Installing cert-manager using Helm and CyberArk OCI registries
Note
For information about different installation options, see the cert-manager open-source documentation Installing cert-manager with Helm.
This section discusses installing cert-manager using Helm.
Step 1: Configure access to the CyberArk OCI registry
Configure access to the CyberArk OCI registry. Follow the instructions in Configuring access to the CyberArk OCI Registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.
The sample file below, for example, assumes you created a Kubernetes Secret using venafi as the namespace and venafi-image-pull-secret as the name of the secret.
Step 2: (Optional) Configure custom CA bundles
If you are using the open-source issuer rather than Enterprise Issuer for CyberArk Certificate Manager, there are two ways of setting up a custom CA bundle for use with Certificate Manager - Self-Hosted or Certificate Manager - SaaS.
You can add the base64-encoded CA bundle directly into the Issuer or ClusterIssuer manifest:

    apiVersion: cert-manager.io/v1
    kind: Issuer
    spec:
      venafi:
        tpp:
          caBundle: <base64 encoded string of caBundle PEM file>

Alternatively, you can load the CA bundle from a ConfigMap:
- First, use kubectl to add the custom CA bundle to a ConfigMap:

      kubectl --namespace venafi create configmap ca-cert --from-file=ca-cert.crt=<file-name>

- Configure the volumes and volumeMounts in a cert-manager-ca-certificates.values.yaml file:

  cert-manager-ca-certificates.values.yaml

      volumes:
        - name: ca-cert
          configMap:
            name: ca-cert
      volumeMounts:
        - name: ca-cert
          mountPath: /etc/ssl/certs/ca-cert.crt
          # subPath must match the key stored in the ConfigMap
          subPath: ca-cert.crt
          readOnly: true

Step 3: Install cert-manager using Helm
- To install cert-manager in the venafi namespace and configure it to use a pull secret, create cert-manager.values.yaml.

  If using your own registry, uncomment and set imageRegistry and imageNamespace for the Helm chart to resolve image references.

  cert-manager.values.yaml

      global:
        imagePullSecrets:
          - name: venafi-image-pull-secret
      crds:
        enabled: true
      # Add the following only if using your own registry
      # imageRegistry: myregistry.example.com
      # imageNamespace: cert-manager

- Use Helm to install cert-manager and wait for it to be ready.
  - Registry URL: In the Helm command, replace registry-example.com with either the CyberArk OCI registry URL for your region or your own registry URL.

      helm upgrade cert-manager oci://registry-example.com/charts/cert-manager \
        --install \
        --wait \
        --create-namespace \
        --namespace venafi \
        --values cert-manager.values.yaml \
        --version v1.20.0

Prior to cert-manager v1.20, you specify the full image repository path for each component in the values file and enter a registry URL.
- To install cert-manager in the venafi namespace and configure it to use a pull secret, create cert-manager.values.yaml.

  In the following example, replace each instance of <registry-url.com> with either the CyberArk OCI registry URL for your region or your own registry URL.

  cert-manager.values.yaml

      global:
        imagePullSecrets:
          - name: venafi-image-pull-secret
      crds:
        enabled: true
      image:
        repository: <registry-url.com>/cert-manager/cert-manager-controller
      acmesolver:
        image:
          repository: <registry-url.com>/cert-manager/cert-manager-acmesolver
      webhook:
        image:
          repository: <registry-url.com>/cert-manager/cert-manager-webhook
      cainjector:
        image:
          repository: <registry-url.com>/cert-manager/cert-manager-cainjector
      startupapicheck:
        image:
          repository: <registry-url.com>/cert-manager/cert-manager-startupapicheck

- Use Helm to install cert-manager and wait for it to be ready:

      helm upgrade cert-manager oci://<registry-url.com>/charts/cert-manager \
        --install \
        --wait \
        --create-namespace \
        --namespace venafi \
        --values cert-manager.values.yaml \
        --version v1.19.4

Deploying cert-manager with custom CA trust bundles
If you want to deploy cert-manager with custom CA bundles (as shown in Step 2 above), replace the Helm command in step 3.2 with the following:

    helm upgrade cert-manager oci://<registry-url.com>/charts/cert-manager \
      --install \
      --wait \
      --create-namespace \
      --namespace venafi \
      --values cert-manager.values.yaml \
      --values cert-manager-ca-certificates.values.yaml \
      --version v1.20.0

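With the pre-v1.20 values file in Step 3, a missed repository override leaves that component pulling from the chart's default location instead of your registry. The script below is an added example, not part of the CyberArk documentation: it scans rendered manifests on stdin (for instance the output of helm template run with the same chart, values files and version) for image references outside a given registry. The function names and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the CyberArk docs). Reads rendered Kubernetes YAML on
# stdin and reports image references that are not served by the given registry.

# Print every image reference in the manifest, one per line. Covers `image:`
# fields and the controller's --acme-http01-solver-image argument, which is
# where the acmesolver image shows up in the rendered chart.
list_images() {
  sed -n \
    -e 's/^[[:space:]-]*image:[[:space:]]*//p' \
    -e 's/^.*--acme-http01-solver-image=//p' |
    tr -d "\"'" | sort -u
}

# Print images that do not start with "<registry>/"; return 1 if any exist.
# Matching on the trailing slash keeps registry-example.com.other.net from passing.
images_outside_registry() {
  registry=${1%/}
  bad=$(list_images | awk -v r="$registry/" 'NF && index($0, r) != 1')
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Constructed sample: the acmesolver override was forgotten in the values file.
sample_manifest() {
  cat <<'EOF'
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: cert-manager-controller
          image: "registry-example.com/cert-manager/cert-manager-controller:v1.19.4"
          args:
            - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.19.4
---
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: cert-manager-webhook
          image: "registry-example.com/cert-manager/cert-manager-webhook:v1.19.4"
EOF
}

sample_manifest | images_outside_registry registry-example.com ||
  echo "images above bypass the registry; fix the values file before installing" >&2
```

A non-zero return from images_outside_registry can gate the helm upgrade step in a pipeline.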
Next Steps
- See Installing Enterprise Issuer to learn how to install the Enterprise Issuer for CyberArk Certificate Manager.
- See Installing Enterprise Approver Policy to learn how to install the Enterprise Approver Policy for CyberArk Certificate Manager.