Venafi Control Plane integrations (Preview)

TLS Protect for Kubernetes offers a number of components and resources for a Venafi TLS Protect user.

All of these components and resources can be installed with a single TLS Protect for Kubernetes Operator Installation resource.

Configure access to the enterprise registry

🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.

For the examples below, we assume you created the following Kubernetes Secret:

  • namespace: jetstack-secure
  • name: jse-gcr-creds

Configure a VenafiConnection using an Installation resource

Read the venafi-connection documentation to learn how to configure a VenafiConnection, then fill in the required details in the Installation spec below.

apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: venafi-setup
spec:
  certManager: {}
  approverPolicyEnterprise: {}
  venafiEnhancedIssuer: {}
  images:
    secret: jse-gcr-creds # see https://platform.jetstack.io/documentation/configuration/js-operator/quickstart
  venafiConnections:
    - name: tpp-connection
      <VenafiConnection spec https://platform.jetstack.io/documentation/reference/venafi-connection/kubernetes-api#venaficonnectionspec>
      ...

Create an example Installation with a Venafi issuer and a Venafi policy

Read the venafi-enhanced-issuer documentation to learn how to configure this issuer, and the approver-policy-enterprise documentation to learn how to configure this policy. Fill in the required details in the Installation spec below and apply it.

apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: venafi-installation
spec:
  certManager: {}
  approverPolicyEnterprise: {}
  venafiEnhancedIssuer: {}
  images:
    secret: jse-gcr-creds # reference to the existing Secret created in the previous step; applied as the image pull secret for all component images
  venafiConnections:
    - name: venafi-connection
      <VenafiConnection spec https://platform.jetstack.io/documentation/reference/venafi-connection/kubernetes-api#venaficonnectionspec>
  issuers:
    - name: web-issuer
      clusterScope: true
      venafiEnhancedIssuer:
        venafiConnectionName: venafi-connection
        zone: "application-1\\web"
      policy:
        subjects:
          certManager: true
        allowed:
          commonName:
            value: "*"
          dnsNames:
            values: [ "*" ]
        plugins:
          venafi:
            venafiConnectionName: venafi-connection
            zone: "application-1\\web"

For this Installation, the TLS Protect for Kubernetes Operator will create:

  • a cert-manager installation in the jetstack-secure Namespace with the default approver disabled, so no CertificateRequest is issued unless a CertificateRequestPolicy approves it

  • an approver-policy-enterprise installation in the jetstack-secure Namespace

  • a venafi-enhanced-issuer installation in the jetstack-secure Namespace

  • a VenafiClusterIssuer named web-issuer

  • a default, 'all allowed' CertificateRequestPolicy for the issuer (commonName and dnsNames are both "*"; the plugins.venafi entry still evaluates each request against the configured Venafi zone, so the effective constraints are those of the zone policy)

  • RBAC that allows the cert-manager ServiceAccount to use the created CertificateRequestPolicy

  • depending on the web-issuer configuration, any additional RBAC venafi-enhanced-issuer needs to read Secrets or use the TokenRequest API. See the venafi-enhanced-issuer docs for more detail.

ℹ️ You can mount one or more extra CA certificates into the approver-policy-enterprise Pod by storing the PEM encoded ca.crt file in a ConfigMap in the jetstack-secure namespace and supplying the name of the ConfigMap via the Installation.spec.approverPolicyEnterprise.caSources field.

You will need to do this if your TPP server uses a serving certificate signed by an internal certificate authority (CA). For example:

approverPolicyEnterprise:
  caSources:
    - name: ca-cert-tpp
      kind: ConfigMap

📖 Read more about Configuring Custom CA Certificates for approver-policy-enterprise.
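Before publishing the bundle, it is worth checking that the file really is a certificate-only PEM bundle: a ConfigMap is not a Secret, and a private key pasted in by mistake becomes readable to anyone who can read ConfigMaps in jetstack-secure. The script below is an added example, not code from the TLS Protect for Kubernetes docs or operator. The ConfigMap name ca-cert-tpp, the namespace jetstack-secure and the key ca.crt are taken from the page; the check itself and the placeholder PEM bundles are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight check for the CA ConfigMap referenced by
# Installation.spec.approverPolicyEnterprise.caSources.
# Added example, not code from the TLS Protect for Kubernetes docs.

# pem_cert_count FILE: print the number of CERTIFICATE blocks in FILE and
# return non-zero unless FILE is a well-formed, certificate-only PEM bundle:
#   - the file is readable and holds at least one certificate
#   - every BEGIN CERTIFICATE is matched by an END CERTIFICATE
#   - no private-key block is present
pem_cert_count() {
  f=$1
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  # grep -c exits 1 when the count is 0; "|| true" keeps set -e callers alive
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
  keys=$(grep -c 'PRIVATE KEY-----' "$f" || true)
  printf '%s\n' "$begins"
  [ "$begins" -gt 0 ] || { echo "no certificate found in $f" >&2; return 1; }
  [ "$begins" -eq "$ends" ] || { echo "unbalanced BEGIN/END CERTIFICATE in $f" >&2; return 1; }
  [ "$keys" -eq 0 ] || { echo "refusing: $f contains private key material" >&2; return 1; }
}

# ca_configmap_manifest FILE: render the ConfigMap that the caSources entry
# refers to, but only for a bundle that passed the check. Needs kubectl;
# the client-side dry run writes nothing to the cluster.
ca_configmap_manifest() {
  pem_cert_count "$1" >/dev/null || return 1
  kubectl create configmap ca-cert-tpp --namespace jetstack-secure \
    --from-file=ca.crt="$1" --dry-run=client -o yaml
}

# Constructed placeholder bundles (not real certificates; only the PEM
# structure matters to the check above).
WORK=$(mktemp -d)
GOOD_PEM=$WORK/good.pem
BAD_PEM=$WORK/leaked-key.pem
printf '%s\n' \
  '-----BEGIN CERTIFICATE-----' 'MIIBconstructedRootCA' '-----END CERTIFICATE-----' \
  '-----BEGIN CERTIFICATE-----' 'MIIBconstructedIntermediate' '-----END CERTIFICATE-----' \
  > "$GOOD_PEM"
printf '%s\n' \
  '-----BEGIN CERTIFICATE-----' 'MIIBconstructed' '-----END CERTIFICATE-----' \
  '-----BEGIN PRIVATE KEY-----' 'MIIEconstructed' '-----END PRIVATE KEY-----' \
  > "$BAD_PEM"

# Usage: sh ca-check.sh --live /path/to/tpp-ca-bundle.pem
if [ "${1:-}" = "--live" ]; then
  ca_configmap_manifest "${2:-$GOOD_PEM}"
fi
```

Pipe the rendered manifest into kubectl apply once you are happy with it; the dry run is there so the bundle is inspected before anything lands in the cluster.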

Wait for the Installation to become ready:

kubectl wait --for=condition=Ready installation/venafi-installation

This should not take more than a few minutes.

Observe information about the created components and resources in the Installation status conditions:

kubectl get installation venafi-installation -ojsonpath='{range .status.conditions[*]}{"type:"}{.type}{" status:"}{.status}{" reason:"}{.reason}{" message:"}{.message}{"\n"}{end}'

Observe created VenafiClusterIssuer and CertificateRequestPolicy:

kubectl get venaficlusterissuer,certificaterequestpolicy -oyaml

Create a Certificate resource that uses the new issuer:

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: venafi-certificate
spec:
  secretName: venafi-certificate
  commonName: example.com
  issuerRef:
    name: web-issuer
    kind: VenafiClusterIssuer
    group: jetstack.io
EOF

Wait for the certificate to get issued:

kubectl wait --for condition=Ready=True certificate/venafi-certificate
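A Ready certificate alone does not tell you that the approval path is the one this Installation sets up. Because the default approver is disabled, every CertificateRequest should carry an Approved condition set by approver-policy, not by cert-manager's built-in approver. The script below is an added example (not code from the TLS Protect for Kubernetes docs or operator) that checks both the Installation conditions and the approval reason on each CertificateRequest. It assumes the condition line format produced by the jsonpath template on this page, and that approver-policy-enterprise records its approval with reason policy.cert-manager.io (the reason used by the open-source approver-policy) while cert-manager's default approver uses reason cert-manager.io. The sample condition lines and the policy name in them are constructed, not captured from a cluster.

```shell
#!/bin/sh
# Post-install verification for the Installation/Certificate flow above.
# Added example, not code from the TLS Protect for Kubernetes docs or operator.
#
# Condition lines are expected in the format produced by the jsonpath
# template used on this page:
#   type:<T> status:<S> reason:<R> message:<M>
# one condition per line; everything after "message:" is free text.

JSONPATH_CONDITIONS='{range .status.conditions[*]}{"type:"}{.type}{" status:"}{.status}{" reason:"}{.reason}{" message:"}{.message}{"\n"}{end}'

# all_conditions_true: read condition lines from stdin. Return 0 only when at
# least one condition was seen and every status is True; report the others.
all_conditions_true() {
  seen=0 bad=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    seen=$((seen + 1))
    status=$(printf '%s\n' "$line" | sed -n 's/^type:[^ ]* status:\([^ ]*\) .*/\1/p')
    if [ "$status" != "True" ]; then
      printf 'NOT READY: %s\n' "$line" >&2
      bad=1
    fi
  done
  [ "$seen" -gt 0 ] || { echo 'no conditions reported yet' >&2; return 1; }
  return "$bad"
}

# approved_by_policy: read a CertificateRequest's condition lines from stdin.
# Assumption: approver-policy(-enterprise) approves with reason
# "policy.cert-manager.io"; cert-manager's built-in approver uses reason
# "cert-manager.io". With the default approver disabled, as in this
# Installation, only the former should ever appear.
# Returns 0 policy-approved, 1 default-approver, 2 no Approved condition, 3 denied.
approved_by_policy() {
  result=2
  while IFS= read -r line; do
    case "$line" in
      'type:Denied status:True '*)
        printf 'DENIED: %s\n' "$line" >&2; return 3 ;;
      'type:Approved status:True reason:policy.cert-manager.io '*)
        result=0 ;;
      'type:Approved status:True reason:cert-manager.io '*)
        printf 'WARNING: approved by the cert-manager default approver, not by a CertificateRequestPolicy: %s\n' "$line" >&2
        result=1 ;;
    esac
  done
  return "$result"
}

# Live wrappers: need kubectl and a cluster, only run with --live.
installation_conditions() { kubectl get installation "$1" -o jsonpath="$JSONPATH_CONDITIONS"; }
certificaterequest_conditions() { kubectl get "$1" -o jsonpath="$JSONPATH_CONDITIONS"; }

# Constructed sample condition lines (not captured from a real cluster) for an
# offline self-check; the policy name "web-issuer" in the message is a placeholder.
SAMPLE_INSTALLATION='type:Ready status:True reason:Ready message:all components ready'
SAMPLE_CR_POLICY='type:Approved status:True reason:policy.cert-manager.io message:Approved by CertificateRequestPolicy: "web-issuer"
type:Ready status:True reason:Issued message:Certificate fetched from issuer successfully'
SAMPLE_CR_DEFAULT='type:Approved status:True reason:cert-manager.io message:Certificate request has been approved by cert-manager.io
type:Ready status:True reason:Issued message:Certificate fetched from issuer successfully'
SAMPLE_CR_DENIED='type:Denied status:True reason:policy.cert-manager.io message:No CertificateRequestPolicy approved this request'

# Usage: sh verify.sh --live   (without --live, only the offline self-check runs)
if [ "${1:-}" = "--live" ]; then
  echo "== installation/venafi-installation"
  installation_conditions venafi-installation | all_conditions_true
  for cr in $(kubectl get certificaterequest -o name); do
    echo "== $cr"
    certificaterequest_conditions "$cr" | approved_by_policy && echo "approved by a CertificateRequestPolicy"
  done
else
  printf '%s\n' "$SAMPLE_CR_POLICY" | approved_by_policy && echo "self-check: sample request approved by policy"
fi
```

If the live run prints the default-approver warning, the cert-manager installation is not the one this Installation manages (or its default approver was re-enabled), and the CertificateRequestPolicy is not actually gating issuance.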
