Distributed Issuer network requirements
Distributed Issuer needs to connect to the Next-Gen Trust Security REST API, so you may need to configure your firewall or egress proxy accordingly.
Firewall and proxy requirements
If Distributed Issuer is deployed in a secure environment that limits connection to external sites or services, add the following egress rule to your firewall:
| Rule | Host | Protocol | Port |
|---|---|---|---|
| ALLOW | ngts.paloaltonetworks.com | TCP | 443 |
If you use an egress proxy, assign the proxy address to an environment variable called HTTPS_PROXY, in the environment of the Distributed Issuer process.
Distributed Issuer uses the Go HTTP library, which reads its proxy settings from the process environment.
How you configure these options depends on whether you're using Kubernetes or Docker with a Linux host.
Modifying network settings for Kubernetes
You may need to add a network policy to allow outbound traffic, configure a proxy server, or both.
Egress using a network policy
Many Kubernetes and OpenShift clusters have NetworkPolicy enabled. Network policies allow you to limit how a Pod communicates over a network. They apply to connections between Pods in a cluster and also to connections between Pods and the internet.
To learn more, see the external documentation on Kubernetes and OpenShift network policies.
Network policy example
The following example shows a NetworkPolicy that allows Distributed Issuer to connect to the Next-Gen Trust Security REST API.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-distributed-issuer-egress
  namespace: venafi
spec:
  podSelector:
    matchLabels:
      app: distributed-issuer
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
```
Configuring a proxy server
Some Kubernetes clusters are configured to only allow internet connections through an HTTP(S) proxy. If that applies to you:
- Add `ngts.paloaltonetworks.com` to the allowed domain list of your egress proxy.
- Add an `HTTPS_PROXY` environment variable to the PodTemplate of the Distributed Issuer Deployment resource.
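The following added example (not part of the Distributed Issuer product or this documentation) shows how the Go HTTP library resolves `HTTPS_PROXY` and `NO_PROXY` for a given destination, so you can check your variables before putting them in the PodTemplate. The proxy address and the `NO_PROXY` entries are constructed placeholders; it also assumes, as for any in-cluster controller, that Distributed Issuer reaches the Kubernetes API server, which `NO_PROXY` keeps off the egress proxy.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// Constructed placeholder values (assumptions, not from the documentation):
// a corporate egress proxy and NO_PROXY entries covering in-cluster names.
const (
	exampleProxy   = "http://proxy.example.internal:3128"
	exampleNoProxy = "kubernetes.default.svc,.svc,.cluster.local"
)

// proxyFor returns the proxy URL that Go's net/http would use for target,
// using the same resolver (http.ProxyFromEnvironment) a Go client uses with
// the default Transport. An empty string means a direct connection.
func proxyFor(target string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	p, err := http.ProxyFromEnvironment(req)
	if err != nil || p == nil {
		return "", err
	}
	return p.String(), nil
}

// resolveAll sets HTTPS_PROXY and NO_PROXY, then resolves every target.
// Go reads these variables once per process and caches the result, so they
// must be present before the first request is made; that is why they belong
// in the environment of the Distributed Issuer process (its PodTemplate).
func resolveAll(httpsProxy, noProxy string, targets []string) (map[string]string, error) {
	os.Setenv("HTTPS_PROXY", httpsProxy)
	os.Setenv("NO_PROXY", noProxy)
	out := make(map[string]string, len(targets))
	for _, t := range targets {
		p, err := proxyFor(t)
		if err != nil {
			return nil, err
		}
		out[t] = p
	}
	return out, nil
}

func main() {
	res, err := resolveAll(exampleProxy, exampleNoProxy, []string{
		"https://ngts.paloaltonetworks.com/", // goes via the proxy
		"https://kubernetes.default.svc/",    // direct, excluded by NO_PROXY
	})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for target, proxy := range res {
		fmt.Printf("%s -> proxy=%q\n", target, proxy)
	}
}
```

Run it with the values you intend to deploy; a destination that unexpectedly resolves to `""` (direct) will be blocked by a cluster that only permits egress through the proxy.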