jetstack · inteon · Jun 4, 2026 · Jun 4, 2026
diff --git a/deploy/charts/discovery-agent/README.md b/deploy/charts/discovery-agent/README.md
@@ -6,6 +6,21 @@ The Discovery Agent connects your Kubernetes or OpenShift cluster to Palo Alto N
 
 <!-- AUTO-GENERATED -->
 
+### Venafi Connection
+
+#### **venafiConnection.include** ~ `bool`
+> Default value:
+> ```yaml
+> false
+> ```
+
+When set to false, the rendered output does not contain the VenafiConnection CRDs and RBAC. This is useful for when the Venafi Connection resoures are already installed separately.
+#### **venafiConnection.serviceAccountNamespace** ~ `string`
+
+The namespace in which the 'venafi-connection' service account lives. This is the service account that is used to create JWT tokens for SAs or read credential secrets. (defaults to the namespace in which the controller is running)
+
+### Discovery Agent
+
 #### **config.tsgID** ~ `number,string`
 > Default value:
 > ```yaml

diff --git a/deploy/charts/discovery-agent/crd_bases/crd.footer.yaml b/deploy/charts/discovery-agent/crd_bases/crd.footer.yaml
@@ -0,0 +1,2 @@
+{{ end }}
+{{ end }}
diff --git a/deploy/charts/discovery-agent/crd_bases/crd.header-without-validations.yaml b/deploy/charts/discovery-agent/crd_bases/crd.header-without-validations.yaml
@@ -0,0 +1,13 @@
+{{/* DO NOT EDIT. Use 'make generate-crds-venconn' to regenerate. */}}
+{{- if .Values.venafiConnection.include }}
+{{- if (semverCompare "<1.25" .Capabilities.KubeVersion.GitVersion) }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: "venaficonnections.jetstack.io"
+  annotations:
+    # This annotation prevents the CRD from being pruned by Helm when this chart
+    # is deleted.
+    helm.sh/resource-policy: keep
+  labels:
+  {{- include "venafi-connection.labels" . | nindent 4 }}
diff --git a/deploy/charts/discovery-agent/crd_bases/crd.header.yaml b/deploy/charts/discovery-agent/crd_bases/crd.header.yaml
@@ -0,0 +1,13 @@
+{{/* DO NOT EDIT. Use 'make generate-crds-venconn' to regenerate. */}}
+{{- if .Values.venafiConnection.include }}
+{{- if not (semverCompare "<1.25" .Capabilities.KubeVersion.GitVersion) }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: "venaficonnections.jetstack.io"
+  annotations:
+    # This annotation prevents the CRD from being pruned by Helm when this chart
+    # is deleted.
+    helm.sh/resource-policy: keep
+  labels:
+  {{- include "venafi-connection.labels" . | nindent 4 }}
diff --git a/deploy/charts/discovery-agent/crd_bases/jetstack.io_venaficonnections.yaml b/deploy/charts/discovery-agent/crd_bases/jetstack.io_venaficonnections.yaml
diff --git a/deploy/charts/discovery-agent/templates/_venafi-connection.tpl b/deploy/charts/discovery-agent/templates/_venafi-connection.tpl
@@ -0,0 +1,26 @@
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "venafi-connection.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "venafi-connection.labels" -}}
+helm.sh/chart: {{ include "venafi-connection.chart" . }}
+{{ include "venafi-connection.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "venafi-connection.selectorLabels" -}}
+app.kubernetes.io/name: "venafi-connection"
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/deploy/charts/discovery-agent/templates/deployment.yaml b/deploy/charts/discovery-agent/templates/deployment.yaml
@@ -91,6 +91,10 @@ spec:
             - {{ .Values.config.venafiConnection.name | quote }}
             - --venafi-connection-namespace
             - {{ .Values.config.venafiConnection.namespace | quote }}
+            {{- with .Values.venafiConnection.serviceAccountNamespace }}
+            - --install-namespace
+            - {{ . | quote }}
+            {{- end }}
             {{- else }}
             - --ngts
             {{- if and .Values.config.tsgID .Values.config.serverURL }}

