Important Announcement!

This deprecated version of TLS Protect for Kubernetes, originally known as Jetstack Secure, will be PERMANENTLY SHUTDOWN on May 19, 2025. If you're still using this version, please work with your CyberArk/Venafi account team to transition to the current version of TLS Protect for Kubernetes.

Installing venafi-oauth-helper

Prerequisites

This assumes that you have access to a Venafi Trust Protection Platform (TPP) instance. venafi-oauth-helper is known to work with Venafi TPP 20.4 and above.

To be able to use venafi-oauth-helper, you need to have access to a Kubernetes cluster. venafi-oauth-helper will require access to all Secret resources in your cluster.

You should install cert-manager in your cluster. It will later be configured to use the access token generated by venafi-oauth-helper.

You should install kubectl, helm >= 3.8.0, and vcert >= 4.19.0 on your local machine.

Docker Images

The Docker images for venafi-oauth-helper are published to a private Docker registry at eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper and there is a Helm chart published to a private Helm registry at oci://eu.gcr.io/jetstack-secure-enterprise/charts.

There are multi-architecture Docker images (image indexes) for the following platforms: linux/amd64, linux/arm, linux/arm64, linux/ppc64le and linux/s390x.

There are also FIPS-compliant Docker images available at eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper-fips, and these carry the same version tags as the main Docker images.

Configure access to the enterprise registry

🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.

Deploying venafi-oauth-helper using Helm

There is a Helm chart for venafi-oauth-helper in a private registry at oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-oauth-helper.

Here we install it in the jetstack-secure namespace and configure it to use the pull-secret that we created earlier.

helm upgrade --install venafi-oauth-helper \
oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-oauth-helper \
--registry-config <(jsctl registry auth output --format=dockerconfig) \
--wait \
--create-namespace \
--namespace jetstack-secure \
--set 'global.imagePullSecrets[0].name=jse-gcr-creds' \
--version v0.3.1

⚠️ Helm 3.8.0 or above is required to be able to use the oci:// protocol. If you are using Helm 3.7, you can still use the feature by setting HELM_EXPERIMENTAL_OCI=1. Alternatively, you can download the venafi-oauth-helper Helm package (.tgz) from the releases page and install it from the local file.

🔰 Read about Helm 3 support for OCI package distribution.
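The prerequisites note that venafi-oauth-helper needs access to all Secret resources in the cluster. After installing, it is worth confirming that this grant reaches only the helper's own service account and nothing else. The script below is an added example, not code from the venafi-oauth-helper project: it takes the JSON printed by `kubectl get clusterrole,clusterrolebinding,role,rolebinding -A -o json` and reports every subject that is bound to a role touching Secrets, together with the verbs and whether the grant is cluster-wide or namespaced. The embedded RBAC objects are constructed sample data; the role, binding and service account names in it are illustrative and are not the chart's actual names.

```python
"""Added example (not venafi-oauth-helper project code): report who can act on Secrets."""
import json

# Constructed sample in the shape of `kubectl get clusterrole,clusterrolebinding,role,rolebinding -A -o json`.
# Object names are hypothetical placeholders, not the names the Helm chart creates.
SAMPLE_RBAC = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "venafi-oauth-helper-manager-role"},
         "rules": [
             {"apiGroups": [""], "resources": ["secrets"],
              "verbs": ["get", "list", "watch", "create", "update", "patch"]},
             {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
              "verbs": ["get", "create", "update"]},
         ]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "venafi-oauth-helper-manager-rolebinding"},
         "roleRef": {"kind": "ClusterRole", "name": "venafi-oauth-helper-manager-role"},
         "subjects": [{"kind": "ServiceAccount", "name": "venafi-oauth-helper", "namespace": "jetstack-secure"}]},
        {"kind": "Role", "metadata": {"name": "reader", "namespace": "dev"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
        {"kind": "RoleBinding", "metadata": {"name": "reader", "namespace": "dev"},
         "roleRef": {"kind": "Role", "name": "reader"},
         "subjects": [{"kind": "User", "name": "alice"}]},
    ],
})


def _secret_verbs(rules):
    """Collect the verbs a rule set grants on core-group secrets (wildcards included)."""
    verbs = set()
    for rule in rules:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if ("" in groups or "*" in groups) and ("secrets" in resources or "*" in resources):
            verbs.update(rule.get("verbs", []))
    return verbs


def secret_access(rbac_json: str) -> dict:
    """Return {(subject, scope): sorted verbs} for every subject bound to a Secret-touching role.

    scope is "cluster-wide" for a ClusterRoleBinding, otherwise the binding's namespace
    (a RoleBinding that references a ClusterRole only grants inside its own namespace).
    """
    items = json.loads(rbac_json)["items"]
    roles = {}
    for it in items:
        meta = it["metadata"]
        if it["kind"] == "ClusterRole":
            roles[("ClusterRole", None, meta["name"])] = _secret_verbs(it.get("rules", []))
        elif it["kind"] == "Role":
            roles[("Role", meta["namespace"], meta["name"])] = _secret_verbs(it.get("rules", []))

    result = {}
    for it in items:
        if it["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ref = it["roleRef"]
        ns = it["metadata"].get("namespace")
        key = (ref["kind"], None if ref["kind"] == "ClusterRole" else ns, ref["name"])
        verbs = roles.get(key, set())
        if not verbs:
            continue
        scope = "cluster-wide" if it["kind"] == "ClusterRoleBinding" else ns
        for subj in it.get("subjects", []):
            name = subj["name"]
            if subj["kind"] == "ServiceAccount":
                # Render service accounts the way the API server names them.
                name = f"system:serviceaccount:{subj.get('namespace', ns)}:{subj['name']}"
            result[(name, scope)] = sorted(verbs)
    return result


if __name__ == "__main__":
    for (subject, scope), verbs in secret_access(SAMPLE_RBAC).items():
        print(f"{subject:60} {scope:14} {', '.join(verbs)}")
```

Run it against a live cluster by replacing SAMPLE_RBAC with the output of the kubectl command in the lead-in; any subject other than the helper's service account that shows up with cluster-wide write verbs on Secrets deserves a second look.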

Use FIPS-compliant Docker images

You can use the FIPS-compliant Docker images by overriding the controllerManager.manager.image.repository value of the Helm chart. E.g.:

VERSION=v0.3.0
helm upgrade venafi-oauth-helper oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-oauth-helper \
--registry-config <(jsctl registry auth output --format=dockerconfig) \
--wait \
--install \
--create-namespace \
--namespace jetstack-secure \
--set 'global.imagePullSecrets[0].name=jse-gcr-creds' \
--version $VERSION \
--set controllerManager.manager.image.repository=eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper-fips

You should see that venafi-oauth-helper logs a version number with the suffix -fips when it starts up. The command below reads the logs of a release named demo in the venafi-oauth-helper-system namespace; substitute the namespace and deployment name from your own install (the commands above use the jetstack-secure namespace and the release name venafi-oauth-helper). Piping through jl, a JSON log pretty-printer, is optional:

kubectl -n venafi-oauth-helper-system logs deploy/demo-venafi-oauth-helper-controller-manager | jl
[2022-03-17 13:25:54] INFO: starting [client-id=cert-manager.io enable-leader-election=true features= logger=setup metrics-addr=127.0.0.1:8080 version=v0.3.0-fips]
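Reading the suffix off the log line by eye is fine once, but a repeatable check should confirm both that the Deployment is pulling from the FIPS repository and that the running binary reports a -fips version. The script below is an added example, not code from the venafi-oauth-helper project: it parses the key=value block of the startup line shown above, strips the tag or digest from an image reference, and returns a list of findings (empty when both checks pass). The startup line is copied from this page; the image reference is a constructed sample, and the checks assume the FIPS build always reports its version with the -fips suffix, as the page's output shows.

```python
"""Added example (not venafi-oauth-helper project code): verify a FIPS deployment."""
import re

# Repository the page says the FIPS images are published to.
FIPS_REPOSITORY = "eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper-fips"

# Startup line as printed through `jl` on the page, and a constructed image
# reference of the kind found in the Deployment's container spec.
SAMPLE_LOG = ("[2022-03-17 13:25:54] INFO: starting [client-id=cert-manager.io "
              "enable-leader-election=true features= logger=setup "
              "metrics-addr=127.0.0.1:8080 version=v0.3.0-fips]")
SAMPLE_IMAGE = FIPS_REPOSITORY + ":v0.3.0"


def parse_startup_fields(line: str) -> dict:
    """Return the key=value pairs from the trailing [...] block of a startup log line."""
    m = re.search(r"\[([^\[\]]*)\]\s*$", line)
    if not m:
        raise ValueError("no key=value block at end of line")
    fields = {}
    for token in m.group(1).split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r}")
        fields[key] = value  # empty values (features=) are kept as ""
    return fields


def is_fips_version(version: str) -> bool:
    """True for version strings such as v0.3.0-fips, as the page's output shows."""
    return version.endswith("-fips")


def image_repository(image_ref: str) -> str:
    """Strip the digest and tag from an image reference, leaving the repository.

    A tag colon must come after the last '/', so a registry port (host:5000/repo)
    is not mistaken for a tag.
    """
    repo = image_ref.split("@", 1)[0]
    last_slash = repo.rfind("/")
    colon = repo.rfind(":")
    if colon > last_slash:
        repo = repo[:colon]
    return repo


def verify_fips_deployment(image_ref: str, startup_line: str) -> list:
    """Return findings for a Deployment image and the controller's startup line."""
    findings = []
    if image_repository(image_ref) != FIPS_REPOSITORY:
        findings.append(f"image {image_ref} is not from {FIPS_REPOSITORY}")
    version = parse_startup_fields(startup_line).get("version", "")
    if not is_fips_version(version):
        findings.append(f"running version {version!r} lacks the -fips suffix")
    return findings


if __name__ == "__main__":
    problems = verify_fips_deployment(SAMPLE_IMAGE, SAMPLE_LOG)
    print("FIPS checks passed" if not problems else "\n".join(problems))
```

On a real cluster, feed it the image from `kubectl get deploy ... -o jsonpath='{.spec.template.spec.containers[0].image}'` and the first startup line from the controller's logs; checking the image repository catches a values override that was silently dropped, which the log suffix alone would also reveal but only after the pod has started.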

Next Steps

Continue with our Academy course for venafi-oauth-helper:
