Important Announcement!

This deprecated version of TLS Protect for Kubernetes, originally known as Jetstack Secure, will be PERMANENTLY SHUT DOWN on May 19, 2025. If you're still using this version, please work with your CyberArk/Venafi account team to transition to the current version of TLS Protect for Kubernetes.

Configure cert-manager

Create a cert-manager Issuer (or ClusterIssuer), referencing a Secret, but do not create the Secret.

⚠ The Issuer's credentialsRef names a Secret that we did not create. That is intentional: it is the job of venafi-oauth-helper to create the Secret with the access-token required to access Venafi TPP.

kubectl apply -f- <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: issuer-1
spec:
  venafi:
    zone: "REPLACE_WITH_YOUR_VENAFI_POLICY_FOLDER"
    tpp:
      url: https://REPLACE_WITH_VENAFI_TPP_HOST/vedsdk
      caBundle: REPLACE_WITH_BASE64_ENCODED_CERT_CHAIN_TO_ACCESS_VENAFI
      credentialsRef:
        name: issuer-1-credentials
EOF

Check the status of the Issuer. It should be Ready.

kubectl get issuer issuer-1
kubectl describe issuer issuer-1
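The two checks above can be scripted so that a missing credentials Secret is told apart from an Issuer that is not Ready. This is an added example, not part of the original page or of venafi-oauth-helper; the function names are hypothetical, and it assumes the token is stored under the Secret key `access-token` and that kubectl's current namespace is the one holding issuer-1.

```shell
#!/bin/sh
# Added example: verify the Issuer from this page and its credentials Secret.
# Assumption: the Secret created for credentialsRef holds the token under
# the data key "access-token". Function names here are hypothetical.

# Print the status of the Issuer's Ready condition (True, False, Unknown),
# or nothing if the condition has not been set yet.
issuer_ready_status() {
  kubectl get issuer "$1" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
}

# Succeed only if the Secret exists and has a non-empty access-token value.
# The value is tested for presence only and is never printed or logged.
secret_has_token() {
  token=$(kubectl get secret "$1" \
    -o jsonpath='{.data.access-token}' 2>/dev/null) || return 1
  [ -n "$token" ]
}

# Exit codes: 0 = Issuer Ready, 1 = Issuer not Ready, 2 = Secret missing/empty.
check_issuer() {
  issuer=$1
  secret=$2
  if ! secret_has_token "$secret"; then
    echo "secret/$secret is missing or has no access-token"
    return 2
  fi
  ready=$(issuer_ready_status "$issuer") || ready=""
  if [ "$ready" != "True" ]; then
    echo "issuer/$issuer Ready=${ready:-<no condition>}"
    return 1
  fi
  echo "issuer/$issuer is Ready; credentials present in secret/$secret"
}

# Usage: check_issuer issuer-1 issuer-1-credentials
```

A return code of 2 points at the credentials Secret rather than at cert-manager or Venafi TPP, which narrows where to look when the Issuer does not become Ready.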
