Configuring venafi-enhanced-issuer

Learn about different ways to configure venafi-enhanced-issuer using VenafiClusterIssuer and VenafiIssuer custom resources.

Introduction

venafi-enhanced-issuer has two custom resources: VenafiIssuer and VenafiClusterIssuer.

VenafiClusterIssuer is a cluster-scoped resource and does not have a namespace. Any VenafiConnection CR referenced by a VenafiClusterIssuer MUST be in the jetstack-secure namespace, or which ever namespace you installed venafi-enhanced-issuer in.

VenafiIssuer is a "namespaced" resource. Any VenafiConnection CR referenced by a VenafiIssuer MUST be in the same namespace as the VenafiIssuer resource or MUST be in a namespace explicitly allowed in the VenafiConnection CR definition.

The custom resources definitions for VenafiIssuer and VenafiClusterIssuer are added to your Kubernetes API server when you install venafi-enhanced-issuer.

Configuring how venafi-enhanced-issuer connects to the Venafi Control Plane

venafi-enhanced-issuer uses VenafiConnection CRs to determine how to connect to the Venafi Control Plane. The configuring venafi-connection documentation explains how to create these VenafiConnection CRs.

VenafiClusterIssuer

For the snippet below, we assume that the following VenafiConnection CR exist:
namespace: jetstack-secure name: application-team-1-connection

apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: application-team-1-ingress-certs
spec:
  venafiConnectionName: application-team-1-connection
  zone: \VED\Policy\Teams\application-team-1\ingress-certs

VenafiIssuer - same namespace

For the snippet below, we assume that the following VenafiConnection CR exist:
namespace: application-team-1 name: application-team-1-connection

apiVersion: jetstack.io/v1alpha1
kind: VenafiIssuer
metadata:
  name: ingress-certs
  namespace: application-team-1
spec:
  venafiConnectionName: application-team-1-connection
  zone: \VED\Policy\Teams\application-team-1\ingress-certs

VenafiIssuer - cross namespace

For the snippet below, we assume that the following VenafiConnection CR exist:
namespace: jetstack-secure name: application-team-1-connection
The allowReferencesFrom field of this VenafiConnection must be configured to allow VenafiIssuer resources in the application-team-1 namespace to use it, cross namespace VenafiConnection references describe how to configure the VenafiConnection CR for this use case.

apiVersion: jetstack.io/v1alpha1
kind: VenafiIssuer
metadata:
  name: ingress-certs
  namespace: application-team-1
spec:
  venafiConnectionName: application-team-1-connection
  venafiConnectionNamespace: jetstack-secure
  zone: \VED\Policy\Teams\application-team-1\ingress-certs

Customize the CertificateName logic

In Venafi TLS Protect Datacenter, each certificate object has a unique name. Two certificates with the same name are grouped in the same certificate object. The last requested certificate is seen as the current state of the certificate object. Older certificates are put in the history of the certificate object. This is very handy to track the history of a certificate. However, it is crucial that certificates are correctly grouped. Therefore, the unique name has to be chosen carefully. The certificateNameExpression field allows you to specify a custom expression for determining the appropriate certificate object name.

For example, the certificateName can be based on the namespace and name of the CertificateRequest/ Kubernetes CSR:

apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: my-venafi-issuer
spec:
  venafiConnectionName: my-venafi-connection
  certificateNameExpression: >-
    request.namespace + "_" + request.name

It can also be based on the attributes of the CSR and/ or the annotations of the resource:

apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: my-venafi-issuer
spec:
  venafiConnectionName: my-venafi-connection
  certificateNameExpression: >-
    optional.none().
      or(
        request.
          annotations[?"venafi.cert-manager.io/custom-fields"].
          orValue("[]").
          parseJSON().
          filter(x, x.name == "field-name-2")[?0].
          value
      ).
      or(request.?commonName).
      or(request.subject.organization[?0]).
      or(request.dnsNames[?0]).
      or(request.uris[?0]).
      or(request.emailAddresses[?0]).
      or(request.ipAddresses[?0]).
      value()

You can find more information using the following command:

kubectl explain venafiissuer.spec.certificateNameExpression

Next Steps

• Read more Reference Documentation for venafi-connection to learn about different configuration use-cases and to read the full API documentation and CLI documentation.