diff --git a/deploy/charts/discovery-agent/templates/venafi-connection-crd.without-validations.yaml b/deploy/charts/discovery-agent/templates/venafi-connection-crd.without-validations.yaml
diff --git a/deploy/charts/discovery-agent/templates/venafi-connection-crd.yaml b/deploy/charts/discovery-agent/templates/venafi-connection-crd.yaml
diff --git a/deploy/charts/discovery-agent/templates/venafi-connection-rbac.yaml b/deploy/charts/discovery-agent/templates/venafi-connection-rbac.yaml
@@ -0,0 +1,47 @@
+{{- if .Values.venafiConnection.include }}
+{{- $saNamespace := .Values.venafiConnection.serviceAccountNamespace | default $.Release.Namespace }}
+# The 'venafi-connection' service account is used by multiple
+# controllers. When configuring which resources a VenafiConnection
+# can access, the RBAC rules you create manually must point to this SA.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: venafi-connection
+  namespace: {{ $saNamespace | quote }}
+  labels:
+  {{- include "venafi-connection.labels" $ | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: venafi-connection-role
+  labels:
+  {{- include "venafi-connection.labels" $ | nindent 4 }}
+rules:
+- apiGroups: [ "" ]
+  resources: [ "namespaces" ]
+  verbs: [ "get", "list", "watch" ]
+
+- apiGroups: [ "jetstack.io" ]
+  resources: [ "venaficonnections" ]
+  verbs: [ "get", "list", "watch" ]
+
+- apiGroups: [ "jetstack.io" ]
+  resources: [ "venaficonnections/status" ]
+  verbs: [ "get", "patch" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: venafi-connection-rolebinding
+  labels:
+  {{- include "venafi-connection.labels" $ | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: venafi-connection-role
+subjects:
+- kind: ServiceAccount
+  name: venafi-connection
+  namespace: {{ $saNamespace | quote }}
+{{- end }}
diff --git a/deploy/charts/discovery-agent/templates/venafi-rbac.yaml b/deploy/charts/discovery-agent/templates/venafi-rbac.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.config.venafiConnection.enabled }}
+{{- $saNamespace := .Values.venafiConnection.serviceAccountNamespace | default $.Release.Namespace }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "discovery-agent.fullname" . }}-impersonate-role
+  namespace: {{ $saNamespace | quote }}
+  labels:
+  {{- include "discovery-agent.labels" . | nindent 4 }}
+rules:
+- apiGroups: [ "" ]
+  resources: [ "serviceaccounts" ]
+  verbs: [ "impersonate" ]
+  resourceNames: [ "venafi-connection" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "discovery-agent.fullname" . }}-impersonate-rolebinding
+  namespace: {{ $saNamespace | quote }}
+  labels:
+  {{- include "discovery-agent.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "discovery-agent.fullname" . }}-impersonate-role
+subjects:
+- kind: ServiceAccount
+  name: {{ include "discovery-agent.serviceAccountName" . }}
+  namespace: {{ $.Release.Namespace | quote }}
+{{- end }}
diff --git a/deploy/charts/discovery-agent/tests/deployment_test.yaml b/deploy/charts/discovery-agent/tests/deployment_test.yaml
@@ -501,3 +501,54 @@ tests:
     asserts:
       - isKind:
           of: Deployment
+
+  # When venafiConnection.serviceAccountNamespace is set in VenafiConnection
+  # mode, the chart should pass --install-namespace to the agent so it knows
+  # which namespace holds the 'venafi-connection' service account used for
+  # token issuance / credential reads.
+  - it: VenafiConnection mode passes --install-namespace when serviceAccountNamespace is set
+    set:
+      config.clusterName: test-cluster
+      config.venafiConnection.enabled: true
+      venafiConnection.serviceAccountNamespace: venafi
+    template: deployment.yaml
+    asserts:
+      - isKind:
+          of: Deployment
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: --install-namespace
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: venafi
+
+  # When venafiConnection.serviceAccountNamespace is unset (the default), the
+  # --install-namespace flag must NOT be passed; the agent falls back to
+  # POD_NAMESPACE in that case.
+  - it: VenafiConnection mode omits --install-namespace when serviceAccountNamespace is unset
+    set:
+      config.clusterName: test-cluster
+      config.venafiConnection.enabled: true
+    template: deployment.yaml
+    asserts:
+      - isKind:
+          of: Deployment
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: --install-namespace
+
+  # --install-namespace is only emitted in VenafiConnection mode. In keypair
+  # (NGTS/TSG) mode it must be omitted even if venafiConnection.serviceAccountNamespace
+  # is set, since that value only applies to the VenafiConnection flow.
+  - it: keypair mode omits --install-namespace even when serviceAccountNamespace is set
+    set:
+      config.clusterName: test-cluster
+      config.tsgID: "123456"
+      venafiConnection.serviceAccountNamespace: venafi
+    template: deployment.yaml
+    asserts:
+      - isKind:
+          of: Deployment
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: --install-namespace
diff --git a/deploy/charts/discovery-agent/values.schema.json b/deploy/charts/discovery-agent/values.schema.json
@@ -78,6 +78,9 @@
         "tolerations": {
           "$ref": "#/$defs/helm-values.tolerations"
         },
+        "venafiConnection": {
+          "$ref": "#/$defs/helm-values.venafiConnection"
+        },
         "volumeMounts": {
           "$ref": "#/$defs/helm-values.volumeMounts"
         },
@@ -512,6 +515,27 @@
       "items": {},
       "type": "array"
     },
+    "helm-values.venafiConnection": {
+      "additionalProperties": false,
+      "properties": {
+        "include": {
+          "$ref": "#/$defs/helm-values.venafiConnection.include"
+        },
+        "serviceAccountNamespace": {
+          "$ref": "#/$defs/helm-values.venafiConnection.serviceAccountNamespace"
+        }
+      },
+      "type": "object"
+    },
+    "helm-values.venafiConnection.include": {
+      "default": false,
+      "description": "When set to false, the rendered output does not contain the VenafiConnection CRDs and RBAC. This is useful for when the Venafi Connection resoures are already installed separately.",
+      "type": "boolean"
+    },
+    "helm-values.venafiConnection.serviceAccountNamespace": {
+      "description": "The namespace in which the 'venafi-connection' service account lives. This is the service account that is used to create JWT tokens for SAs or read credential secrets. (defaults to the namespace in which the controller is running)",
+      "type": "string"
+    },
     "helm-values.volumeMounts": {
       "default": [],
       "description": "Additional volumeMounts on the output Deployment definition.",

diff --git a/deploy/charts/discovery-agent/values.yaml b/deploy/charts/discovery-agent/values.yaml
@@ -1,3 +1,18 @@
+# +docs:section=Venafi Connection
+
+venafiConnection:
+  # When set to false, the rendered output does not contain the VenafiConnection CRDs
+  # and RBAC. This is useful for when the Venafi Connection resoures are already installed separately.
+  include: false
+
+  # The namespace in which the 'venafi-connection' service account lives. This is the service account
+  # that is used to create JWT tokens for SAs or read credential secrets. (defaults to the namespace
+  # in which the controller is running)
+  # +docs:property
+  # serviceAccountNamespace: venafi
+
+# +docs:section=Discovery Agent
+
 # Configuration for the Discovery Agent
 config:
   # The TSG (Tenant Service Group) ID to use when connecting to SCM.

diff --git a/klone.yaml b/klone.yaml
@@ -10,55 +10,55 @@ targets:
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 42a2144a693992d84601456410428735d96f49cf
+      repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 42a2144a693992d84601456410428735d96f49cf
+      repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 42a2144a693992d84601456410428735d96f49cf
+      repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 42a2144a693992d84601456410428735d96f49cf
+      repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 42a2144a693992d84601456410428735d96f49cf
+      repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 42a2144a693992d84601456410428735d96f49cf
+      repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c
       repo_path: modules/klone
     - folder_name: licenses
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 42a2144a693992d84601456410428735d96f49cf
+      repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c
       repo_path: modules/licenses
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 42a2144a693992d84601456410428735d96f49cf
+      repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 42a2144a693992d84601456410428735d96f49cf
+      repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 42a2144a693992d84601456410428735d96f49cf
+      repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 42a2144a693992d84601456410428735d96f49cf
+      repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c
       repo_path: modules/tools
diff --git a/make/02_mod.mk b/make/02_mod.mk
@@ -31,7 +31,7 @@ $(helm_chart_source_dir)/crd_bases/jetstack.io_venaficonnections.yaml: go.mod |
 	echo "# DO NOT EDIT: Use 'make generate-crds-venconn' to regenerate." >$@
 	$(GO) run ./make/connection_crd >>$@
 
