Important Announcement!

This deprecated version of TLS Protect for Kubernetes, originally known as Jetstack Secure, will be PERMANENTLY SHUT DOWN on May 19, 2025. If you're still using this version, please work with your CyberArk/Venafi account team to transition to the current version of TLS Protect for Kubernetes.

Venafi Control Plane integrations (Preview)

TLS Protect for Kubernetes offers a number of components and resources for a Venafi TLS Protect user. These components and resources can be installed using a single TLS Protect for Kubernetes Operator Installation resource.

Configure access to the enterprise registry

🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.

For the example below, we assume you created the following Kubernetes Secret:

  namespace: jetstack-secure
  name: jse-gcr-creds

Configure a VenafiConnection using an Installation resource

Read the venafi-connection documentation to learn more about how to configure this VenafiConnection, then fill in the required details in the Installation spec below.

apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: venafi-setup
spec:
  certManager: {}
  approverPolicyEnterprise: {}
  venafiEnhancedIssuer: {}
  images:
    secret: jse-gcr-creds # see https://platform.jetstack.io/documentation/configuration/js-operator/quickstart
  venafiConnections:
  - name: tpp-connection
    <VenafiConnection spec https://platform.jetstack.io/documentation/reference/venafi-connection/kubernetes-api#venaficonnectionspec>
  ...

Create an example Installation with a Venafi issuer and a Venafi policy

Read the venafi-enhanced-issuer documentation to learn more about how to configure this issuer, and the approver-policy-enterprise documentation to learn more about how to configure this policy. Fill in the required details in the Installation spec below and apply it.

apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: venafi-installation
spec:
  certManager: {}
  approverPolicyEnterprise: {}
  venafiEnhancedIssuer: {}
  images:
    secret: jse-gcr-creds # reference to the existing secret created in the previous step. This will be applied as image pull secret for all component images.
  venafiConnections:
  - name: venafi-connection
    <VenafiConnection spec https://platform.jetstack.io/documentation/reference/venafi-connection/kubernetes-api#venaficonnectionspec>
  issuers:
  - name: web-issuer
    clusterScope: true
    venafiEnhancedIssuer:
      venafiConnectionName: venafi-connection
      zone: "application-1\\web"
    policy:
      subjects:
        certManager: true
      allowed:
        commonName:
          value: "*"
        dnsNames:
          values: [ "*" ]
      plugins:
        venafi:
          venafiConnectionName: venafi-connection
          zone: "application-1\\web"

For this Installation, the TLS Protect for Kubernetes Operator will create:

  • a cert-manager installation in the jetstack-secure Namespace with the default approver disabled, so CertificateRequests are only approved by approver-policy-enterprise

  • an approver-policy-enterprise installation in the jetstack-secure Namespace

  • a venafi-enhanced-issuer installation in the jetstack-secure Namespace

  • a VenafiClusterIssuer named web-issuer

  • a default, 'all allowed' CertificateRequestPolicy for the issuer (any commonName and dnsNames pass the cert-manager-side policy; the Venafi zone policy referenced by the plugin is what constrains requested names)

  • RBAC that allows the cert-manager ServiceAccount to use the created CertificateRequestPolicy

  • Depending on web-issuer configuration, if additional RBAC is required for venafi-enhanced-issuer to read secrets or use token request API, the operator will create this RBAC. See venafi-enhanced-issuer docs for more detail.
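The Installation above wires the issuer and the policy plugin to the same VenafiConnection and zone, and ships with the 'all allowed' policy described in the list. The following is an added example, not part of the operator or its documentation: a pre-apply linter that checks those cross-references and flags the wide-open policy before kubectl ever sees the manifest. The INSTALLATION dict is a constructed copy of the manifest on this page; check_installation() and narrow_names() are hypothetical helpers, and the narrowed "*.example.com" value is illustrative of a tighter allowed-names setting.

```python
"""Pre-apply checks for a TLS Protect for Kubernetes Installation manifest.

Added example, not the operator's own tooling. INSTALLATION is a
constructed copy of the venafi-installation manifest on this page;
check_installation() and narrow_names() are hypothetical helpers.
"""
import copy
from typing import Any, Dict, List, Set

# Constructed input: mirrors the venafi-installation manifest above.
INSTALLATION: Dict[str, Any] = {
    "apiVersion": "operator.jetstack.io/v1alpha1",
    "kind": "Installation",
    "metadata": {"name": "venafi-installation"},
    "spec": {
        "certManager": {},
        "approverPolicyEnterprise": {},
        "venafiEnhancedIssuer": {},
        "images": {"secret": "jse-gcr-creds"},
        "venafiConnections": [{"name": "venafi-connection"}],
        "issuers": [{
            "name": "web-issuer",
            "clusterScope": True,
            "venafiEnhancedIssuer": {
                "venafiConnectionName": "venafi-connection",
                "zone": "application-1\\web",
            },
            "policy": {
                "subjects": {"certManager": True},
                "allowed": {"commonName": {"value": "*"},
                            "dnsNames": {"values": ["*"]}},
                "plugins": {"venafi": {
                    "venafiConnectionName": "venafi-connection",
                    "zone": "application-1\\web",
                }},
            },
        }],
    },
}


def _declared_connections(spec: Dict[str, Any]) -> Set[str]:
    """Names listed under spec.venafiConnections."""
    return {c["name"] for c in spec.get("venafiConnections", []) if "name" in c}


def check_installation(manifest: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the manifest passed.

    ERROR findings would leave the issuer or policy unable to reach Venafi.
    WARN findings are security caveats to decide on before applying.
    """
    findings: List[str] = []
    spec = manifest.get("spec", {})
    connections = _declared_connections(spec)

    if not spec.get("images", {}).get("secret"):
        findings.append("ERROR spec.images.secret is unset; enterprise images need the registry pull secret")

    for issuer in spec.get("issuers", []):
        name = issuer.get("name", "<unnamed>")
        vei = issuer.get("venafiEnhancedIssuer", {})
        conn = vei.get("venafiConnectionName")
        if conn not in connections:
            findings.append(f"ERROR issuer {name}: venafiConnectionName {conn!r} is not declared in spec.venafiConnections")

        policy = issuer.get("policy")
        if not policy:
            continue
        plugin = policy.get("plugins", {}).get("venafi", {})
        pconn = plugin.get("venafiConnectionName")
        if pconn is not None and pconn not in connections:
            findings.append(f"ERROR issuer {name}: policy plugin venafiConnectionName {pconn!r} is not declared in spec.venafiConnections")
        if plugin and plugin.get("zone") != vei.get("zone"):
            findings.append(f"WARN issuer {name}: policy plugin zone {plugin.get('zone')!r} differs from issuer zone {vei.get('zone')!r}; approval and issuance would use different zones")

        allowed = policy.get("allowed", {})
        cn = allowed.get("commonName", {}).get("value")
        dns = allowed.get("dnsNames", {}).get("values", [])
        if cn == "*" and "*" in dns:
            findings.append(f"WARN issuer {name}: policy allows any commonName and dnsNames; only the Venafi zone policy constrains requested names")
    return findings


def narrow_names(manifest: Dict[str, Any], pattern: str) -> Dict[str, Any]:
    """Return a copy whose policies allow only names matching `pattern`.

    Illustrative tightening of the 'all allowed' default; the value syntax
    (for example "*.example.com") is assumed to follow approver-policy's
    wildcard rules.
    """
    out = copy.deepcopy(manifest)
    for issuer in out["spec"].get("issuers", []):
        allowed = issuer.get("policy", {}).setdefault("allowed", {})
        allowed["commonName"] = {"value": pattern}
        allowed["dnsNames"] = {"values": [pattern]}
    return out


if __name__ == "__main__":
    for line in check_installation(INSTALLATION):
        print(line)
```

Run against the page's manifest, the checker reports a single WARN for the wildcard policy; pointing spec.venafiConnections at a name the issuer does not use turns that into two ERROR findings, which is the kind of typo that otherwise only surfaces as a failed Installation condition after apply.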

ℹī¸ You can mount one or more extra CA certificates into the approver-policy-enterprise Pod by storing the PEM encoded ca.crt file in a ConfigMap in the jetstack-secure namespace, and supplying the name of the ConfigMap via the Installation.spec.approverPolicyEnterprise.caSources field.

You will need to do this if your TPP server uses a serving certificate signed by an internal certificate authority (CA). For example:

approverPolicyEnterprise:
  caSources:
  - name: ca-cert-tpp
    kind: ConfigMap

📖 Read more about Configuring Custom CA Certificates for approver-policy-enterprise.
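The caSources ConfigMap only needs the CA's PEM under the ca.crt key, but it is easy to paste a whole PEM bundle, including a private key, into a ConfigMap that any reader of the namespace can see. As an added example (not the project's own tooling), the helper below builds the ca-cert-tpp ConfigMap named on this page and refuses input that carries no CERTIFICATE block or that contains a PRIVATE KEY block. The PEM is a constructed placeholder with valid framing only, not a real certificate; validate_ca_pem() and ca_configmap() are hypothetical names.

```python
"""Build the ConfigMap that carries an internal CA for approver-policy-enterprise.

Added example, not part of the operator or its documentation. Uses the
ConfigMap name and ca.crt key shown on this page; the PEM below is a
constructed placeholder, so only the PEM framing is validated.
"""
import re
from typing import Any, Dict, List

NAMESPACE = "jetstack-secure"
CONFIGMAP_NAME = "ca-cert-tpp"

# Constructed placeholder: PEM framing only, not a parseable certificate.
INTERNAL_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDERBASE64CONTENTFORTHEINTERNALCA==\n"
    "-----END CERTIFICATE-----\n"
)

_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE-----"
)
_KEY_BLOCK = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def validate_ca_pem(pem: str) -> str:
    """Return "" if `pem` is acceptable for a CA ConfigMap, else the reason."""
    if _KEY_BLOCK.search(pem):
        # A ConfigMap is not a Secret: never let key material land here.
        return "PEM contains a private key; refusing to place it in a ConfigMap"
    if not _CERT_BLOCK.search(pem):
        return "PEM contains no CERTIFICATE block"
    return ""


def ca_configmap(pem: str, name: str = CONFIGMAP_NAME,
                 namespace: str = NAMESPACE) -> Dict[str, Any]:
    """Return a ConfigMap manifest holding the CERTIFICATE blocks of `pem` under ca.crt."""
    reason = validate_ca_pem(pem)
    if reason:
        raise ValueError(reason)
    blocks: List[str] = _CERT_BLOCK.findall(pem)  # drop anything outside the blocks
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"ca.crt": "\n".join(blocks) + "\n"},
    }


if __name__ == "__main__":
    print(ca_configmap(INTERNAL_CA_PEM))
```

Only the CERTIFICATE blocks are copied into ca.crt, so comments or bag attributes that tools such as openssl prepend to exported PEM never reach the ConfigMap. Apply the resulting manifest to the jetstack-secure namespace before the Installation that references it.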

Wait for the Installation to become ready:

kubectl wait --for=condition=Ready installation/venafi-installation

This should not take more than a few minutes.

Observe the status conditions the operator reports for the created components and resources:

kubectl get installation venafi-installation -ojsonpath='{range .status.conditions[*]}{"type:"}{.type}{" status:"}{.status}{" reason:"}{.reason}{" message:"}{.message}{"\n"}{end}'

Observe the created VenafiClusterIssuer and CertificateRequestPolicy:

kubectl get venaficlusterissuer,certificaterequestpolicy -oyaml

Create a Certificate resource that uses the new issuer:

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: venafi-certificate
spec:
  secretName: venafi-certificate
  commonName: example.com
  issuerRef:
    name: web-issuer
    kind: VenafiClusterIssuer
    group: jetstack.io
EOF

Wait for the certificate to be issued:

kubectl wait --for condition=Ready=True certificate/venafi-certificate