Configuring venafi-enhanced-issuer

Learn about different ways to configure venafi-enhanced-issuer using VenafiClusterIssuer and VenafiIssuer custom resources.



Introduction

venafi-enhanced-issuer has two custom resources: VenafiIssuer and VenafiClusterIssuer.

VenafiClusterIssuer is a cluster-scoped resource and does not have a namespace. Any VenafiConnection CR referenced by a VenafiClusterIssuer MUST be in the jetstack-secure namespace, or whichever namespace you installed venafi-enhanced-issuer in.

VenafiIssuer is a "namespaced" resource. Any VenafiConnection CR referenced by a VenafiIssuer MUST be in the same namespace as the VenafiIssuer resource or MUST be in a namespace explicitly allowed in the VenafiConnection CR definition.

The custom resources definitions for VenafiIssuer and VenafiClusterIssuer are added to your Kubernetes API server when you install venafi-enhanced-issuer.

Configuring how venafi-enhanced-issuer connects to the Venafi Control Plane

venafi-enhanced-issuer uses VenafiConnection CRs to determine how to connect to the Venafi Control Plane. The configuring venafi-connection documentation explains how to create these VenafiConnection CRs.

VenafiClusterIssuer

For the snippet below, we assume that the following VenafiConnection CR exists:
  namespace: jetstack-secure
  name: application-team-1-connection

apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: application-team-1-ingress-certs
spec:
  venafiConnectionName: application-team-1-connection
  zone: \VED\Policy\Teams\application-team-1\ingress-certs

VenafiIssuer - same namespace

For the snippet below, we assume that the following VenafiConnection CR exists:
  namespace: application-team-1
  name: application-team-1-connection

apiVersion: jetstack.io/v1alpha1
kind: VenafiIssuer
metadata:
  name: ingress-certs
  namespace: application-team-1
spec:
  venafiConnectionName: application-team-1-connection
  zone: \VED\Policy\Teams\application-team-1\ingress-certs

VenafiIssuer - cross namespace

For the snippet below, we assume that the following VenafiConnection CR exists:
  namespace: jetstack-secure
  name: application-team-1-connection
The allowReferencesFrom field of this VenafiConnection must be configured to allow VenafiIssuer resources in the application-team-1 namespace to use it. The cross-namespace VenafiConnection references documentation describes how to configure the VenafiConnection CR for this use case.

apiVersion: jetstack.io/v1alpha1
kind: VenafiIssuer
metadata:
  name: ingress-certs
  namespace: application-team-1
spec:
  venafiConnectionName: application-team-1-connection
  venafiConnectionNamespace: jetstack-secure
  zone: \VED\Policy\Teams\application-team-1\ingress-certs
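The three reference patterns above (cluster issuer, same-namespace issuer, cross-namespace issuer) can be checked before anything is applied. The Python script below is an added example, not code from venafi-enhanced-issuer: it resolves where the controller will look for the VenafiConnection named by each issuer using the rules stated on this page (a VenafiClusterIssuer uses the install namespace; a VenafiIssuer uses spec.venafiConnectionNamespace if set, otherwise its own namespace) and flags a cross-namespace reference that the connection does not permit. The issuer manifests are this page's three snippets as plain dicts, the install namespace is assumed to be jetstack-secure, and the set of namespaces each connection allows is passed in as a constructed input, because the allowReferencesFrom schema itself is documented on the venafi-connection page rather than here.

```python
"""Pre-flight check for VenafiConnection references.

Added illustration, not code from venafi-enhanced-issuer. The rules encoded here are
the ones stated on this page; the allowReferencesFrom schema is documented elsewhere,
so the namespaces a connection allows references from are passed in as a plain set.
"""
from dataclasses import dataclass

INSTALL_NAMESPACE = "jetstack-secure"  # assumption: default install namespace


@dataclass(frozen=True)
class ConnectionRef:
    namespace: str         # namespace the controller will look in
    name: str              # VenafiConnection name
    cross_namespace: bool  # True when allowReferencesFrom must permit the issuer's namespace


def resolve_connection_ref(issuer: dict, install_namespace: str = INSTALL_NAMESPACE) -> ConnectionRef:
    """Return where venafi-enhanced-issuer will look for the issuer's VenafiConnection."""
    kind = issuer.get("kind")
    spec = issuer.get("spec", {})
    name = spec.get("venafiConnectionName")
    if not name:
        raise ValueError("spec.venafiConnectionName is required")
    if kind == "VenafiClusterIssuer":
        # Cluster-scoped: the connection must live in the install namespace.
        return ConnectionRef(install_namespace, name, cross_namespace=False)
    if kind == "VenafiIssuer":
        own_ns = issuer.get("metadata", {}).get("namespace")
        if not own_ns:
            raise ValueError("VenafiIssuer requires metadata.namespace")
        target_ns = spec.get("venafiConnectionNamespace", own_ns)
        return ConnectionRef(target_ns, name, cross_namespace=(target_ns != own_ns))
    raise ValueError(f"unsupported kind {kind!r}")


def find_problems(issuers: list, connections: dict) -> list:
    """connections maps (namespace, name) -> set of namespaces allowed by allowReferencesFrom."""
    problems = []
    for issuer in issuers:
        label = f"{issuer.get('kind')}/{issuer.get('metadata', {}).get('name')}"
        try:
            ref = resolve_connection_ref(issuer)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
            continue
        allowed = connections.get((ref.namespace, ref.name))
        if allowed is None:
            problems.append(f"{label}: VenafiConnection {ref.name} not found in namespace {ref.namespace}")
        elif ref.cross_namespace and issuer["metadata"]["namespace"] not in allowed:
            problems.append(
                f"{label}: VenafiConnection {ref.namespace}/{ref.name} does not allow "
                f"references from namespace {issuer['metadata']['namespace']}"
            )
    return problems


# Constructed inputs: the three issuers from this page plus one that should be rejected.
CLUSTER_ISSUER = {"apiVersion": "jetstack.io/v1alpha1", "kind": "VenafiClusterIssuer",
                  "metadata": {"name": "application-team-1-ingress-certs"},
                  "spec": {"venafiConnectionName": "application-team-1-connection",
                           "zone": r"\VED\Policy\Teams\application-team-1\ingress-certs"}}
SAME_NS_ISSUER = {"apiVersion": "jetstack.io/v1alpha1", "kind": "VenafiIssuer",
                  "metadata": {"name": "ingress-certs", "namespace": "application-team-1"},
                  "spec": {"venafiConnectionName": "application-team-1-connection",
                           "zone": r"\VED\Policy\Teams\application-team-1\ingress-certs"}}
CROSS_NS_ISSUER = {"apiVersion": "jetstack.io/v1alpha1", "kind": "VenafiIssuer",
                   "metadata": {"name": "ingress-certs", "namespace": "application-team-1"},
                   "spec": {"venafiConnectionName": "application-team-1-connection",
                            "venafiConnectionNamespace": "jetstack-secure",
                            "zone": r"\VED\Policy\Teams\application-team-1\ingress-certs"}}
# Constructed: a team-2 issuer trying to borrow team-1's connection across namespaces.
TEAM2_ISSUER = {"kind": "VenafiIssuer",
                "metadata": {"name": "ingress-certs", "namespace": "application-team-2"},
                "spec": {"venafiConnectionName": "application-team-1-connection",
                         "venafiConnectionNamespace": "jetstack-secure"}}

# Constructed inventory: (namespace, name) -> namespaces the connection allows references from.
CONNECTIONS = {
    ("jetstack-secure", "application-team-1-connection"): {"application-team-1"},
    ("application-team-1", "application-team-1-connection"): set(),
}

if __name__ == "__main__":
    for problem in find_problems([CLUSTER_ISSUER, SAME_NS_ISSUER, CROSS_NS_ISSUER, TEAM2_ISSUER], CONNECTIONS):
        print(problem)
```

Run as-is, the script reports only the team-2 issuer, which points at a connection in jetstack-secure that was never opened up to application-team-2; the three issuers taken from this page resolve cleanly. The inventory of connections would in practice be read from the cluster, but keeping it as an explicit set makes the allow-list decision reviewable on its own.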

Customize the CertificateName logic

In Venafi TLS Protect Datacenter, each certificate object has a unique name. Two certificates with the same name are grouped in the same certificate object. The last requested certificate is seen as the current state of the certificate object. Older certificates are put in the history of the certificate object. This is very handy for tracking the history of a certificate. However, it is crucial that certificates are correctly grouped. Therefore, the unique name has to be chosen carefully. The certificateNameExpression field allows you to specify a custom expression for determining the appropriate certificate object name.

For example, the certificateName can be based on the namespace and name of the CertificateRequest / Kubernetes CSR:

apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: my-venafi-issuer
spec:
  venafiConnectionName: my-venafi-connection
  certificateNameExpression: >-
    request.namespace + "_" + request.name

It can also be based on the attributes of the CSR and/or the annotations of the resource:

apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: my-venafi-issuer
spec:
  venafiConnectionName: my-venafi-connection
  certificateNameExpression: >-
    optional.none().
    or(
      request.
      annotations[?"venafi.cert-manager.io/custom-fields"].
      orValue("[]").
      parseJSON().
      filter(x, x.name == "field-name-2")[?0].
      value
    ).
    or(request.?commonName).
    or(request.subject.organization[?0]).
    or(request.dnsNames[?0]).
    or(request.uris[?0]).
    or(request.emailAddresses[?0]).
    or(request.ipAddresses[?0]).
    value()
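Because the certificate object name decides which certificates share one history, it is worth seeing what the two expressions above actually produce for different requests before the issuer is deployed. The Python below is an added example, not code from venafi-enhanced-issuer (which evaluates the CEL expression itself): it re-implements the semantics of both expressions, the namespace-plus-name form and the fallback chain (custom-fields annotation, then commonName, organization, dnsNames, uris, emailAddresses, ipAddresses), and runs them over constructed request dicts. Two edge cases the chain has are handled the way the CEL would behave: a malformed custom-fields annotation makes parseJSON(), and therefore the whole expression, fail, and a request with none of the attributes makes the final value() fail. The sample request names carry a per-request suffix on purpose, to make visible that a name derived from such a field changes on every request and so defeats the grouping the paragraph describes.

```python
"""Python model of the two certificateNameExpression examples shown above.

Added illustration, not code from venafi-enhanced-issuer, which evaluates the CEL
expression itself. The request dicts are constructed and use the attribute names the
expressions refer to (namespace, name, annotations, commonName, subject, dnsNames, ...).
"""
import json

CUSTOM_FIELDS_ANNOTATION = "venafi.cert-manager.io/custom-fields"


def _first(values):
    """Mirror CEL's list[?0]: the first element, or None when the list is empty."""
    return values[0] if values else None


def custom_field_value(annotations: dict, field_name: str):
    """Mirror annotations[?...].orValue("[]").parseJSON().filter(...)[?0].value."""
    raw = annotations.get(CUSTOM_FIELDS_ANNOTATION, "[]")
    try:
        fields = json.loads(raw)
    except json.JSONDecodeError as exc:
        # parseJSON() fails on malformed input, and with it the whole expression.
        raise ValueError(f"{CUSTOM_FIELDS_ANNOTATION} is not valid JSON: {exc}") from exc
    match = _first([f for f in fields if isinstance(f, dict) and f.get("name") == field_name])
    return None if match is None else match.get("value")


def namespaced_certificate_name(request: dict) -> str:
    """The first expression on this page: request.namespace + "_" + request.name."""
    return f"{request['namespace']}_{request['name']}"


def fallback_certificate_name(request: dict, field_name: str = "field-name-2") -> str:
    """The second expression: the first present candidate wins; none at all is an error,
    matching value() being called on an empty optional."""
    candidates = (
        lambda: custom_field_value(request.get("annotations", {}), field_name),
        lambda: request.get("commonName"),
        lambda: _first(request.get("subject", {}).get("organization", [])),
        lambda: _first(request.get("dnsNames", [])),
        lambda: _first(request.get("uris", [])),
        lambda: _first(request.get("emailAddresses", [])),
        lambda: _first(request.get("ipAddresses", [])),
    )
    for candidate in candidates:
        value = candidate()
        if value:  # assumption: an absent field and an empty string are treated alike
            return value
    raise ValueError("no attribute available to name the certificate object")


# Constructed sample requests (names carry a per-request suffix, as generated names often do).
REQ_WITH_CUSTOM_FIELD = {
    "namespace": "application-team-1", "name": "ingress-certs-abc12",
    "annotations": {CUSTOM_FIELDS_ANNOTATION: json.dumps([
        {"name": "field-name-1", "value": "cost-centre-42"},
        {"name": "field-name-2", "value": "ingress-certs"},
    ])},
    "commonName": "ingress.example.com",
}
REQ_CN_ONLY = {"namespace": "application-team-1", "name": "ingress-certs-def34",
               "commonName": "ingress.example.com", "dnsNames": ["ingress.example.com"]}
REQ_SANS_ONLY = {"namespace": "application-team-1", "name": "ingress-certs-ghi56",
                 "dnsNames": ["api.example.com", "www.example.com"]}
REQ_EMPTY = {"namespace": "application-team-1", "name": "ingress-certs-jkl78"}

if __name__ == "__main__":
    for req in (REQ_WITH_CUSTOM_FIELD, REQ_CN_ONLY, REQ_SANS_ONLY):
        print(namespaced_certificate_name(req), "->", fallback_certificate_name(req))
```

Running it shows the contrast: the namespace-plus-name expression yields a different object name for each of the three requests, while the fallback chain maps the first two to the same stable name and names the third after its first DNS SAN. Whichever expression you pick, check it against the requests your workloads actually generate, since a name that drifts between renewals splits history, and one that collides across teams merges it.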

You can find more information using the following command:

kubectl explain venafiissuer.spec.certificateNameExpression
