Installation

Prerequisites

This course assumes that you have access to a Venafi Trust Protection Platform (TPP) instance. venafi-oauth-helper is tested using Venafi TPP 20.4, and is known to work on TPP 21.0 and above.

To be able to use venafi-oauth-helper, you need to have access to a Kubernetes cluster. venafi-oauth-helper will require access to all Secret resources in your cluster.

You should Install cert-manager in your cluster. This will later be configured to use the access-token generated by venafi-oauth-helper.

You should Install kubectl, helm >= 3.8.0, and vcert >= 4.19.0 on your local machine.

Docker Images

The Docker images for venafi-oauth-helper are published to a private Docker registry at eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper and there is a Helm chart published to a private Helm registry at oci://eu.gcr.io/jetstack-secure-enterprise/charts.

There are Multi-architecture Docker images with image indexes for the following platforms: linux/amd64 linux/arm linux/arm64 linux/ppc64le linux/s390x

There are also FIPS compliant Docker images available at eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper-fips and these have the same version tags as the main Docker images.

Create a secret that will allow access to Jetstack image registry.

You will need a key to access the private images and Helm charts for TLS Protect for Kubernetes, in the container registry eu.gcr.io/jetstack-secure-enterprise.

You need to save this key to a Secret in the Kubernetes cluster and then patch the default Service Account in the jetstack-secure namespace, so that Kubernetes can authenticate with the Jetstack container registry and download the private Docker images.

Sign in to TLS Protect for Kubernetes and navigate to TLS Protect for Kubernetes > Organization > Private Images. Then click "CREATE IMAGE PULL SECRET" and follow the instructions for your cluster, substituting the namespace "default" with the namespace "jetstack-secure" in the commands in those instructions.

Helm Install

There is a Helm chart for venafi-oauth-helper in a private registry at oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-oauth-helper.

Here we install it in the jetstack-secure namespace and configure it to use the pull-secret that we created earlier.

helm upgrade demo oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-oauth-helper \
    --registry-config <(jsctl registry auth output --format=dockerconfig) \
    --wait \
    --install \
    --create-namespace \
    --namespace jetstack-secure \
    --set global.imagePullSecret[0].name="jss-pull-secret" \
    --version 0.3.0

Use FIPS compliant Docker images

You can use the FIPS Docker compliant images by overriding the controllerManager.manager.image.repository value of the Helm chart. E.g.:

VERSION=0.3.0
helm upgrade demo oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-oauth-helper \
    --registry-config <(jsctl registry auth output --format=dockerconfig) \
    --wait \
    --install \
    --create-namespace \
    --namespace jetstack-secure \
    --set global.imagePullSecret[0].name="jss-pull-secret" \
    --version $VERSION \
    --set controllerManager.manager.image.repository=eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper-fips \
    --set controllerManager.manager.image.tag=$VERSION

You should see that venafi-oauth-helper logs a version number with suffix -fips when it starts up:

kubectl -n venafi-oauth-helper-system logs deploy/demo-venafi-oauth-helper-controller-manager | jl

Next Steps

• Configure Venafi TPP
• Configure venafi-oauth-helper
• Configure cert-manager
• Verify the configuration