Issuer Network Requirements for TLS Protect Datacenter
CyberArk Workload Identity Manager (formerly known as Firefly) needs to connect to the WebSDK API of your TLS Protect Datacenter instance in order to fetch the security configuration and enroll subordinate CA certificates. Therefore, you may need to configure your firewall or egress proxy accordingly.
Issuer supports multiple authentication methods when working with TLS Protect Datacenter. When using the OIDC authentication method, TLS Protect Datacenter requires access to the OIDC Discovery endpoint of the Kubernetes cluster where Issuer is deployed. This access is necessary to retrieve the information required to validate the JWT credentials used by Issuer.
If Issuer is deployed in a secure environment that limits connections, you may need to configure your firewall with the following egress rule:
| Rule | Source host | Destination host | Protocol | Port | Notes |
|---|---|---|---|---|---|
| ALLOW | `<Your Kubernetes Cluster>` | `<Your TLS Protect Datacenter>` | TCP | 443 | |
| ALLOW | `<Your TLS Protect Datacenter>` | `<Your Kubernetes Cluster>` | TCP | 443 | Only needed when OIDC authentication is used. |
If you use an egress proxy, you can assign the proxy address to an environment variable called `HTTPS_PROXY` in the environment of the Issuer process. Issuer uses the Go HTTP library, which reads the proxy address from the process environment.
The steps will be different, depending on whether you deploy Issuer on Kubernetes or on a VM using Docker.
Modifying network settings for Kubernetes
Egress using NetworkPolicy
Many Kubernetes clusters and most OpenShift clusters have NetworkPolicy enabled. NetworkPolicies allow you to limit how a Pod communicates over the network. NetworkPolicies apply to connections between Pods in a cluster and also to connections between Pods and the TLS Protect Datacenter instance.
Here is an example of a NetworkPolicy which will allow Issuer to connect to the WebSDK API of your TLS Protect Datacenter instance.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-firefly-egress
  namespace: venafi
spec:
  podSelector:
    matchLabels:
      app: firefly
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 1.2.3.4/32 # replace with the CIDR block of your TLS Protect Datacenter instance
      ports:
        - protocol: TCP
          port: 443
```
Proxy server considerations
Some Kubernetes clusters are configured to only allow Internet connections via an HTTP(S) proxy. If that applies to you:
- Add the URL of your TLS Protect Datacenter instance to the allowed domain list of your egress proxy.
- Add an `HTTPS_PROXY` environment variable to the PodTemplate of the Issuer Deployment resource.
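The following Deployment fragment is an added example, not a manifest from the CyberArk/Venafi documentation or from the Issuer project, showing where the `HTTPS_PROXY` variable goes in the PodTemplate. It reuses the `venafi` namespace and `app: firefly` label from the NetworkPolicy above; the Deployment name, container name, image and proxy address are constructed placeholders. Only the `env` entries are the point: merge them into the Deployment (or Helm values) you already have rather than replacing it.

```yaml
# Added example (not from the CyberArk/Venafi docs): an Issuer Deployment
# fragment that hands the egress proxy address to the Go HTTP client via
# the process environment. Deployment name, container name, image and the
# proxy address are assumptions; replace them with your own values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: firefly            # assumed name of the Issuer Deployment
  namespace: venafi
spec:
  selector:
    matchLabels:
      app: firefly
  template:
    metadata:
      labels:
        app: firefly
    spec:
      containers:
        - name: firefly    # assumed container name
          image: "<issuer image>"   # keep the image your existing Deployment uses
          env:
            # Go's net/http reads the proxy for https:// destinations from HTTPS_PROXY.
            - name: HTTPS_PROXY
              value: "http://egress-proxy.example.internal:3128"   # constructed placeholder
            # Go also honours NO_PROXY: keep in-cluster destinations such as the
            # Kubernetes API server off the proxy. Adjust to your Service/Pod ranges.
            - name: NO_PROXY
              value: "kubernetes.default.svc,.cluster.local,10.0.0.0/8"
```

Two checks are worth making after applying this. First, with `HTTPS_PROXY` set the Pod's TCP connection goes to the proxy, not directly to the TLS Protect Datacenter instance, so if you also apply the egress NetworkPolicy above its `ipBlock` and `port` must match the proxy's address and port. Second, a NetworkPolicy with `policyTypes: [Egress]` blocks every egress flow it does not list, including DNS; the Pod must still be able to resolve the proxy hostname (or the TLS Protect Datacenter hostname in the direct case), so allow UDP/TCP 53 to your cluster DNS service if name resolution fails after the policy is applied.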