Important Announcement!

This deprecated version of TLS Protect for Kubernetes, originally known as Jetstack Secure, will be PERMANENTLY SHUT DOWN on May 19, 2025. If you're still using this version, please work with your CyberArk/Venafi account team to transition to the current version of TLS Protect for Kubernetes.

Installing venafi-enhanced-issuer

Learn about the different ways to install venafi-enhanced-issuer in your cluster using Helm.

Introduction

venafi-enhanced-issuer is a software component of TLS Protect for Kubernetes. It has a Docker image and a Helm chart which are hosted at the TLS Protect for Kubernetes enterprise OCI registry. In this section you will learn about the different ways to install venafi-enhanced-issuer in your cluster using Helm.

Docker Images

  • Private Docker image: eu.gcr.io/jetstack-secure-enterprise/venafi-enhanced-issuer.
  • Private Helm registry: oci://eu.gcr.io/jetstack-secure-enterprise/charts.

Prerequisites

  • You will need access to a Venafi Control Plane (VaaS or TPP) instance.
  • You will need permission to install Helm charts and CRDs on your Kubernetes cluster.
  • cert-manager must be installed in your cluster.
  • kubectl and helm >= 3.8.0 must be installed on your local computer.

Configure access to the enterprise registry

🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.

For the example below, we assume you created the following Kubernetes Secret:

  • namespace: jetstack-secure
  • name: jse-gcr-creds

Create trusted CA bundles

If you intend to use venafi-enhanced-issuer with a Venafi Control Plane instance or a HashiCorp Vault instance whose serving certificate was signed by your company's private CA, you need to tell venafi-enhanced-issuer which CA certificates to trust.

📝 Unlike cert-manager, which has the caBundle field, venafi-enhanced-issuer requires you to mount the CA certificates to be trusted in venafi-enhanced-issuer's file system (at /etc/ssl/certs) using ConfigMap resources.

To configure the CA certificates to trust, first create a ConfigMap in the jetstack-secure namespace for each CA bundle. Then reference those ConfigMaps in the trustedCaBundles field of the Helm values. That field lists the ConfigMap resources (and the key in each that holds the PEM bundle) to be mounted at /etc/ssl/certs in the pod.

For the example below, we assume you created the following Kubernetes ConfigMap resources:

  • namespace: jetstack-secure, name: ca-cert-tpp
  • namespace: jetstack-secure, name: ca-cert-vault
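Because the configMapKey in the Helm values has to match the key under which each ConfigMap stores its PEM bundle, it helps to generate the ConfigMaps and the values snippet from one place. The following shell script is an added example, not part of this page or of the venafi-enhanced-issuer project: it checks that a PEM file actually contains at least one certificate (an empty or mislabelled bundle would otherwise be silently mounted into /etc/ssl/certs and trust nothing), renders a ConfigMap manifest in the jetstack-secure namespace keyed ca.crt, and emits the matching trustedCaBundles section. The file names tpp-ca.pem and vault-ca.pem are assumptions, and the PEM bodies written in the demo are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the venafi-enhanced-issuer docs): render trusted-CA
# ConfigMaps and the matching Helm values from one list of PEM bundles.
set -eu

NAMESPACE=jetstack-secure
KEY=ca.crt   # must equal configMapKey in the Helm values

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none or missing).
count_certs() {
  cnt=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
  echo "${cnt:-0}"
}

# render_configmap NAME FILE: print a ConfigMap manifest holding FILE under $KEY.
# Fails if the file holds no certificate, so a bad bundle is caught before it
# is mounted into the issuer's /etc/ssl/certs.
render_configmap() {
  cm_name=$1; cm_file=$2
  n=$(count_certs "$cm_file")
  [ "$n" -gt 0 ] || { echo "error: $cm_file contains no PEM certificates" >&2; return 1; }
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  %s: |\n' \
    "$cm_name" "$NAMESPACE" "$KEY"
  sed 's/^/    /' "$cm_file"   # indent the PEM under the block scalar
}

# render_values NAME...: print the trustedCaBundles section of the values file
# for the given ConfigMap names, always using $KEY so the two cannot drift apart.
render_values() {
  printf 'venafiEnhancedIssuer:\n  manager:\n    trustedCaBundles:\n'
  for cm_name in "$@"; do
    printf '      - configMapName: %s\n        configMapKey: %s\n' "$cm_name" "$KEY"
  done
}

# Demo on constructed placeholder bundles (not real certificates).
WORK=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed-placeholder...' '-----END CERTIFICATE-----' \
  > "$WORK/tpp-ca.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed-placeholder...' '-----END CERTIFICATE-----' \
  > "$WORK/vault-ca.pem"
render_configmap ca-cert-tpp   "$WORK/tpp-ca.pem"   > "$WORK/ca-cert-tpp.yaml"
render_configmap ca-cert-vault "$WORK/vault-ca.pem" > "$WORK/ca-cert-vault.yaml"
render_values ca-cert-tpp ca-cert-vault > "$WORK/trusted-ca.values.yaml"
echo "manifests written to $WORK; apply them with kubectl apply -f $WORK/ca-cert-tpp.yaml -f $WORK/ca-cert-vault.yaml"
```

Replace the placeholder PEM files with your real CA bundles (each may contain several certificates), apply the two ConfigMap manifests, and merge the generated trustedCaBundles section into venafi-enhanced-issuer.values.yaml; a file that fails the certificate count check is rejected instead of being rendered.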

Upgrade

To upgrade from a pre-v0.3.0 installation to a version >= v0.3.0, some migration steps are required. An ad-hoc migration plan can be obtained by contacting the development team.

Deploying venafi-enhanced-issuer using Helm

Here we install venafi-enhanced-issuer in the jetstack-secure namespace and configure it to use the pull-secret that we created earlier. Additionally, we specify the CA bundles venafi-enhanced-issuer should trust.

Create a file called: venafi-enhanced-issuer.values.yaml containing the following content:

# venafi-enhanced-issuer.values.yaml
global:
  imagePullSecrets:
    - name: jse-gcr-creds
venafiConnection:
  include: true # set to `false` if VenafiConnection CRDs & RBAC are already installed
venafiEnhancedIssuer:
  manager:
    # The trustedCaBundles allows you to specify additional CA certificate
    # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA
    # certificates are present in the image by default at
    # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled.
    trustedCaBundles:
      - configMapName: ca-cert-tpp
        configMapKey: ca.crt
      - configMapName: ca-cert-vault
        configMapKey: ca.crt

Use Helm to install the software and wait for it to be ready:

helm upgrade venafi-enhanced-issuer oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-enhanced-issuer \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --install \
  --wait \
  --namespace jetstack-secure \
  --values venafi-enhanced-issuer.values.yaml \
  --version v0.8.0

If you will be using approver-policy or approver-policy-enterprise, no further action is required. Otherwise, you will need to let cert-manager auto-approve the CertificateRequests that reference the VenafiClusterIssuer and VenafiIssuer types with the following RBAC:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-approve:venafi-enhanced-issuer
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["signers"]
    verbs: ["approve"]
    resourceNames: ["venafiissuers.jetstack.io/*", "venaficlusterissuers.jetstack.io/*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-approve:venafi-enhanced-issuer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-approve:venafi-enhanced-issuer
subjects:
  - name: cert-manager
    namespace: jetstack-secure
    kind: ServiceAccount
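The resourceNames in the ClusterRole above end in "/*" because cert-manager checks approval permission against a signer name derived from the CertificateRequest's issuerRef, and for a namespaced issuer that name carries the namespace as well as the issuer name. The following shell functions are an added example, not part of this page or of the venafi-enhanced-issuer project; they assume cert-manager's documented signer-name scheme (resource.group/namespace.name for namespaced issuers, resource.group/name for cluster-scoped ones) and the jetstack.io API group of the VenafiIssuer and VenafiClusterIssuer types, and reproduce the two resourceNames patterns so you can predict, before applying the RBAC, whether a given issuer reference will be auto-approved. The issuer names used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the venafi-enhanced-issuer docs): derive the
# cert-manager signer name for an issuerRef and check it against the
# resourceNames patterns granted by the ClusterRole above.
set -eu

# signer_name KIND NAMESPACE NAME
# Assumed from cert-manager's approval rules:
#   <resource>.<group>/<namespace>.<name>  for namespaced issuers
#   <resource>.<group>/<name>              for cluster-scoped issuers
# Only the two issuer kinds installed by this chart are handled; anything
# else (for example a cert-manager.io Issuer) is rejected explicitly.
signer_name() {
  kind=$1; ns=$2; name=$3
  case "$kind" in
    VenafiIssuer)        echo "venafiissuers.jetstack.io/$ns.$name" ;;
    VenafiClusterIssuer) echo "venaficlusterissuers.jetstack.io/$name" ;;
    *) echo "unsupported issuer kind: $kind" >&2; return 1 ;;
  esac
}

# is_approvable SIGNER: succeeds when SIGNER matches one of the ClusterRole's
# resourceNames ("venafiissuers.jetstack.io/*", "venaficlusterissuers.jetstack.io/*").
# The wildcard after the slash is what lets a single rule cover every
# namespace.name combination.
is_approvable() {
  case "$1" in
    venafiissuers.jetstack.io/*|venaficlusterissuers.jetstack.io/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo with constructed issuer names.
for ref in "VenafiIssuer team-a tpp-issuer" "VenafiClusterIssuer - corp-pki"; do
  # shellcheck disable=SC2086
  set -- $ref
  s=$(signer_name "$1" "$2" "$3")
  if is_approvable "$s"; then
    echo "$s: auto-approved by the ClusterRole"
  else
    echo "$s: NOT covered by the ClusterRole"
  fi
done
```

A CertificateRequest whose issuerRef points at a cert-manager.io Issuer maps to a signer outside these patterns, so the rule above grants nothing for it; that separation is the point of scoping resourceNames to the two Venafi issuer types rather than to "*".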

Next Steps
