Installing venafi-enhanced-issuer
Learn about the different ways to install venafi-enhanced-issuer in your cluster using Helm.
Introduction
venafi-enhanced-issuer is a software component of TLS Protect for Kubernetes. It has a Docker image and a Helm chart which are hosted at the TLS Protect for Kubernetes enterprise OCI registry. In this section you will learn about the different ways to install venafi-enhanced-issuer in your cluster using Helm.
Docker Images
- Private Docker image: eu.gcr.io/jetstack-secure-enterprise/venafi-enhanced-issuer.
- Private Helm registry: oci://eu.gcr.io/jetstack-secure-enterprise/charts.
Prerequisites
- You will need access to a Venafi Control Plane (VaaS or TPP) instance.
- You will need permission to install Helm charts and CRDs on your Kubernetes cluster.
- You should install cert-manager in your cluster.
- You should install kubectl and helm >= 3.8.0 on your local computer.
Configure access to the enterprise registry
🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.
For the example below, we assume you created the following Kubernetes Secret:
  namespace: jetstack-secure
  name: jse-gcr-creds
Create trusted CA bundles
If you aim to use venafi-enhanced-issuer with a Venafi Control Plane instance or HashiCorp Vault instance that is served by a certificate that was signed by your company's private CA, you will want to tell venafi-enhanced-issuer which CA certificates to trust.
📝 Unlike cert-manager, which has the caBundle field, venafi-enhanced-issuer requires you to mount the CA certificates to be trusted in venafi-enhanced-issuer's file system (at /etc/ssl/certs) using ConfigMap resources.
To configure the CA certificates to trust, first create a ConfigMap in the jetstack-secure namespace. Then reference it in the trustedCaBundles field of the Helm chart values. That field specifies which ConfigMap resources are mounted at /etc/ssl/certs in the pod.
For the example below, we assume you created the following Kubernetes ConfigMap resources:
  namespace: jetstack-secure
  name: ca-cert-tpp

  namespace: jetstack-secure
  name: ca-cert-vault
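Each of the ConfigMap resources assumed above must hold the CA certificate under the ca.crt key, because that is the configMapKey the values file references. As an added example that is not part of this documentation, the following POSIX shell script generates such a manifest from a PEM file and refuses to package a file that carries a private key; the function name, the demo file and its placeholder body are assumptions.

```shell
#!/bin/sh
# Added example, not from the venafi-enhanced-issuer documentation: build the
# ConfigMap manifests referenced by trustedCaBundles from PEM files on disk.
set -eu

# ca_bundle_configmap NAME PEM_FILE
# Prints a ConfigMap in the jetstack-secure namespace whose single data key is
# ca.crt, matching configMapKey in the values file. Fails if the file has no
# CERTIFICATE block, or if it carries a private key, so key material is never
# published into a (non-secret) ConfigMap by mistake.
ca_bundle_configmap() {
  name=$1
  pem=$2
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
    echo "error: $pem contains no PEM certificate" >&2
    return 1
  fi
  if grep -q -- 'PRIVATE KEY-----' "$pem"; then
    echo "error: $pem contains a private key; refusing to package it" >&2
    return 1
  fi
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: jetstack-secure\ndata:\n  ca.crt: |\n' "$name"
  # Indent every PEM line by four spaces so it sits inside the block scalar.
  sed 's/^/    /' "$pem"
}

# Demo on a constructed placeholder PEM (not a real certificate) so the script
# runs offline; in practice pass the CA file exported from your TPP or Vault
# host and pipe the output to: kubectl apply -f -
demo_pem=$(mktemp)
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-BASE64-BODY\n-----END CERTIFICATE-----\n' > "$demo_pem"
ca_bundle_configmap ca-cert-tpp "$demo_pem"
rm -f "$demo_pem"
```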
Upgrade
To upgrade from a pre-v0.3.0 installation to a version >= v0.3.0, some migration steps are required. An ad-hoc migration plan can be obtained by contacting the development team.
Deploying venafi-enhanced-issuer using Helm
Here we install venafi-enhanced-issuer in the jetstack-secure namespace and configure it to use the pull-secret that we created earlier. Additionally, we specify the CA bundles venafi-enhanced-issuer should trust.
Create a file called: venafi-enhanced-issuer.values.yaml containing the following content:
# venafi-enhanced-issuer.values.yaml
global:
  imagePullSecrets:
  - name: jse-gcr-creds
venafiConnection:
  include: true # set to `false` if VenafiConnection CRDs & RBAC are already installed
venafiEnhancedIssuer:
  manager:
    # The trustedCaBundles allows you to specify additional CA certificate
    # bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA
    # certificates are present in the image by default at
    # /etc/ssl/certs/ca-certificates.crt, and cannot be disabled.
    trustedCaBundles:
    - configMapName: ca-cert-tpp
      configMapKey: ca.crt
    - configMapName: ca-cert-vault
      configMapKey: ca.crt
Use Helm to install the software and wait for it to be ready:
helm upgrade venafi-enhanced-issuer oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-enhanced-issuer \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --install \
  --wait \
  --namespace jetstack-secure \
  --values venafi-enhanced-issuer.values.yaml \
  --version v0.8.0
🔰 Read about Helm 3 support for OCI package distribution.
If you will be using approver-policy or approver-policy-enterprise, no further action is required. Otherwise, you will need to let cert-manager auto-approve the CertificateRequests that reference the VenafiClusterIssuer and VenafiIssuer types with the following RBAC:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-approve:venafi-enhanced-issuer
rules:
- apiGroups: ["cert-manager.io"]
  resources: ["signers"]
  verbs: ["approve"]
  resourceNames: ["venafiissuers.jetstack.io/*", "venaficlusterissuers.jetstack.io/*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-approve:venafi-enhanced-issuer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-approve:venafi-enhanced-issuer
subjects:
- name: cert-manager
  namespace: jetstack-secure
  kind: ServiceAccount
Next Steps
- Read Reference Documentation for venafi-enhanced-issuer to learn about different configuration use-cases and to read the full API documentation and CLI documentation.
- Read Self Service SSL Certificates for Application Teams (Without Storing Credentials in Kubernetes Secrets), an academy course for venafi-enhanced-issuer.