Many Red Hat OpenShift customers today rely on Venafi’s TLS Protect for Kubernetes to enforce policy controls over large numbers of machine identities in large-scale Kubernetes environments. As these organizations add clusters on Red Hat OpenShift, keeping automation high while retaining full security governance becomes increasingly complex. To reduce this complexity and improve governance, Red Hat OpenShift admins can use the newly available Venafi Control Plane Operator to deliver highly automated security controls, using dedicated Venafi components to provide policy approval and consistency for certificate issuance inside clusters.
What is the Venafi Control Plane Operator?
The Venafi Control Plane Operator is purpose-built to help Red Hat OpenShift customers install, maintain, and upgrade the Venafi cluster components that underpin smooth, streamlined machine identity management in clusters. These components include add-ons that improve how cert-manager is operated across multiple clusters; the Venafi Enhanced Issuer, which lets developers automate issuance through cert-manager while policy is enforced centrally; and Venafi Firefly, which adds crypto-agility and security in environments that need highly ephemeral workload identities issued at scale.
Built using the very popular Operator Framework, a Kubernetes-native approach for managing application deployment and operations, the Venafi Control Plane Operator simplifies the orchestration and improves overall security for machine identities in Kubernetes environments. Operators are a popular way to easily manage and deploy resources on Red Hat OpenShift environments, enabling platform admins to achieve greater operational consistency, enhance security measures and manage applications more efficiently. The Venafi Control Plane Operator is a certified Red Hat OpenShift Operator available in the Red Hat Ecosystem Catalog and can be easily accessed and installed by platform administrators.
Security-optimized cert-manager operation
Venafi’s add-ons for open source cert-manager give platform teams more control over how cert-manager automates certificate issuance and deployment in clusters. The Venafi Control Plane Operator helps ensure every instance of cert-manager is kept current and securely configured across an ever-expanding cluster estate, with certificates governed by policy expressed as Venafi’s Kubernetes custom resources.
Key Components of the Venafi Control Plane
The Venafi Control Plane offers essential enterprise components that can be deployed in Kubernetes environments to ensure highly streamlined machine identity security:
- cert-manager: An enterprise distribution of cert-manager for managing application certificates within clusters.
- Venafi Enhanced Issuer: Enables seamless certificate enrolment directly from the Venafi Control Plane.
- Venafi Firefly: A high-performance, lightweight workload identity issuer for ephemeral, high-scale workload environments.
- Venafi Kubernetes Agent: Provides real-time visibility into certificates and Kubernetes resources.
- Approver Policy: Approves or denies CertificateRequests against CertificateRequestPolicy resources defined in the cluster, so that only requests matching a policy the requester is allowed to use are issued.
- Approver Policy Enterprise: Extends Approver Policy with certificate policy definitions maintained centrally in TLS Protect and evaluated on each cluster.
- cert-manager CSI Driver: A CSI storage driver that requests certificates from cert-manager per pod and mounts the key and certificate as an ephemeral volume declared in the pod spec, avoiding long-lived Secrets.
- Trust Manager: Manages trust bundles in Kubernetes and Red Hat OpenShift clusters, reducing the overhead of managing TLS trust bundles.
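To make the Approver Policy entry above concrete, here is an added example (not from the original post, and not Venafi’s own documentation) of what an in-cluster policy looks like using the open source cert-manager approver-policy CertificateRequestPolicy CRD, together with the RBAC that allows cert-manager’s service account to use it. The issuer name `venafi-cluster-issuer`, the `example.com` domain, the duration and key-size limits, and the `venafi` namespace are assumptions chosen for illustration.

```yaml
# Added example, not from the original post: a CertificateRequestPolicy for
# the open source cert-manager approver-policy component, plus the RBAC that
# lets cert-manager's service account "use" it. The issuer name, domain,
# limits and namespace are assumptions chosen for illustration.
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: venafi-workloads-example-com
spec:
  # Only CertificateRequests that target this Venafi Enhanced Issuer are
  # evaluated by this policy.
  selector:
    issuerRef:
      name: venafi-cluster-issuer      # assumed issuer name
      kind: VenafiClusterIssuer
      group: jetstack.io
  allowed:
    commonName:
      value: "*.example.com"          # assumed domain
    dnsNames:
      values:
        - "*.example.com"
    usages:
      - server auth
      - client auth
  constraints:
    maxDuration: 24h                  # short-lived certificates only
    privateKey:
      algorithm: RSA
      minSize: 2048
---
# approver-policy only applies a policy if the requester is granted the
# "use" verb on it via RBAC.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-venafi-workloads-example-com
rules:
  - apiGroups: ["policy.cert-manager.io"]
    resources: ["certificaterequestpolicies"]
    verbs: ["use"]
    resourceNames: ["venafi-workloads-example-com"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: use-venafi-workloads-example-com
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-venafi-workloads-example-com
subjects:
  # CertificateRequests created from Certificate resources are made by
  # cert-manager itself, so bind its service account (assumed namespace).
  - kind: ServiceAccount
    name: cert-manager
    namespace: venafi
```

A practitioner should note the failure mode: once approver-policy is running, a CertificateRequest that matches no policy bound to its requester is denied rather than auto-approved, so policies and their RBAC bindings need to be in place before the default auto-approver is disabled.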
Installing Kubernetes components on Red Hat OpenShift
Venafi is committed to meeting all requirements for platform operation teams by offering multiple options for installing these components in Kubernetes environments. This provides platform teams with the flexibility to choose the option that suits their deployment preferences and needs.
- Helm Charts: Helm charts are a popular choice for platform teams to manage installations. Venafi provides Helm charts for all its enterprise components, allowing for easy and flexible installations using tools like Flux CD, Argo CD, or Kustomize. However, Helm has limitations regarding installation order, dependencies, and resource cleanup.
- Venafi Kubernetes Manifest and venctl CLI: This approach uses a CLI and manifest generator tool to define the desired state of deployments, making installation, maintenance, and upgrades straightforward. It supports distributed releases across multiple clusters, making it ideal for complex multi-cluster deployments.
- Venafi Control Plane Operator: This new operator framework-based approach simplifies the installation, maintenance, and upgrades of Venafi enterprise components on Kubernetes.
Simplified installation with the Venafi Control Plane Operator
The Venafi Control Plane Operator makes the installation and management of Venafi components on Kubernetes easier than ever. By leveraging VenafiInstall manifests, it defines the desired deployment state and applies it to the cluster. The operator offers several benefits:
- Deployment Packages: Platform operators can easily select and deploy necessary Venafi components tailored to their needs.
- Version Compatibility: Each release includes a set of default component versions tested together, ensuring compatibility.
- Version Pinning: Allows specifying precise component versions for consistent deployments across different environments.
- Distributed Releases: Manages releases across multiple Kubernetes clusters, facilitating complex multi-environment deployments.
- Seamless Upgrades: Ensures smooth transitions between component versions.
Getting started with the Venafi Control Plane Operator
The Venafi Control Plane Operator is available on the Red Hat OpenShift OperatorHub, allowing for straightforward deployment to OpenShift clusters. You can also find the Venafi Control Plane Operator in the Venafi Marketplace.
To deploy the certified Venafi Control Plane Operator, access your cluster’s web interface, navigate to Operators then to OperatorHub, and filter by "Venafi Control Plane Operator." Install the Operator, configure it to deploy the desired Venafi components using the provided “VenafiInstall” Custom Resource (CR) instance, and verify the deployment through the Topology page in the Developer perspective of the "venafi" namespace.
Free trial and documentation
The Venafi Control Plane Operator is available to all Venafi TLS Protect for Kubernetes customers. For those not yet customers, a free trial is available to experience how easy it is to manage TLS certificates in Kubernetes environments. Alternatively, contact the Venafi team to try out all the Kubernetes components discussed.
By introducing the Venafi Control Plane Operator, Venafi is empowering enterprises to manage their machine identities more efficiently, delivering added security measures and simplified operations in large-scale Kubernetes environments.