Issue and approve certificates with Venafi Control Plane

Learn how to configure Venafi Control Plane, cert-manager, approver-policy-enterprise, and venafi-enhanced-issuer so that application teams can help themselves to SSL certificates which comply with enterprise PKI policy.



Prerequisites

Kubernetes Cluster: You will need a Kubernetes cluster >=1.21 and you will need credentials with administrative privileges. You can use minikube or kind to quickly start a Kubernetes cluster on your laptop.

Helm: Helm is a package manager for Kubernetes which you will use to install the TLS Protect for Kubernetes software. Install it on your laptop by following the Helm Installation documentation.

TLS Protect for Kubernetes subscription: You will need to be a subscriber of the "TLS Protect for Kubernetes Enterprise +" tier to access the Docker images and Helm charts.

Create a jetstack-secure Namespace

It is recommended to install all the TLS Protect for Kubernetes components in a single namespace called jetstack-secure:

kubectl create ns jetstack-secure

Configure access to the enterprise registry

If jsctl is not yet installed, the following script will install it for you. More info can be found on the releases page.

curl -fsSL https://raw.githubusercontent.com/jetstack/jsctl/main/install.sh | sh

Make sure that you are logged in to jsctl:

jsctl auth login

Then, select an organization (you can list the organizations with jsctl organizations list):

jsctl config set organization <name>

Finally, configure the Docker registry credentials:

kubectl -n jetstack-secure apply -f <(jsctl registry auth output --format=secret)

🔑 Your organization must be subscribed to the "TLS Protect for Kubernetes Enterprise +" tier in order to access the Docker registry. A permission error message will be shown if that is not the case.

🔑 To learn more about how the above Docker configuration works, read Access to enterprise components.

Install cert-manager

Install cert-manager using the TLS Protect for Kubernetes images and Helm chart, disabling cert-manager's built-in approver so that CertificateRequests are approved only by approver-policy-enterprise (installed in the next step).

🔗 cert-manager.values.yaml

global:
  imagePullSecrets:
  - name: jse-gcr-creds
installCRDs: true
extraArgs:
- "--controllers=*,-certificaterequests-approver" # ⚠ Disable cert-manager's built-in approver
image:
  repository: eu.gcr.io/jetstack-secure-enterprise/cert-manager-controller
acmesolver:
  image:
    repository: eu.gcr.io/jetstack-secure-enterprise/cert-manager-acmesolver
webhook:
  image:
    repository: eu.gcr.io/jetstack-secure-enterprise/cert-manager-webhook
cainjector:
  image:
    repository: eu.gcr.io/jetstack-secure-enterprise/cert-manager-cainjector
startupapicheck:
  image:
    repository: eu.gcr.io/jetstack-secure-enterprise/cert-manager-ctl

helm upgrade cert-manager oci://eu.gcr.io/jetstack-secure-enterprise/charts/cert-manager \
--registry-config <(jsctl registry auth output --format=dockerconfig) \
--install \
--wait \
--namespace jetstack-secure \
--create-namespace \
--values cert-manager.values.yaml \
--version v1.12.1

Install approver-policy-enterprise

🔗 approver-policy-enterprise.values.yaml

cert-manager-approver-policy:
  imagePullSecrets:
  - name: jse-gcr-creds
  app:
    # ⚠ Allow `approver-policy` to also approve CertificateRequests for `venafi-enhanced-issuer`:
    approveSignerNames:
    - "issuers.cert-manager.io/*"
    - "clusterissuers.cert-manager.io/*"
    - "venaficlusterissuers.jetstack.io/*"
    - "venafiissuers.jetstack.io/*"
venafiConnection:
  include: true

helm upgrade approver-policy-enterprise oci://eu.gcr.io/jetstack-secure-enterprise/charts/approver-policy-enterprise \
--registry-config <(jsctl registry auth output --format=dockerconfig) \
--install \
--wait \
--namespace jetstack-secure \
--values approver-policy-enterprise.values.yaml \
--version v0.11.0

💡 More information can be found in the Installing approver-policy documentation.

Install venafi-enhanced-issuer

🔗 venafi-enhanced-issuer.values.yaml

global:
  imagePullSecrets:
  - name: jse-gcr-creds
venafiConnection:
  # The VenafiConnection CRDs & RBAC were already installed by 'approver-policy-enterprise' (see above)
  include: false

helm upgrade venafi-enhanced-issuer oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-enhanced-issuer \
--registry-config <(jsctl registry auth output --format=dockerconfig) \
--install \
--wait \
--namespace jetstack-secure \
--values venafi-enhanced-issuer.values.yaml \
--version v0.8.0

💡 More information can be found in the Installing venafi-enhanced-issuer documentation.
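The three installs above only achieve the intended control if cert-manager's built-in approver is really disabled and every signer your workloads use is covered by approveSignerNames; otherwise requests are either approved outside policy or sit forever unapproved. The following audit script is an added example, not part of this documentation or of the TLS Protect for Kubernetes tooling: it classifies the items of a CertificateRequest list (the JSON shape `kubectl get certificaterequests -A -o json` returns) against the approveSignerNames copied from the values file above. It assumes the `Approved` condition reason is `cert-manager.io` for the built-in approver and `policy.cert-manager.io` for approver-policy, treats `*` in a signer pattern as a plain glob, and uses constructed sample objects whose names and signer values are illustrative.

```python
import fnmatch

APPROVE_SIGNER_NAMES = [  # copied from approver-policy-enterprise.values.yaml
    "issuers.cert-manager.io/*",
    "clusterissuers.cert-manager.io/*",
    "venaficlusterissuers.jetstack.io/*",
    "venafiissuers.jetstack.io/*",
]
BUILTIN_REASON = "cert-manager.io"        # Approved reason set by cert-manager's default approver (assumed)
POLICY_REASON = "policy.cert-manager.io"  # Approved reason set by approver-policy (assumed)

def signer_covered(signer_name, patterns=APPROVE_SIGNER_NAMES):
    # Assumed glob semantics: '*' matches any run of characters, '/' included.
    return any(fnmatch.fnmatchcase(signer_name, p) for p in patterns)

def approval_reason(cr):
    # Reason of the Approved=True condition, or None if the request is not approved.
    for cond in cr.get("status", {}).get("conditions", []):
        if cond.get("type") == "Approved" and cond.get("status") == "True":
            return cond.get("reason")
    return None

def audit(cr_list):
    # Classify each item of a `kubectl get certificaterequests -A -o json` list.
    findings = {}
    for cr in cr_list["items"]:
        key = cr["metadata"]["namespace"] + "/" + cr["metadata"]["name"]
        reason = approval_reason(cr)
        if reason == BUILTIN_REASON:
            findings[key] = "builtin-approved"  # default approver is still enabled
        elif not signer_covered(cr["spec"]["signerName"]):
            findings[key] = "uncovered-signer"  # approver-policy will never act on it
        elif reason == POLICY_REASON:
            findings[key] = "policy-approved"
        else:
            findings[key] = "pending"
    return findings

def _cr(ns, name, signer, reason=None):
    conds = [{"type": "Approved", "status": "True", "reason": reason}] if reason else []
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"signerName": signer}, "status": {"conditions": conds}}

# Constructed sample list; namespaces, names and issuer names are illustrative.
SAMPLE = {"items": [
    _cr("apps", "web-tls", "venafiissuers.jetstack.io/jetstack-secure.venafi-issuer", POLICY_REASON),
    _cr("apps", "legacy", "issuers.cert-manager.io/apps.selfsigned", BUILTIN_REASON),
    _cr("apps", "external", "awspcaclusterissuers.awspca.cert-manager.io/root"),
    _cr("apps", "new", "venaficlusterissuers.jetstack.io/venafi-cluster-issuer"),
]}
```

A `builtin-approved` finding means the `--controllers=*,-certificaterequests-approver` argument did not take effect; an `uncovered-signer` finding means the signer must be added to approveSignerNames before any CertificateRequestPolicy can approve it.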

Next Steps
