Issue and approve certificates with Venafi Control Plane
Learn how to configure Venafi Control Plane, cert-manager, approver-policy-enterprise, and venafi-enhanced-issuer so that application teams can help themselves to SSL certificates which comply with enterprise PKI policy.
Create a Cluster Issuer
Now that you've installed all the prerequisite software in your cluster, it's time to configure a cluster issuer.
ℹ️ VenafiClusterIssuer is recommended in this scenario because it prevents individual teams from altering the configuration of the connection to Venafi, which should be the responsibility of the platform team.
This job would typically be performed by the platform team.
The following example shows a cluster issuer resource which uses a Kubernetes ServiceAccount token to authenticate to HashiCorp Vault, which contains the credentials for Venafi TPP.
# venafi-cluster-issuer.yaml
apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: application-team-1
spec:
  venafiConnectionName: application-team-1-connection
  zone: \VED\Policy\Teams\application-team-1
kubectl apply -f venafi-cluster-issuer.yaml
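The split of duties described above, shown from the application team's side. This is an added example, not part of the original page or the Venafi documentation. The namespace, group, host name and Secret name are assumptions; only the issuer name, kind and API group come from the manifest above.

```yaml
# Added example (not from the Venafi documentation). Assumed names: the
# namespace "application-team-1", the group "application-team-1-developers",
# the host "app.example.com" and the Secret "app-example-com-tls".
---
# Namespaced Role: the team may manage Certificate resources in its own namespace.
# It contains no rule for the jetstack.io API group, and a namespaced Role
# cannot grant access to a cluster-scoped resource such as VenafiClusterIssuer.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: certificate-requester
  namespace: application-team-1
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: certificate-requester
  namespace: application-team-1
subjects:
  - kind: Group
    name: application-team-1-developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: certificate-requester
  apiGroup: rbac.authorization.k8s.io
---
# Certificate created by the application team. issuerRef points at the
# cluster issuer by group, kind and name; the zone and the Venafi
# connection are not settable from here.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-example-com
  namespace: application-team-1
spec:
  secretName: app-example-com-tls
  commonName: app.example.com
  dnsNames:
    - app.example.com
  issuerRef:
    group: jetstack.io
    kind: VenafiClusterIssuer
    name: application-team-1
```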