Installing Distributed Issuer on Kubernetes using Helm
In this tutorial, you'll use Helm to install Distributed Issuer on Kubernetes and connect it to Next-Gen Trust Security (NGTS), from which it will bootstrap its security settings.
Prerequisites
Before you begin, prepare your environment, complete pre-installation in the NGTS user interface, and configure authentication.
Prepare your environment
To install Distributed Issuer, you must have:
- A cluster with permissions to create namespaces and secrets.
- Outbound access from your cluster to the NGTS API, so Distributed Issuer can connect for authentication and configuration. See network requirements.
- `helm`, `kubectl`, and `cmctl` on your local machine.
Complete pre-installation
Complete the steps in Getting started with Distributed Issuer. This includes creating a Built-in Account, CA account, and subordinate CA, adding policies, and adding a bootstrap configuration.
Configure authentication
To authenticate Distributed Issuer with NGTS:
- Install Connection for Next-Gen Trust Security (Connection resource). If Distributed Issuer is the only component using Connection resource, you can also install Connection resource directly from the Helm chart in step 1 of this tutorial.
- Configure Connection resource to authenticate with NGTS using your Built-in Account credentials. Choose private key JWT or Workload Identity Federation (WIF).
Step 1: Install Distributed Issuer with a Helm chart

- If needed, review and agree to the Palo Alto Networks End User License Agreement.

- Create a Kubernetes namespace:

  ```shell
  kubectl create ns venafi
  ```

- Create a `distributed-issuer.values.yaml` file.

  - If you did not install Connection resource separately, set `venafiConnection.include` to `true` to install the Connection resource CRD and role-based access control.

  Generate a starter file

  To generate a starter Helm values file with comments for installing Distributed Issuer, run:

  ```shell
  helm show values oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer --version v1.12.0 > distributed-issuer-values.yaml
  ```

  distributed-issuer.values.yaml

  ```yaml
  venafiConnection:
    include: false # (1)!
  deployment:
    config:
      bootstrap:
        ngts:
          connection:
            create: false
            name: ngts-connection # (2)!
            # Or set create: true and replace name with:
            #
            # tsgID: "0000000000"
            # privateKeySecret:
            #   enabled: true
            #   clientID: 00000000-0000-0000-0000-000000000000
  crd:
    approver:
      subject:
        name: cert-manager # (3)!
        namespace: venafi
  ```

  1. Set to `true` only if you did not install Connection resource in the prerequisites.
  2. The name of the Connection resource created in the prerequisites. To have the Helm chart create the Connection resource instead, see the commented example.
  3. ServiceAccount allowed to approve CertificateRequests, which must be approved before Distributed Issuer signs them. This example uses cert-manager directly, instead of a separate approver-policy. Also see CertificateRequest resource in the open source documentation.

- Install the Helm chart. The `--version` flag is required.

  - For FIPS, replace `distributed-issuer-public` with `distributed-issuer-fips` and make sure you have the NGTS pull secret configured in your cluster.

  ```shell
  helm upgrade di-install oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-public \
    --install \
    --create-namespace \
    --namespace venafi \
    --values distributed-issuer.values.yaml \
    --version v1.12.0
  ```
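The values file above has a few rules that are easy to get wrong and that only surface as a failed bootstrap or an unsigned CertificateRequest later: `venafiConnection.include` must agree with whether Connection resource was installed in the prerequisites, `connection.create: false` needs the name of an existing Connection resource while `create: true` needs a real `tsgID` and `privateKeySecret.clientID` (not the placeholder values from the comment), and the approver subject must be set or nothing is ever approved. The following Python script is an added example, not part of the tutorial or the Distributed Issuer chart; it encodes those checks as a pre-install lint. The `check_values` and `_get` helpers and both sample dictionaries are constructed for this example; the sample mirrors the values shown above, and in practice you would load the dictionary from `distributed-issuer.values.yaml` with PyYAML's `yaml.safe_load` (assumed to be installed, not used here so the script runs without dependencies).

```python
"""Pre-install consistency checks for a distributed-issuer.values.yaml file.

Added example, not part of the Distributed Issuer chart or the tutorial. The
values are passed in as a dict (load the real file with yaml.safe_load).
"""

# Placeholder values from the commented example in the tutorial; a values file
# that still carries them has not been filled in.
PLACEHOLDER_TSG_ID = "0000000000"
PLACEHOLDER_CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def _get(data, path, default=None):
    """Walk a nested dict by dotted path; return default if any key is missing."""
    cur = data
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def check_values(values, connection_installed):
    """Return a list of findings (empty means the file is consistent).

    values: parsed values.yaml as a dict.
    connection_installed: True if Connection resource was installed
    separately in the prerequisites, False if the chart must install it.
    """
    findings = []

    # Rule 1: include must match what was done in the prerequisites.
    include = bool(_get(values, "venafiConnection.include", False))
    if include and connection_installed:
        findings.append("venafiConnection.include is true but Connection resource is "
                        "already installed: the chart would manage the CRD and RBAC twice")
    if not include and not connection_installed:
        findings.append("venafiConnection.include is false and Connection resource was not "
                        "installed separately: nothing will authenticate to NGTS")

    # Rule 2: either reference an existing Connection resource or fully define one.
    conn = _get(values, "deployment.config.bootstrap.ngts.connection", {})
    if not isinstance(conn, dict):
        conn = {}
    if conn.get("create"):
        tsg = conn.get("tsgID")
        if not tsg or tsg == PLACEHOLDER_TSG_ID:
            findings.append("connection.create is true but tsgID is missing or still the placeholder")
        if not _get(conn, "privateKeySecret.enabled", False):
            findings.append("connection.create is true but privateKeySecret.enabled is not true")
        client_id = _get(conn, "privateKeySecret.clientID")
        if not client_id or client_id == PLACEHOLDER_CLIENT_ID:
            findings.append("connection.create is true but privateKeySecret.clientID is "
                            "missing or still the placeholder")
    elif not conn.get("name"):
        findings.append("connection.create is false but connection.name (the existing "
                        "Connection resource) is not set")

    # Rule 3: an approver subject is required, otherwise no request is ever signed.
    for key in ("crd.approver.subject.name", "crd.approver.subject.namespace"):
        if not _get(values, key):
            findings.append(f"{key} is not set: CertificateRequests would never be approved")
    return findings


# Constructed sample: the values file from the tutorial (Connection resource pre-installed).
SAMPLE_VALUES = {
    "venafiConnection": {"include": False},
    "deployment": {"config": {"bootstrap": {"ngts": {"connection": {
        "create": False, "name": "ngts-connection"}}}}},
    "crd": {"approver": {"subject": {"name": "cert-manager", "namespace": "venafi"}}},
}

# Constructed sample: chart-managed Connection resource with the placeholders left in.
SAMPLE_CHART_CREATED = {
    "venafiConnection": {"include": True},
    "deployment": {"config": {"bootstrap": {"ngts": {"connection": {
        "create": True, "tsgID": PLACEHOLDER_TSG_ID,
        "privateKeySecret": {"enabled": True, "clientID": PLACEHOLDER_CLIENT_ID}}}}}},
    "crd": {"approver": {"subject": {"name": "cert-manager", "namespace": "venafi"}}},
}

if __name__ == "__main__":
    for label, values, installed in (("tutorial values", SAMPLE_VALUES, True),
                                     ("placeholders left in", SAMPLE_CHART_CREATED, False)):
        problems = check_values(values, installed)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run it before `helm upgrade`; a non-empty finding list is cheaper to act on than a pod that loops on bootstrap because the Connection resource name or client ID is wrong.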
Step 2: Verify the installation

Verify the installation using cmctl.

- Create a `certificate.yaml` file containing a test certificate:

  certificate.yaml

  ```yaml
  kind: Certificate
  apiVersion: cert-manager.io/v1
  metadata:
    annotations:
      firefly.venafi.com/policy-name: my-web-policy # (1)!
  spec:
    commonName: app.example.com # (2)!
    issuerRef:
      name: firefly
      kind: Issuer
      group: firefly.venafi.com
  ```

  1. Replace this example with your Distributed Issuer policy name, from the NGTS Workload Issuance Policies page.
  2. Supply a domain allowed by your Distributed Issuer policy, from the Workload Issuance Policies page under Subject > Common Name.

- Use `cmctl` to create a cert-manager CertificateRequest and wait for the signed certificate:

  ```shell
  cmctl create certificaterequest my-cr \
    --from-certificate-file certificate.yaml \
    --fetch-certificate
  ```

  If successful, `cmctl` prints the names of a `.key` and a `.crt` file.

- Confirm the signed X.509 certificate with OpenSSL:

  ```shell
  openssl x509 -in my-cr.crt -noout -text
  ```
What's next?
Distributed Issuer is now installed, and can issue and manage certificates in your cluster. Review certificates on the Issuer Certificates page in NGTS.