-$(helm_chart_source_dir)/templates/venafi-connection-crd.without-validations.yaml: $(helm_chart_source_dir)/crd_bases/jetstack.io_venaficonnections.yaml $(helm_chart_source_dir)/crd_bases/crd.header.yaml $(helm_chart_source_dir)/crd_bases/crd.footer.yaml | $(NEEDS_YQ)
+$(helm_chart_source_dir)/templates/venafi-connection-crd.without-validations.yaml: $(helm_chart_source_dir)/crd_bases/jetstack.io_venaficonnections.yaml $(helm_chart_source_dir)/crd_bases/crd.header-without-validations.yaml $(helm_chart_source_dir)/crd_bases/crd.footer.yaml | $(NEEDS_YQ)
 	cat $(helm_chart_source_dir)/crd_bases/crd.header-without-validations.yaml >$@
 	$(YQ) -I2 '{"spec": .spec}' $< | $(YQ) 'del(.. | ."x-kubernetes-validations"?) | del(.metadata.creationTimestamp)' | grep -v "DO NOT EDIT" >>$@
 	cat $(helm_chart_source_dir)/crd_bases/crd.footer.yaml >>$@
@@ -41,10 +41,7 @@ $(helm_chart_source_dir)/templates/venafi-connection-crd.yaml: $(helm_chart_sour
 	$(YQ) -I2 '{"spec": .spec}' $< | $(YQ) 'del(.metadata.creationTimestamp)' | grep -v "DO NOT EDIT" >>$@
 	cat $(helm_chart_source_dir)/crd_bases/crd.footer.yaml >>$@
 
-# The generate-crds target doesn't need to be run anymore when running
-# "generate". Let's replace it with "generate-crds-venconn".
-shared_generate_targets := $(filter-out generate-crds,$(shared_generate_targets))
-shared_generate_targets += generate-crds-venconn
+shared_generate_targets_dirty += generate-crds-venconn
 
 .PHONY: test-e2e-gke
 ## Run a basic E2E test on a GKE cluster

diff --git a/make/_shared/generate-verify/02_mod.mk b/make/_shared/generate-verify/02_mod.mk
@@ -12,12 +12,20 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Literal newline so the $(foreach)es below emit one $(MAKE) per recipe line.
+# Without this the dirty list expands to "make a make b make c" on a single
+# line, which under -j builds every goal in one parallel invocation.
+define _generate_verify_newline
+
+
+endef
+
 .PHONY: generate
 ## Generate all generate targets.
 ## @category [shared] Generate/ Verify
 generate: $$(shared_generate_targets)
 	@echo "The following targets cannot be run simultaneously with each other or other generate scripts:"
-	$(foreach TARGET,$(shared_generate_targets_dirty), $(MAKE) $(TARGET))
+	$(foreach TARGET,$(shared_generate_targets_dirty),$(MAKE) $(TARGET)$(_generate_verify_newline))
 
 verify_script := $(dir $(lastword $(MAKEFILE_LIST)))/util/verify.sh
 
@@ -36,4 +44,4 @@ verify_targets_dirty = $(sort $(verify_generated_targets_dirty) $(shared_verify_
 ## @category [shared] Generate/ Verify
 verify: $$(verify_targets)
 	@echo "The following targets create temporary files in the current directory, that is why they have to be run last:"
-	$(foreach TARGET,$(verify_targets_dirty), $(MAKE) $(TARGET))
+	$(foreach TARGET,$(verify_targets_dirty),$(MAKE) $(TARGET)$(_generate_verify_newline))