Issuer Network Requirements
Issuer needs to connect to the TLS Protect Cloud REST API, so you may have to configure your firewall or egress proxy accordingly.
Introduction
If Issuer is deployed in a secure environment that limits connection to external sites or services, you may need to configure your firewall with the following egress rule:
Rule | Host | Protocol | Port
---|---|---|---
ALLOW | api.venafi.cloud | TCP | 443
If you use an egress proxy, you can assign the proxy address to an environment variable called HTTPS_PROXY in the environment of the Issuer process. Issuer uses the Go HTTP library, which reads the proxy address from the process environment.
The steps will be different, depending on whether you deploy Issuer on Kubernetes or on a VM using Docker.
Modifying network settings for Kubernetes
Egress using NetworkPolicy
Many Kubernetes clusters and most OpenShift clusters have NetworkPolicy enabled. NetworkPolicies allow you to limit how a Pod communicates over the network. They apply to connections between Pods in a cluster and also to connections between Pods and the Internet.
Learn more about network policies
Read the Kubernetes Network Policies documentation and about Network Policies on OpenShift clusters.
Here is an example of a NetworkPolicy which will allow Issuer to connect to the TLS Protect Cloud REST API.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-firefly-egress
  namespace: venafi
spec:
  podSelector:
    matchLabels:
      app: firefly
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
```
Proxy Server Considerations
Some Kubernetes clusters are configured to only allow Internet connections via an HTTP(S) proxy. If that applies to you:
- Add api.venafi.cloud (or https://api.venafi.eu/ if you are in Europe) to the allowed domain list of your egress proxy.
- Add an HTTPS_PROXY environment variable to the PodTemplate of the Issuer Deployment resource.
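Putting the NetworkPolicy and proxy steps above together, as an added example that is not from the Venafi documentation: a NetworkPolicy that lets the Issuer Pods reach cluster DNS and only the proxy (instead of 0.0.0.0/0 on 443), followed by a strategic-merge patch that sets HTTPS_PROXY and NO_PROXY on the Issuer Deployment. It assumes the Deployment and its container are named firefly, Pods are labelled app=firefly as above, the proxy listens at 10.20.0.5:3128 (a constructed address), the cluster Service CIDR is 10.96.0.0/12, and the resolver carries the upstream kube-dns labels (OpenShift's DNS Pods are labelled differently).

```yaml
# Added example, not from the Venafi docs. Assumes: Deployment and container
# named "firefly" in namespace "venafi", Pods labelled app=firefly, proxy at
# 10.20.0.5:3128 (constructed address), Service CIDR 10.96.0.0/12 (assumed).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-firefly-egress-via-proxy
  namespace: venafi
spec:
  podSelector:
    matchLabels:
      app: firefly
  policyTypes:
    - Egress
  egress:
    # Selecting a Pod for Egress denies everything not listed, including DNS,
    # so allow the cluster resolver explicitly.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Only the proxy, instead of 0.0.0.0/0 on 443; the proxy's own
    # allow-list then restricts destinations to api.venafi.cloud.
    - to:
        - ipBlock:
            cidr: 10.20.0.5/32
      ports:
        - protocol: TCP
          port: 3128
---
# Strategic-merge patch for the Issuer Deployment (save as its own file):
#   kubectl patch deployment firefly -n venafi --patch-file proxy-patch.yaml
spec:
  template:
    spec:
      containers:
        - name: firefly
          env:
            - name: HTTPS_PROXY
              value: http://10.20.0.5:3128
            - name: NO_PROXY
              value: 10.96.0.0/12,.svc,.cluster.local
```

Apply the first document with kubectl apply and keep the second as the patch file; NO_PROXY keeps in-cluster traffic off the proxy, and Go's proxy handling accepts CIDRs and leading-dot domain suffixes there.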