Installing venafi-oauth-helper
Prerequisites
This assumes that you have access to a Venafi Trust Protection Platform (TPP) instance. venafi-oauth-helper is known to work with Venafi TPP 20.4 and above.
To be able to use venafi-oauth-helper, you need to have access to a Kubernetes cluster. venafi-oauth-helper will require access to all Secret resources in your cluster.
You should install cert-manager in your cluster. It will later be configured to use the access token generated by venafi-oauth-helper.
You should install kubectl, helm >= 3.8.0, and vcert >= 4.19.0 on your local machine.
Docker Images
The Docker images for venafi-oauth-helper are published to a private Docker registry at eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper and there is a Helm chart published to a private Helm registry at oci://eu.gcr.io/jetstack-secure-enterprise/charts.
There are multi-architecture Docker images, with image indexes for the following platforms:
- linux/amd64
- linux/arm
- linux/arm64
- linux/ppc64le
- linux/s390x
There are also FIPS compliant Docker images available at eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper-fips and these have the same version tags as the main Docker images.
Configure access to the enterprise registry
🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.
Deploying venafi-oauth-helper using Helm
There is a Helm chart for venafi-oauth-helper in a private registry at oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-oauth-helper.
Here we install it in the jetstack-secure namespace and configure it to use the pull-secret that we created earlier.
helm upgrade --install venafi-oauth-helper \
  oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-oauth-helper \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --wait \
  --create-namespace \
  --namespace jetstack-secure \
  --set 'global.imagePullSecrets[0].name=jse-gcr-creds' \
  --version v0.3.1
⚠️ Helm 3.8.0 or above is required to be able to use the oci:// protocol. If you are using Helm 3.7, you can still use the feature by setting HELM_EXPERIMENTAL_OCI=1. Alternatively, you can download the cert-discovery-venafi.tgz Helm package on the releases page.
🔰 Read about Helm 3 support for OCI package distribution.
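The prerequisites above require helm >= 3.8.0 (for native oci:// support) and vcert >= 4.19.0. The following pre-flight script is an added example, not part of the venafi-oauth-helper project or the Jetstack Secure tooling: it encodes only the minimums stated on this page, classifies the local Helm into the three cases described in the warning (native OCI, 3.7 with HELM_EXPERIMENTAL_OCI=1, or unsupported), and checks vcert. It assumes that `helm version --template '{{.Version}}'` prints the Helm version and that `vcert -version` prints a dotted version somewhere in its output; both invocations are only made when the script is started with `--run`.

```shell
#!/bin/sh
# Added pre-flight check for the venafi-oauth-helper install on this page.
# Not project code; it only encodes the minimum versions stated above:
#   helm  >= 3.8.0  (oci:// without HELM_EXPERIMENTAL_OCI)
#   vcert >= 4.19.0

# normalize_version V : drop a leading "v" and any pre-release/build suffix
#   v3.8.0-rc.1  -> 3.8.0      v3.10.2+g1234 -> 3.10.2
normalize_version() {
  printf '%s' "$1" | sed -e 's/^v//' -e 's/[-+].*$//'
}

# version_ge A B : succeeds when dotted version A >= B (numeric, up to 3 parts,
# so 3.10.2 correctly sorts above 3.8.0, unlike a plain string compare)
version_ge() {
  a="$1"; b="$2"; i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# helm_oci_mode V : prints how this Helm can pull the oci:// chart
#   native       -> 3.8.0 or later, oci:// works out of the box
#   experimental -> 3.7.x, needs HELM_EXPERIMENTAL_OCI=1
#   unsupported  -> older, use the .tgz package from the releases page
helm_oci_mode() {
  v=$(normalize_version "$1")
  if version_ge "$v" 3.8.0; then echo native
  elif version_ge "$v" 3.7.0; then echo experimental
  else echo unsupported
  fi
}

# vcert_ok V : succeeds when vcert meets the 4.19.0 minimum
vcert_ok() {
  version_ge "$(normalize_version "$1")" 4.19.0
}

# preflight : query the real tools (assumed CLI output formats, see lead-in)
preflight() {
  hv=$(helm version --template '{{.Version}}' 2>/dev/null) || { echo "helm: not found"; return 1; }
  case $(helm_oci_mode "$hv") in
    native)       echo "helm $hv: oci:// supported" ;;
    experimental) echo "helm $hv: set HELM_EXPERIMENTAL_OCI=1 to use oci://" ;;
    *)            echo "helm $hv: too old, need >= 3.8.0"; return 1 ;;
  esac
  vv=$(vcert -version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
  [ -n "$vv" ] || { echo "vcert: not found"; return 1; }
  vcert_ok "$vv" && echo "vcert $vv: ok" || { echo "vcert $vv: too old, need >= 4.19.0"; return 1; }
  command -v kubectl >/dev/null || { echo "kubectl: not found"; return 1; }
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as `sh preflight.sh --run` before the helm upgrade command above; a non-zero exit means one of the stated prerequisites is not met.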
Use FIPS compliant Docker images
You can use the FIPS compliant Docker images by overriding the controllerManager.manager.image.repository value of the Helm chart. E.g.:
VERSION=v0.3.0
helm upgrade venafi-oauth-helper oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-oauth-helper \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --wait \
  --install \
  --create-namespace \
  --namespace jetstack-secure \
  --set 'global.imagePullSecrets[0].name=jse-gcr-creds' \
  --version $VERSION \
  --set controllerManager.manager.image.repository=eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper-fips
You should see that venafi-oauth-helper logs a version number with the suffix -fips when it starts up:
kubectl -n venafi-oauth-helper-system logs deploy/demo-venafi-oauth-helper-controller-manager | jl
[2022-03-17 13:25:54] INFO: starting [client-id=cert-manager.io enable-leader-election=true features= logger=setup metrics-addr=127.0.0.1:8080 version=v0.3.0-fips]
Next Steps
Continue with our Academy course for venafi-oauth-helper: