Control Plane. This is useful for non-interactive sessions when service accounts for Venafi Kubernetes Agent are needed. For more information, see the venctl iam service-account agent create command reference documentation.

• Support for global tolerations

  This release includes a new flag, --global-tolerations-file, for the venctl components kubernetes manifest generate command. This flag points to a YAML file containing an array of Kubernetes corev1.Toleration objects. For more information, see Global tolerations.

• Support for global affinities

  This release includes a new flag, --global-affinities-file, for the venctl components kubernetes manifest generate command. This flag points to a YAML file containing an array of Kubernetes corev1.Affinity objects, which is validated in the same way that Kubernetes validates affinities in-cluster. For more information, see Global affinities.

• Support for global topology spread constraints

  This release includes a new flag, --global-topology-spread-constraints-file, for the venctl components kubernetes manifest generate command. This flag allows the configuration of global topology spread constraints which can be applied to all components for which topology spread constraints are configurable. For more information, see Global topology spread constraints.

• Support for High Availability (HA)

  This release includes a new flag, --ha-file-dir, for the venctl components kubernetes manifest generate command that allows you to set default values for HA deployments for the following Venafi Kubernetes components:

  • cert-manager
  • Approver Policy Enterprise
  • CSI Driver
  • Trust Manager
  • Venafi Kubernetes Agent
  • Venafi Enhanced Issuer

  For more information, see Setting default values for HA deployments using the Venafi CLI tool, and the venctl components kubernetes manifest generate command reference documentation..

• Default component versions for this release

  The following is a full list of the component versions installable by default in release 1.8.0.

  Component	Default version for this release
  Approver Policy	v0.13.1
  Approver Policy Enterprise	v0.15.0
  AWS Private CA Issuer	v1.2.7
  cert-manager	v1.14.4
  CSI Driver	v0.8.0
  Firefly	v1.3.3
  Trust Manager	v0.9.2
  Venafi Connection	v0.0.20
  Venafi Enhanced Issuer	v0.13.3
  Venafi Kubernetes Agent	v0.1.47

Release 1.7.0¶

Venafi CLI tool 1.7.0 was released on March 14, 2024.

Key features¶

• New Manifest tool commands

  Two new manifest tool commands have been added:

  • venctl components kubernetes manifest tool diff - Use this command as a convenient way to visualize the changes between the active deployment and the updated manifest.
  • venctl components kubernetes manifest tool template - Use this command to template releases defined in the state file.

  For more information, see the venafi components kubernetes manifest tool diff and venafi components kubernetes manifest tool template reference documentation.

• Quick install/uninstall commands

  This release introduces two new commands that allow you to set up and tear down a Venafi cert-manager environment quickly and easily. This installation method is not recommended for production environments. For more information, see the Venafi CLI command reference documentation.

• Custom registry support

  You can now specify your own custom registry when connecting to Venafi Control Plane using the venctl installation cluster connect command.

• Bug fixes

  The current release includes fix for an issue with the venctl components kubernetes manifest generate command when the default version of a component was specified.

• Default component versions for this release

  Below is a full list of the component versions installable by default in release 1.7.0.

  Component	Default version for this release
  Approver Policy	v0.13.0
  Approver Policy Enterprise	v0.14.0
  AWS Private CA Issuer	v1.2.7
  cert-manager	v1.14.4
  CSI Driver	v0.7.1
  Firefly	v1.3.2
  Trust Manager	v0.9.1
  Venafi Connection	v0.0.19
  Venafi Enhanced Issuer	v0.13.1
  Venafi Kubernetes Agent	v0.1.45

Release 1.6.0¶

Venafi CLI tool 1.6.0 was released on February 23, 2024.

Key features¶

• Service account creation for Firefly

  Release 1.6.0 allows you to create services accounts that allow Venafi Firefly to connect to Venafi Control Plane using the new venctl iam service-accounts firefly create command. For more information, see the Venafi CLI command reference documentation.

• FIPS support for CSI Driver

  This release includes support for FIPS-compliant versions of Docker images for CSI Driver.

• New positional arguments

  Instead of having to use the --name flag with the following commands, you can now also use positional arguments:

  • venctl iam service-accounts describe
  • venctl iam service-accounts registry create
  • venctl iam service-accounts delete
  • venctl installation cluster connect

  For example:

  venctl iam service-accounts describe my-service-account
  

• Logging and error messages improvements

  Several updates have been made that improve error messages and logging in the Venafi CLI tool.

• Default component versions for this release

  The venctl components kubernetes manifest generate command now installs Venafi Enhanced Issuer v0.12.0 and Venafi Kubernetes Agent v0.1.45.

  Below is a full list of the component versions installable by default in release 1.6.0.

  Component	Default version for this release
  Approver Policy	v0.12.1
  Approver Policy Enterprise	v0.13.0
  AWS Private CA Issuer	v1.2.7
  cert-manager	v1.14.3
  CSI Driver	v0.7.1
  Firefly	v1.3.1
  Trust Manager	v0.8.0
  Venafi Connection	v0.0.19
  Venafi Enhanced Issuer	v0.12.0
  Venafi Kubernetes Agent	v0.1.45

Release 1.5.0¶

Venafi CLI tool 1.5.0 was released on February 9, 2024.

Breaking Changes¶

Updated flags in venctl iam service-accounts registry create¶

As of this version, the Venafi CLI tool introduces two critical flag changes that impact how you create service accounts for Venafi OCI registry access:

• Renamed Flag: --image-pull-secret-file is now --credential-file.
• Renamed Flag: --image-pull-secret-format is now --credential-format.

This change aligns with broader terminology within the Venafi CLI tool, and aims to simplify usage. Remember to update your commands accordingly to avoid errors.

Example:

• Venafi CLI tool 1.2.0 - 1.4.0:

  venctl iam service-accounts registry create --name sa --image-pull-secret-file my-secret.yaml --image-pull-secret-format secret
  

• Venafi CLI tool 1.5.0:

  venctl iam service-accounts registry create --name sa --credential-file my-credential.json --credential-format secret
  

Updated the output format of --credential-format secret for venctl iam service-accounts registry create¶

This update impacts how Venafi CLI tool generates service accounts for registry access with the --credential-format secret flag.

Previously, only the Kubernetes secret (in YAML format) was included in the output. Now, both client_id and the Kubernetes secret for image pulling (in YAML format) are provided under a JSON structure.

Output details

Upon successful execution of venctl iam service-accounts registry create --name sa --credential-file my-credential.json --credential-format secret, the output will include:

• client_id: The client identifier used for authentication with the registry.
• image_pull_secret: The Kubernetes secret encoded in YAML format, granting access to Venafi OCI registry artifacts.

Accessing the client ID and secret

To extract the image_pull_secret from the JSON output, use the following command:

jq -r '.image_pull_secret' < my-credential.json

To extract the client_id from the JSON output, use the following command:

jq -r '.client_id' < my-credential.json

Key features¶

• Service account creation for Venafi Kubernetes Agent

  A venctl iam service-accounts agent create command was added. This command allows you to create service accounts in Venafi Control Plane for your Venafi Kubernetes Agents.

• Service account listing

  A new venctl iam service-accounts list command was added. This command lists all service accounts in the Venafi Control Plane. For more information, see the venctl reference page.

• Service account description

  The venctl iam service-accounts show command has been renamed venctl iam service-accounts describe. It provides a description of a named service account in the Venafi Control Plane. For more information, see the venctl reference page.

• Venafi Improvements to the Venafi Kubernetes Manifest feature of Venafi CLI

  This release also sees updates to the way that the Venafi Manifest tool deploys cert-manager, and adds support for cert-manager v1.14.1 and later.

• Flag changes

  The --image-pull-secret-file and --image-pull-secret-format flags for the venctl iam service-accounts registry create command have been renamed to --credential-file and --credential-format, respectively.

Release 1.4.0¶

Venafi CLI tool 1.4.0 was released on January 25, 2024.

Key features¶

• FIPS support

This release includes support for FIPS-compliant versions of Docker images for Venafi components for Kubernetes. A --use-fips-images flag has been added to the venctl components kubernetes manifest generate command to install the desired component using the FIPS-compliant version of the component Docker image.

Release 1.3.2¶

Venafi CLI tool 1.3.2 was released on January 15, 2024.

Key features¶

• Service accounts show command

  A new venctl iam service-accounts show command was added. This command provides information on a named service account in the Venafi Control Plane. For more information, see the venctl reference page.

• Logging improvements

  This release sees improvements in logging to support the venctl iam service-accounts show command.

• Miscellaneous minor bug fixes

  Several minor bugs were also fixed in this release.

Release 1.3.1¶

Venafi CLI tool 1.3.1 was released on December 20, 2023.

Key features¶

• EU region service account deletion issue

  Release 1.3.1 fixes an issue where the venctl iam service-accounts delete command didn't work for service accounts using the EU Venafi Control Plane region.

Release 1.3.0¶

Venafi CLI tool 1.3.0 was released on December 15, 2023.

Key features¶

• Service account deletion

  Release 1.3.0 adds a new venctl iam service-accounts delete command for deleting service accounts in the Venafi Control Plane.

  For more information on how to use this feature, see Venafi CLI reference page.

• Venafi Kubernetes manifest for trust-manager

  This release addresses an issue in the Venafi Kubernetes manifest for the trust-manager. Previously, the generated manifest pulled the open-source image for the default trust package, now the enterprise trust-manager version is used unless another registry is configured.

Release 1.2.1¶

Venafi CLI tool 1.2.1 was released on December 7, 2023.

Key features¶

• macOS install script fix

  This release fixes an issue with the Bash script used to install the utility on the macOS platform when no GPG tool is installed.

Release 1.2.0¶

Venafi CLI tool 1.2.0 was released on December 6, 2023.

Key features¶

• Venafi Manifest Generator functionality

  This release sees the addition of Venafi Manifest Generator functionality to the Venafi CLI tool. You can now install Venafi Kubernetes components using the Venafi CLI utility.

  For more information on how to use this feature, see Venafi CLI reference page.

• Service account creation

  Release 1.2.0 adds a new venctl iam service-accounts registry create command for creating service accounts in the Venafi Control Plane for accessing container images from the private Venafi OCI registry.

  For more information on how to use this feature, see Venafi CLI reference page.

• Utility updates

  The release adds the venctl update command to update the venctl binary to the latest available stable version.

  For more information on how to use this feature, see Venafi CLI reference page.

Release 1.1.0¶

Venafi CLI tool 1.1.0 was released on November 3, 2023.

Key features¶

• Code signing

  This release introduces GPG code signing for the Venafi CLI binaries, enabling them to be verified for authenticity.

Release 1.0.2¶

Venafi CLI tool 1.0.2 was released on November 1, 2023.

Key features¶

• Bug fixes and enhancements

  This release of the Venafi CLI tool contains some bug fixes, and some small under-the-hood enhancements.

Release 1.0.0¶

Venafi CLI tool 1.0.0 was released on October 15, 2023.

Key features¶

• Connect Kubernetes clusters to Venafi Control Plane

  Venafi CLI provides a convenient way to connect Kubernetes clusters to Venafi Control Plane.

  To learn more, use the venctl installation cluster connect --help command.

Related links¶

• Venafi CLI tool overview
• Venafi CLI reference
• Installing the Venafi CLI tool