Installing js-operator (Preview)
js-operator is a tool to manage the configuration and installation of TLS Protect for Kubernetes (previously Jetstack Secure) components and resources. Read more about why you would want to use it here.
Preparing the cluster
The js-operator expects to manage all TLS Protect for Kubernetes components and cert-manager [Cluster]Issuers and CertificateRequestPolicys. If the cluster already contains TLS Protect for Kubernetes component installations, they should be uninstalled and reinstalled using the operator's Installation resource.
We are working on additional functionality to make it easier to convert existing resources, such as cert-manager issuer configuration to the operator's configuration format.
Will I have to uninstall my certificates?
The js-operator expects to manage the cert-manager CRDs. Currently, users have to uninstall the cert-manager CRDs when migrating to the operator-managed installation. This means that cert-manager Certificate custom resources will be deleted and will have to be re-applied. Temporarily removing Certificates is possible without losing the actual TLS certificates stored in Secrets; see the cert-manager backup and restore guide[1].
Installing the operator
The js-operator installation consists of the Installation CustomResourceDefinition, the js-operator and cainjector[2] Deployments, ServiceAccounts and RBAC.
The operator is packaged as a Helm chart.
The operator image used in the manifests is published to the private TLS Protect for Kubernetes Enterprise GCR at eu.gcr.io/jetstack-secure-enterprise/js-operator. Image pull secrets are available from the TLS Protect for Kubernetes web UI. Alternatively, you can use jsctl to obtain the credentials from the command line.
Installing with Helm
Preparation
- Make sure you have JSE GCR credentials available.
- Create a jetstack-secure namespace:

```shell
kubectl create ns jetstack-secure
```

- Create a secret jse-gcr-creds in the jetstack-secure namespace with credentials for the JSE GCR:

```shell
kubectl create -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: jse-gcr-creds
  namespace: jetstack-secure
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ...
EOF
```

- Create a Helm release:

```shell
helm upgrade --install \
  js-operator \
  oci://eu.gcr.io/jetstack-secure-enterprise/charts/js-operator \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --namespace jetstack-secure \
  --set images.secret.enabled=true \
  --set images.secret.name=jse-gcr-creds \
  --version v0.0.1-alpha.28
```

- Wait for the js-operator and cainjector Deployments to become ready before proceeding with TLS Protect for Kubernetes component configuration:

```shell
kubectl wait deployment \
  --selector app.kubernetes.io/instance=js-operator \
  --for=condition=Available=true \
  --namespace jetstack-secure
```
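The following script is an added example, not part of this documentation or of the js-operator project. It ties the preparation steps above together with the Certificate backup described under "Will I have to uninstall my certificates?": it validates the image pull secret manifest before it is applied (a Secret of the wrong type, or a payload without an auth entry for eu.gcr.io, leaves the operator pods unable to pull their image), exports the cert-manager resources that disappear with the CRDs, and then runs the Helm install and wait commands from the page. The function names and the RUN_INSTALL switch are the example's own; the registry host, chart reference, namespace, secret name and chart version are the ones given above. The jsctl registry config is written to a temporary file rather than a bash process substitution so the script also runs under plain sh. The sample manifest it checks is constructed inline with a placeholder token.

```shell
#!/bin/sh
# Added example (not from the TLS Protect for Kubernetes docs or the js-operator
# project): pre-flight check of the pull secret manifest, cert-manager backup,
# then the install commands from the page. Function names and RUN_INSTALL are
# this example's own conventions.
set -eu

# Validate a Secret manifest before it is applied. An imagePullSecret that is
# not of type kubernetes.io/dockerconfigjson, or whose payload lacks an auth
# entry for the registry host, leaves the operator pods in ImagePullBackOff.
# Usage: check_pull_secret_manifest <manifest-file> [registry-host]
check_pull_secret_manifest() {
  manifest="$1"
  registry="${2:-eu.gcr.io}"
  grep -q '^type: kubernetes.io/dockerconfigjson$' "$manifest" || {
    echo "$manifest: type is not kubernetes.io/dockerconfigjson" >&2
    return 1
  }
  payload=$(sed -n 's/^ *\.dockerconfigjson: *//p' "$manifest")
  [ -n "$payload" ] || {
    echo "$manifest: missing data/.dockerconfigjson" >&2
    return 1
  }
  decoded=$(printf '%s' "$payload" | base64 -d 2>/dev/null) || {
    echo "$manifest: .dockerconfigjson is not valid base64" >&2
    return 1
  }
  printf '%s' "$decoded" | grep -qF "\"$registry\"" || {
    echo "$manifest: no auth entry for $registry in docker config" >&2
    return 1
  }
}

# Export the cert-manager resources that are deleted together with the CRDs,
# so Certificates can be re-applied once the operator manages cert-manager.
# Usage: backup_cert_manager_resources <output-file>
backup_cert_manager_resources() {
  kubectl get --all-namespaces -o yaml \
    issuers,clusterissuers,certificates,certificaterequests > "$1"
}

# The Helm install and readiness wait from the page. Assumes the
# jetstack-secure namespace and the real jse-gcr-creds Secret already exist.
install_js_operator() {
  regcfg=$(mktemp)
  jsctl registry auth output --format=dockerconfig > "$regcfg"
  helm upgrade --install \
    js-operator \
    oci://eu.gcr.io/jetstack-secure-enterprise/charts/js-operator \
    --registry-config "$regcfg" \
    --namespace jetstack-secure \
    --set images.secret.enabled=true \
    --set images.secret.name=jse-gcr-creds \
    --version v0.0.1-alpha.28
  rm -f "$regcfg"
  # Both the js-operator and cainjector Deployments carry the release label.
  kubectl wait deployment \
    --selector app.kubernetes.io/instance=js-operator \
    --for=condition=Available=true \
    --timeout=180s \
    --namespace jetstack-secure
}

# Constructed sample input, not a real credential: a docker config with a
# placeholder auth entry for eu.gcr.io, base64-encoded as the Secret expects.
SAMPLE_DOCKERCONFIG='{"auths":{"eu.gcr.io":{"auth":"PLACEHOLDER-NOT-A-REAL-TOKEN"}}}'
SAMPLE_B64=$(printf '%s' "$SAMPLE_DOCKERCONFIG" | base64 | tr -d '\n')
GOOD_MANIFEST=$(mktemp)
BAD_MANIFEST=$(mktemp)
trap 'rm -f "$GOOD_MANIFEST" "$BAD_MANIFEST"' EXIT
cat > "$GOOD_MANIFEST" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: jse-gcr-creds
  namespace: jetstack-secure
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $SAMPLE_B64
EOF
# Same payload, wrong type: kubelet does not use an Opaque Secret to pull images.
sed 's/^type: .*/type: Opaque/' "$GOOD_MANIFEST" > "$BAD_MANIFEST"

check_pull_secret_manifest "$GOOD_MANIFEST"
echo "sample pull secret manifest looks valid"

# Only talk to a cluster when explicitly asked.
if [ "${RUN_INSTALL:-0}" = 1 ]; then
  backup_cert_manager_resources cert-manager-backup.yaml
  install_js_operator
fi
```

Run it as-is to exercise only the offline manifest check; run it with RUN_INSTALL=1 against a cluster where the namespace and the real pull secret from the steps above already exist. The backup covers the Certificate objects only: by default cert-manager does not delete a Certificate's Secret when the Certificate is deleted, but if cert-manager was started with --enable-certificate-owner-ref the Secrets are owned by their Certificates and should be exported as well before the CRDs are removed.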
With jsctl
The js-operator can also be installed and configured using jsctl.
Compatibility
TLS Protect for Kubernetes Components
The operator supports a range of versions for all components. This table contains the default version of each component that gets installed. To view other available versions refer to the Installation CR spec. We aim to default to the latest version of each component.
| TLS Protect for Kubernetes Operator | cert-manager | approver-policy | approver-policy-enterprise | venafi-enhanced-issuer | trust-manager | cert-manager/csi-driver | istio-csr | cert-manager/csi-driver-spiffe |
|---|---|---|---|---|---|---|---|---|
| v0.0.1-alpha.28 | v1.12.1 | v0.7.0 | v0.9.0 | v0.5.0 | v0.5.0 | v0.5.0 | v0.6.0 | v0.4.0 |
Operator Supported Kubernetes Versions
| TLS Protect for Kubernetes Operator | Kubernetes |
|---|---|
| v0.0.1-alpha.28 | 1.20 - 1.27 |
[2] Deployment of the Jetstack Secure Operator includes the cert-manager cainjector. This is used to configure CA certificates for the js-operator validating admission webhook. js-operator also removes cainjector from the cert-manager installation, to avoid a clash.