Installing trust-manager
Installation Steps
1. Update Helm Repository
Helm is the easiest way to install trust-manager and comes with a publicly trusted certificate bundle package
(for theuseDefaultCAs
source) derived from Debian containers.
helm repo add jetstack https://charts.jetstack.io --force-update
2. Install cert-manager (optional)
When installed via Helm, trust-manager has a dependency on cert-manager for provisioning an application certificate unless you explicitly opt to use a Helm-generated certificate instead.
In production, we recommend installing cert-manager first and having trust-manager depend on it.
If you haven't already installed cert-manager, you can install it using the following command:
# Run this command only if you haven't installed cert-manager alreadyhelm install cert-manager jetstack/cert-manager \--namespace cert-manager \--create-namespace \--version v1.16.3 \--set crds.enabled=true
If you're running cert-manager without the default approver, see approver-policy Integration for details on how to avoid a stuck installation.
If you don't want to rely on cert-manager, you can install using a Helm-generated cert; see Installing trust-manager without cert-manager.
3. Install trust-manager
trust-manager is simple to install and is contained in a single Helm chart:
helm upgrade trust-manager jetstack/trust-manager \--install \--namespace cert-manager \--wait
Various options are available, and some are documented below.
Installation Options
Enable Secret targets
Secret
targets are supported as of trust-manager v0.7.0, but need to be explicitly enabled on the controller.
The feature can be enabled with a Helm value --set secretTargets.enabled=true
, but since the controller needs
RBAC to read and update secrets, you also need to set secretTargets.authorizedSecretsAll
or secretTargets.authorizedSecrets
.
Please consult the
trust-manager Helm chart docs
for details and trade-offs.
approver-policy Integration
If you're running approver-policy then cert-manager's default approver will be disabled which will mean that trust-manager's webhook certificate will - by default - block when you install the Helm chart until it's manually approved.
As of trust-manager v0.6.0 you can choose to automatically add an approver-policy CertificateRequestPolicy
which
will approve the trust-manager webhook certificate:
helm upgrade trust-manager jetstack/trust-manager \--install \--namespace cert-manager \--wait \--set app.webhook.tls.approverPolicy.enabled=true \--set app.webhook.tls.approverPolicy.certManagerNamespace=cert-manager
Note that if you've installed cert-manager to a different namespace, you'll need to pass that namespace in app.webhook.tls.approverPolicy.certManagerNamespace
!
Trust Namespace
One of the more important configuration options you might need to consider at install time is which "trust namespace" to use,
which can be set via the Helm value app.trust.namespace
.
By default, the trust namespace is the only namespace whereSecret
s will be read. This restriction is in place
for security reasons - we don't want to give trust-manager the permission to read all Secret
s in all namespaces. With additional configuration, secrets may be read from or written to other namespaces.
The trust namespace defaults to cert-manager
, but there's no need for it to be set to the namespace that cert-manager
is installed in - trust-manager has no runtime dependency on cert-manager at all! - so we'd recommend setting the trust
namespace to whichever is most appropriate for your environment.
An ideal deployment would be a fresh namespace dedicated entirely to trust-manager, to minimize the number of actors in your cluster that can modify your trust sources.
Installing trust-manager without cert-manager
As an alternative to generating a webhook certificate using cert-manager, it's possible to opt to use Helm to generate the webhook certificate instead.
This isn't recommended for production, since Helm-generated certificates might be complicated to monitor or to reason about. The certificate is also rotated every time trust-manager is upgraded, which necessitates pod restarts and may complicate the upgrade process.
Installing without cert-manager can be great for smaller, more resource-constrained deployments such as experiments, demos or home labs.
Using a Helm-generated cert requires a single flag:
helm upgrade trust-manager jetstack/trust-manager \--install \--namespace cert-manager \--wait \--set app.webhook.tls.helmCert.enabled=true
Uninstalling
To uninstall trust-manager installed via Helm, run:
$ helm uninstall trust-manager -n cert-managerThese resources were kept due to the resource policy:[CustomResourceDefinition] bundles.trust.cert-manager.iorelease "trust-manager" uninstalled
As shown in the output, the CustomResourceDefinition
for Bundle
is not removed by the Helm uninstall command.
This is to prevent data loss, as removing the CustomResourceDefinition
would also remove all Bundle
resources.
☢️ This will remove all
Bundle
resources from the cluster:kubectl delete crd bundles.trust.cert-manager.io
⚠️ trust-manager versions prior to
v0.9.0
do not keep theCustomResourceDefinition
on uninstall and will remove allBundle
resources from the cluster. Make sure to back up yourBundle
resources before uninstalling trust-manager if you are using a version prior tov0.9.0
. Or upgrade tov0.9.0
before uninstalling.
Usage
📖 Read the trust-manager docs.