Installation
Prerequisites
This guide assumes that you have access to a Venafi Trust Protection Platform (TPP) instance. venafi-oauth-helper is tested against Venafi TPP 20.4 and is known to work on TPP 21.0 and above.
To use venafi-oauth-helper you need access to a Kubernetes cluster. venafi-oauth-helper requires access to all Secret resources in the cluster (cluster-wide, not only its own namespace), so treat it as a privileged component and restrict who can change its Deployment and RBAC.
Install cert-manager in your cluster. It will later be configured to use the access token generated by venafi-oauth-helper.
Install kubectl, helm >= 3.8.0 and vcert >= 4.19.0 on your local machine.
Docker Images
The Docker images for venafi-oauth-helper are published to a private Docker registry at eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper and there is a Helm chart published to a private Helm registry at oci://eu.gcr.io/jetstack-secure-enterprise/charts.
The Docker images are multi-architecture image indexes covering linux/amd64, linux/arm, linux/arm64, linux/ppc64le and linux/s390x.
There are also FIPS-compliant Docker images at eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper-fips; these carry the same version tags as the main Docker images.
Create a secret that will allow access to the Jetstack image registry.
You will need a key to access the private images and Helm charts for TLS Protect for Kubernetes, in the container registry eu.gcr.io/jetstack-secure-enterprise.
You need to save this key to a Secret in the Kubernetes cluster and then patch the default Service Account in the jetstack-secure namespace, so that Kubernetes can authenticate with the Jetstack container registry and download the private Docker images.
Sign in to TLS Protect for Kubernetes and navigate to TLS Protect for Kubernetes > Organization > Private Images. Then click "CREATE IMAGE PULL SECRET" and follow the instructions for your cluster, substituting the namespace "default" with the namespace "jetstack-secure" in the commands in those instructions.
🔰 Read about how to Pull an Image from a Private Registry and how to Add ImagePullSecrets to a service account in the Kubernetes documentation
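As an added example (not part of the venafi-oauth-helper documentation or the instructions shown in the TLS Protect for Kubernetes UI), the script below renders the image pull Secret and the ServiceAccount patch for the jetstack-secure namespace without touching the cluster, and includes a decode step you can use to inspect a Secret when pods sit in ImagePullBackOff. It assumes the registry key is a GCP service-account JSON key used with the GCR `_json_key` username, and names the Secret jss-pull-secret to match the Helm command further down.

```shell
#!/usr/bin/env bash
# Added example, not from the venafi-oauth-helper docs.
# Assumptions: GCR "_json_key" username with the JSON key as password;
# Secret name "jss-pull-secret" in the "jetstack-secure" namespace.
set -eo pipefail

REGISTRY="eu.gcr.io"
NAMESPACE="jetstack-secure"
SECRET_NAME="jss-pull-secret"

# base64 without line wrapping, portable across GNU and BSD coreutils.
b64() { base64 | tr -d '\n'; }

# Build the .dockerconfigjson document. Using the "auth" field (base64 of
# "user:password") avoids JSON-escaping the key, which is itself a JSON file.
docker_config() {
  local keyfile="$1"
  local auth
  auth="$(printf '_json_key:%s' "$(cat "$keyfile")" | b64)"
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$REGISTRY" "$auth"
}

# Render a kubernetes.io/dockerconfigjson Secret manifest on stdout.
render_pull_secret() {
  local keyfile="$1"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
  namespace: ${NAMESPACE}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(docker_config "$keyfile" | b64)
EOF
}

# Strategic-merge patch that attaches the pull secret to the default
# ServiceAccount, so pods that do not list imagePullSecrets still get it.
render_sa_patch() {
  printf '{"imagePullSecrets":[{"name":"%s"}]}' "$SECRET_NAME"
}

# Decode a rendered manifest and recover the registry username. Handy when a
# pod is in ImagePullBackOff and you want to confirm what the Secret holds.
secret_username() {
  local manifest="$1"
  grep '.dockerconfigjson:' "$manifest" | awk '{print $2}' | base64 -d \
    | sed 's/.*"auth":"\([^"]*\)".*/\1/' | base64 -d | cut -d: -f1
}

# Usage against a real cluster (the kubectl calls are the deployment step):
#   render_pull_secret key.json > pull-secret.yaml
#   kubectl apply -f pull-secret.yaml
#   kubectl -n jetstack-secure patch serviceaccount default -p "$(render_sa_patch)"
```

Keep key.json and pull-secret.yaml out of version control; the manifest contains the registry credential in recoverable form, exactly as the decode step demonstrates.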
Helm Install
There is a Helm chart for venafi-oauth-helper in a private registry at oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-oauth-helper.
Here we install it in the jetstack-secure namespace and configure it to use the pull-secret that we created earlier.
helm upgrade demo oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-oauth-helper \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --wait \
  --install \
  --create-namespace \
  --namespace jetstack-secure \
  --set global.imagePullSecret[0].name="jss-pull-secret" \
  --version 0.3.0
⚠️ Helm 3.8.0 or above is required to be able to use the oci:// protocol. If you are using Helm 3.7, you can still use the feature by setting HELM_EXPERIMENTAL_OCI=1. Alternatively, you can download the venafi-oauth-helper.tgz Helm package on the releases page.
🔰 Read about Helm 3 support for OCI package distribution.
Use FIPS compliant Docker images
You can use the FIPS-compliant Docker images by overriding the controllerManager.manager.image.repository value of the Helm chart. E.g.:
VERSION=0.3.0
helm upgrade demo oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-oauth-helper \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --wait \
  --install \
  --create-namespace \
  --namespace jetstack-secure \
  --set global.imagePullSecret[0].name="jss-pull-secret" \
  --version $VERSION \
  --set controllerManager.manager.image.repository=eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper-fips \
  --set controllerManager.manager.image.tag=$VERSION
⚠ Make sure that the chart --version flag matches the image tag version; deriving both from one VERSION variable, as above, prevents the chart templates and the controller binary from drifting apart.
You should see that venafi-oauth-helper logs a version number with the suffix -fips when it starts up (jl is an optional JSON log prettifier; omit it to see the raw JSON lines). The Deployment lives in the namespace you passed to helm, jetstack-secure in this guide:
kubectl -n jetstack-secure logs deploy/demo-venafi-oauth-helper-controller-manager | jl
[2022-03-17 13:25:54] INFO: starting [client-id=cert-manager.io enable-leader-election=true features= logger=setup metrics-addr=127.0.0.1:8080 version=v0.3.0-fips]
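The following pre-flight and post-install checks are an added example, not part of the venafi-oauth-helper project: they cover the Helm 3.8.0 requirement for oci://, building the FIPS --set flags from a single VERSION so the chart version and image tag cannot diverge, and confirming from the startup log line and the Deployment's image reference that the FIPS build is actually running. The namespace, release name and FIPS repository path are taken from the commands above; the jsonpath for the container image assumes the manager container is the one whose image you want to check.

```shell
#!/usr/bin/env bash
# Added example, not from the venafi-oauth-helper docs. Assumed names:
# release "demo", namespace "jetstack-secure", FIPS repository
# eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper-fips.
set -eo pipefail

REGISTRY="eu.gcr.io/jetstack-secure-enterprise"

# True when $1 (e.g. "v3.7.2" from `helm version --template '{{.Version}}'`)
# is >= 3.8.0, the first release where oci:// works without
# HELM_EXPERIMENTAL_OCI=1.
helm_supports_oci() {
  local v="${1#v}"
  [ "$(printf '%s\n%s\n' "3.8.0" "$v" | sort -V | head -n1)" = "3.8.0" ]
}

# Build the FIPS flags for `helm upgrade` from one version string, so the
# chart --version and the image tag are always identical.
fips_helm_args() {
  local version="$1"
  printf '%s %s %s %s %s %s' \
    --version "$version" \
    --set "controllerManager.manager.image.repository=${REGISTRY}/venafi-oauth-helper-fips" \
    --set "controllerManager.manager.image.tag=${version}"
}

# Return 0 when a startup log line reports the expected version with the
# -fips suffix (the format matches the jl-rendered line in the docs).
log_is_fips() {
  local line="$1" version="$2"
  case "$line" in
    *"version=v${version}-fips"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when a container image reference uses the FIPS repository and a
# tag equal to the chart version.
image_is_fips() {
  local image="$1" version="$2"
  [ "$image" = "${REGISTRY}/venafi-oauth-helper-fips:${version}" ]
}

# Usage against a live cluster (not executed here):
#   helm_supports_oci "$(helm version --template '{{.Version}}')" || { echo "helm >= 3.8.0 required"; exit 1; }
#   helm upgrade demo oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-oauth-helper \
#     --install --create-namespace --namespace jetstack-secure --wait \
#     --set global.imagePullSecret[0].name="jss-pull-secret" $(fips_helm_args 0.3.0)
#   image_is_fips "$(kubectl -n jetstack-secure get deploy/demo-venafi-oauth-helper-controller-manager \
#       -o jsonpath='{.spec.template.spec.containers[0].image}')" 0.3.0
#   log_is_fips "$(kubectl -n jetstack-secure logs deploy/demo-venafi-oauth-helper-controller-manager | head -n1)" 0.3.0
```

Checking the image reference as well as the log line matters: the log proves what the running process was built from, while the Deployment spec proves what will be pulled on the next restart or rollout.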