
Installing Discovery Agent for Next-Gen Trust Security using Helm

In this tutorial, you'll install Discovery Agent on a Kubernetes cluster using a Helm chart. This connects your cluster to Next-Gen Trust Security (NGTS) and enables Discovery Agent to find certificates in the cluster.

Connecting multiple clusters

When connecting clusters to NGTS, deploy only one instance of Discovery Agent for each cluster and use a dedicated Built-in Account for each. Using the same Built-in Account for multiple clusters isn't supported.

Prerequisites

Before you begin, prepare your environment, complete pre-installation in NGTS, and configure authentication.

Prepare your environment

To install Discovery Agent, you must have:

  • A cluster with permissions to create namespaces and secrets.
  • Outbound access from your cluster to the public Discovery Agent chart at oci://registry.ngts.paloaltonetworks.com/charts/discovery-agent.
  • helm and kubectl on your local machine.

Configure authentication

To authenticate Discovery Agent with NGTS:

Step 1: Connect the cluster

To connect your cluster to NGTS, create a namespace, configure the Helm values, and install the Discovery Agent Helm chart.

  1. Create the namespace:

    kubectl create namespace venafi
    
  2. Create a discovery-agent.values.yaml file with your configuration.

    • If you use a multi-tenant environment with sub-tenants, set claimableCerts to true.
    • If you did not install the Connection resource separately, set venafiConnection.include to true to install the Connection resource CRD and its role-based access control.
    discovery-agent.values.yaml
    venafiConnection:
      include: false # (1)!
    
    config:
      clusterName: "your-cluster-name" # (2)!
      clusterDescription: "your-cluster-description"
      claimableCerts: false # (3)!
      venafiConnection:
        enabled: true
        name: ngts-connection # (4)!
        namespace: venafi
    
    1. Set to true only if you did not install the Connection resource in the prerequisites.
    2. Specifying a cluster name and description automatically creates a cluster resource in NGTS.
    3. Controls certificate ownership. When false (the default), the tenant that created the Built-in Account claims discovered certificates, even if it is a child tenant. When true, certificates remain unclaimed, making them available for child tenants to claim.
    4. The name of the VenafiConnection resource created in the prerequisites.
  3. (Optional) If your cluster requires a proxy, add the following top-level keys to your discovery-agent.values.yaml and update them for your environment:

    http_proxy: "proxy.example.com:8080"
    https_proxy: "proxy.example.com:8443"
    no_proxy: "127.0.0.1,localhost,kubernetes.default.svc,kubernetes.default.svc.cluster.local"
    

    Add <tsgID>.ngts.paloaltonetworks.com to your egress proxy allowlist, for example 0000000000.ngts.paloaltonetworks.com.

  4. (Optional) If your proxy uses a certificate from a private CA, add the CA to a custom trust bundle by creating a ConfigMap with your trusted certificates:

    kubectl --namespace venafi create configmap ca-cert \
      --from-file=ca-cert.crt=<file-name>
    

    Add the following to your discovery-agent.values.yaml to mount the trust bundle into the agent pod:

    volumes:
    - name: ca-cert
      configMap:
        name: ca-cert
    volumeMounts:
    - name: ca-cert
      mountPath: /etc/ssl/certs/ca-cert.crt
      subPath: ca-cert.crt
      readOnly: true
    
  5. Install the Discovery Agent Helm chart:

    • If you mirror images to your own registry, replace registry.ngts.paloaltonetworks.com with your registry URL.
    helm upgrade discovery-agent \
      oci://registry.ngts.paloaltonetworks.com/charts/discovery-agent \
      --install \
      --namespace "venafi" \
      --version 1.11.0 \
      --values discovery-agent.values.yaml
    

Step 2: Verify the deployment

To verify the deployment:

  1. In the NGTS user interface, click Insights > Certificate Installations > Kubernetes Clusters and click your cluster. In the right-hand drawer that appears, confirm that the status is ACTIVE and that Last Check In shows seconds ago.

  2. Click System Settings > Event Log and confirm that the events Service account access token granted and Login succeeded are present for your Built-in Account.

Check the agent logs

To troubleshoot issues, check the agent logs with kubectl:

kubectl logs -n venafi -l app.kubernetes.io/instance=discovery-agent --tail -1 | grep -A 5 "Running Agent"

Successful output is similar to the following:

2023/01/01 01:01:01 Running Agent...
2023/01/01 01:01:02 Posting data to: https://1234567891.ngts.paloaltonetworks.com/
2023/01/01 01:01:03 Data sent successfully.
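As an added example (not part of this page or the Discovery Agent project), the shell helper below checks a log excerpt for the start, post and success lines shown above and extracts the tenant host the agent posts to, so you can confirm it matches the <tsgID>.ngts.paloaltonetworks.com entry on your egress proxy allowlist. The sample log lines are constructed from the format shown above; pass the output of the kubectl logs command instead to check a live cluster.

```shell
#!/usr/bin/env bash
# Constructed sample in the agent's log format (not captured from a real cluster).
SAMPLE_LOG='2023/01/01 01:01:01 Running Agent...
2023/01/01 01:01:02 Posting data to: https://1234567891.ngts.paloaltonetworks.com/
2023/01/01 01:01:03 Data sent successfully.'

# ngts_endpoint_host LOG: print the host from the first "Posting data to:" line, or nothing.
ngts_endpoint_host() {
  printf '%s\n' "$1" | sed -n 's#.*Posting data to: https://\([^/]*\)/.*#\1#p' | head -n 1
}

# ngts_tsg_id HOST: print the tenant ID when HOST is a <tsgID>.ngts.paloaltonetworks.com
# host (the form the allowlist step expects); otherwise fail so unexpected egress stands out.
ngts_tsg_id() {
  case "$1" in
    *.ngts.paloaltonetworks.com) printf '%s\n' "${1%.ngts.paloaltonetworks.com}" ;;
    *) return 1 ;;
  esac
}

# check_agent_log LOG: succeed only when the agent started, posted to an NGTS tenant host
# and reported a successful upload; report the first missing or unexpected item on stderr.
check_agent_log() {
  log=$1
  printf '%s\n' "$log" | grep -q 'Running Agent' \
    || { echo "agent did not start (no 'Running Agent' line)" >&2; return 1; }
  host=$(ngts_endpoint_host "$log")
  [ -n "$host" ] || { echo "no 'Posting data to:' line found" >&2; return 1; }
  tsg=$(ngts_tsg_id "$host") \
    || { echo "unexpected endpoint host: $host (not an NGTS tenant host)" >&2; return 1; }
  printf '%s\n' "$log" | grep -q 'Data sent successfully' \
    || { echo "no 'Data sent successfully' line: upload to $host failed" >&2; return 1; }
  echo "OK: agent posts to $host (tsgID $tsg); allowlist $tsg.ngts.paloaltonetworks.com"
}

# Run against the constructed sample; substitute the live log to check a real cluster:
#   check_agent_log "$(kubectl logs -n venafi -l app.kubernetes.io/instance=discovery-agent --tail -1)"
check_agent_log "$SAMPLE_LOG"
```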

What's next?

Now that Discovery Agent is installed, configure it for your environment.