Important Announcement!

This deprecated version of TLS Protect for Kubernetes, originally known as Jetstack Secure, will be PERMANENTLY SHUT DOWN on May 19, 2025. If you're still using this version, please work with your CyberArk/Venafi account team to transition to the current version of TLS Protect for Kubernetes.

Quickstart (Preview)

Configure access to the enterprise registry

🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.

For the example below, we assume you created the following Kubernetes Secret:

  • namespace: jetstack-secure

  • name: jse-gcr-creds

Create an example Installation with a self-signed issuer

Apply Installation resource:

kubectl apply -f - <<EOF
apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: quickstart-example
spec:
  certManager: {}
  approverPolicy: {}
  images:
    secret: jse-gcr-creds # see https://platform.jetstack.io/documentation/configuration/js-operator/quickstart
  issuers:
    - name: quickstart-issuer
      clusterScope: true
      selfSigned: {}
EOF

For this Installation, the TLS Protect for Kubernetes Operator will create:

  • cert-manager installation in jetstack-secure Namespace

  • approver-policy installation in jetstack-secure Namespace

  • a self-signed [1] cert-manager ClusterIssuer quickstart-issuer

  • a default, 'all allowed' CertificateRequestPolicy for the issuer

  • RBAC that allows cert-manager ServiceAccount to use the CertificateRequestPolicy

Wait for the Installation to become ready:

kubectl wait --for=condition=Ready installation/quickstart-example

This should not take more than a few minutes.

Inspect the Installation's status conditions for information about the created components and resources:

kubectl get installation quickstart-example -ojsonpath='{range .status.conditions[*]}{"type:"}{.type}{" status:"}{.status}{" reason:"}{.reason}{" message:"}{.message}{"\n"}{end}'

Inspect the created ClusterIssuer:

kubectl get clusterissuer/quickstart-issuer -oyaml

Create a Certificate resource:

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: quickstart-cert
spec:
  secretName: quickstart-cert
  dnsNames:
    - "example.com"
  issuerRef:
    name: quickstart-issuer
    kind: ClusterIssuer
    group: cert-manager.io
EOF

Check that the Certificate becomes ready:

kubectl get certificate/quickstart-cert
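
The 'all allowed' CertificateRequestPolicy created for this Installation permits any request to quickstart-issuer. For comparison, the following added example (not from the original page and not the operator's generated resources) shows a narrower approver-policy policy for the same issuer, together with the RBAC that lets cert-manager use it. Assumptions: the policy and role names, the cert-manager ServiceAccount name and the key constraints; approver-policy approves a request when any policy available to the requester permits it, so this narrows issuance only where the all-allowed policy is not also in effect.

```yaml
# Added example, not the operator's generated policy. Values marked "assumption" are hypothetical.
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: quickstart-restricted        # assumption
spec:
  allowed:
    dnsNames:
      required: true                 # requests without a DNS name are not permitted
      values: ["example.com"]        # the name the quickstart Certificate requests
    usages:                          # cert-manager's default usages plus server auth
      - "digital signature"
      - "key encipherment"
      - "server auth"
    # isCA, commonName, ipAddresses, uris, emailAddresses and subject are left
    # out, so a request that sets any of them is not permitted by this policy.
  constraints:
    privateKey:                      # assumption: RSA keys of at least 2048 bits
      algorithm: RSA
      minSize: 2048
  selector:
    issuerRef:                       # applies only to the quickstart issuer
      name: quickstart-issuer
      kind: ClusterIssuer
      group: cert-manager.io
---
# The requester needs the "use" verb on the policy for it to be considered.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: quickstart-restricted-use    # assumption
rules:
  - apiGroups: ["policy.cert-manager.io"]
    resources: ["certificaterequestpolicies"]
    verbs: ["use"]
    resourceNames: ["quickstart-restricted"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: quickstart-restricted-use    # assumption
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: quickstart-restricted-use
subjects:
  - kind: ServiceAccount
    name: cert-manager               # assumption: the ServiceAccount name is not given on the page
    namespace: jetstack-secure
```
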

Next steps

View more detailed configuration guides:

[1] The self-signed issuer type is not recommended for use in production.
