Configuring venafi-enhanced-issuer
Learn about different ways to configure venafi-enhanced-issuer using VenafiClusterIssuer and VenafiIssuer custom resources.
Introduction
venafi-enhanced-issuer has two custom resources: VenafiIssuer and VenafiClusterIssuer.
VenafiClusterIssuer is a cluster-scoped resource and does not have a namespace. Any VenafiConnection CR referenced by a VenafiClusterIssuer MUST be in the jetstack-secure namespace, or whichever namespace you installed venafi-enhanced-issuer in.
VenafiIssuer is a "namespaced" resource. Any VenafiConnection CR referenced by a VenafiIssuer MUST be in the same namespace as the VenafiIssuer resource or MUST be in a namespace explicitly allowed in the VenafiConnection CR definition.
The custom resource definitions for VenafiIssuer and VenafiClusterIssuer are added to your Kubernetes API server when you install venafi-enhanced-issuer.
Configuring how venafi-enhanced-issuer connects to the Venafi Control Plane
venafi-enhanced-issuer uses VenafiConnection CRs to determine how to connect to the Venafi Control Plane. The configuring venafi-connection documentation explains how to create these VenafiConnection CRs.
VenafiClusterIssuer
For the snippet below, we assume that the following VenafiConnection CR exists:
namespace: jetstack-secure
name: application-team-1-connection

apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: application-team-1-ingress-certs
spec:
  venafiConnectionName: application-team-1-connection
  zone: \VED\Policy\Teams\application-team-1\ingress-certs
VenafiIssuer - same namespace
For the snippet below, we assume that the following VenafiConnection CR exists:
namespace: application-team-1
name: application-team-1-connection

apiVersion: jetstack.io/v1alpha1
kind: VenafiIssuer
metadata:
  name: ingress-certs
  namespace: application-team-1
spec:
  venafiConnectionName: application-team-1-connection
  zone: \VED\Policy\Teams\application-team-1\ingress-certs
VenafiIssuer - cross namespace
For the snippet below, we assume that the following VenafiConnection CR exists:
namespace: jetstack-secure
name: application-team-1-connection
The allowReferencesFrom field of this VenafiConnection must be configured to allow VenafiIssuer resources in the application-team-1 namespace to use it. The cross namespace VenafiConnection references documentation describes how to configure the VenafiConnection CR for this use case.
apiVersion: jetstack.io/v1alpha1
kind: VenafiIssuer
metadata:
  name: ingress-certs
  namespace: application-team-1
spec:
  venafiConnectionName: application-team-1-connection
  venafiConnectionNamespace: jetstack-secure
  zone: \VED\Policy\Teams\application-team-1\ingress-certs
Customize the CertificateName logic
In Venafi TLS Protect Datacenter, each certificate object has a unique name. Two certificates with the same name are grouped in the same certificate object. The last requested certificate is seen as the current state of the certificate object. Older certificates are put in the history of the certificate object. This is very handy to track the history of a certificate. However, it is crucial that certificates are correctly grouped. Therefore, the unique name has to be chosen carefully. The certificateNameExpression field allows you to specify a custom expression for determining the appropriate certificate object name.
For example, the certificate name can be based on the namespace and name of the CertificateRequest or Kubernetes CSR:

apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: my-venafi-issuer
spec:
  venafiConnectionName: my-venafi-connection
  certificateNameExpression: >-
    request.namespace + "_" + request.name
It can also be based on the attributes of the CSR and/or the annotations of the resource. The expression below tries each candidate in order and uses the first one that is set:

apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: my-venafi-issuer
spec:
  venafiConnectionName: my-venafi-connection
  certificateNameExpression: >-
    optional.none()
    .or(request.annotations[?"venafi.cert-manager.io/custom-fields"].orValue("[]").parseJSON().filter(x, x.name == "field-name-2")[?0].value)
    .or(request.?commonName)
    .or(request.subject.organization[?0])
    .or(request.dnsNames[?0])
    .or(request.uris[?0])
    .or(request.emailAddresses[?0])
    .or(request.ipAddresses[?0])
    .value()
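To see how the two expressions above pick a name, and why that choice decides which certificates end up grouped in one Venafi certificate object, here is an added Python model of the evaluation order (illustrative code written for this page, not venafi-enhanced-issuer's CEL evaluator; the `request` shape, helper names and sample values are constructed):

```python
import json

ANNOTATION = "venafi.cert-manager.io/custom-fields"

def req(namespace, name, **fields):
    """Constructed `request`-like dict with the attributes the expressions read;
    anything not given is absent or empty, as on a real CSR."""
    base = {"namespace": namespace, "name": name, "annotations": {},
            "commonName": None, "subject": {"organization": []},
            "dnsNames": [], "uris": [], "emailAddresses": [], "ipAddresses": []}
    base.update(fields)
    return base

# Constructed sample requests: two namespaces share a commonName, one request
# carries the custom-fields annotation, one has only a URI SAN.
REQUESTS = [
    req("application-team-1", "ingress-certs-abc12", commonName="www.example.com",
        annotations={ANNOTATION: '[{"name": "field-name-2", "value": "payments-edge"}]'}),
    req("application-team-1", "ingress-certs-def34", commonName="www.example.com"),
    req("application-team-2", "ingress-certs-ghi56", commonName="www.example.com"),
    req("batch", "worker-xyz78", uris=["spiffe://cluster.local/ns/batch/sa/worker"]),
]

def namespace_name(request):
    """Model of: request.namespace + "_" + request.name"""
    return f'{request["namespace"]}_{request["name"]}'

def custom_field(request, field_name):
    """Model of the annotation lookup: parse the JSON list, keep entries whose
    name matches, return the first value or None (the empty optional)."""
    raw = request["annotations"].get(ANNOTATION, "[]")
    matches = [x for x in json.loads(raw) if x.get("name") == field_name]
    return matches[0]["value"] if matches else None

def first(seq):
    return seq[0] if seq else None  # models the [?0] optional index

def attribute_chain(request):
    """Model of the optional.none().or(...)...value() chain: first set candidate wins."""
    candidates = [custom_field(request, "field-name-2"), request.get("commonName"),
                  first(request["subject"]["organization"]), first(request["dnsNames"]),
                  first(request["uris"]), first(request["emailAddresses"]),
                  first(request["ipAddresses"])]
    for candidate in candidates:
        if candidate is not None:
            return candidate
    raise ValueError("no candidate set")  # .value() on an empty optional fails

def group_by_name(requests, expression):
    """Which CertificateRequests would share one Venafi certificate object."""
    groups = {}
    for request in requests:
        groups.setdefault(expression(request), []).append(request["name"])
    return groups
```

Grouping the sample requests with `attribute_chain` puts the two team namespaces' `www.example.com` requests into one certificate object, so each renewal overwrites the other's current state; `namespace_name` keeps them apart.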
You can find more information using the following command:
kubectl explain venafiissuer.spec.certificateNameExpression
Next Steps
- Read the venafi-connection reference documentation to learn about different configuration use cases, and see the full API documentation and CLI documentation.