Configuring Enterprise Issuer for Next-Gen Trust Security¶
Once Enterprise Issuer is installed, configure it to issue certificates by creating a VenafiIssuer or VenafiClusterIssuer resource in your cluster.
Prerequisites¶
To configure Enterprise Issuer, you must have:
- Enterprise Issuer installed in your cluster.
- Connection for Next-Gen Trust Security (Connection resource) configured to authenticate with Next-Gen Trust Security (NGTS).
- An Issuing Template created in NGTS.
Step 1: Create an issuer¶
Choose an issuer type, create a manifest that references Connection resource and your Issuing Template, and apply the manifest.
Namespaced vs cluster-scoped issuers
- VenafiClusterIssuer is cluster-scoped and has no namespace. Any Connection resource referenced by a VenafiClusterIssuer must be in the same namespace as Enterprise Issuer.
- VenafiIssuer is namespaced. Any Connection resource referenced by a VenafiIssuer must be in the same namespace as the VenafiIssuer resource or in a namespace explicitly allowed in the Connection resource definition.
1. Create one of the following issuers that references your VenafiConnection and specifies the Issuing Template to use:
VenafiClusterIssuer¶
Use VenafiClusterIssuer for cluster-wide access. The example below assumes a Connection resource named ngts-connection is in the venafi namespace.
ngts-cluster-issuer.yaml
```yaml
apiVersion: jetstack.io/v1alpha1
kind: VenafiClusterIssuer
metadata:
  name: ngts-cluster-issuer
spec:
  venafiConnectionName: ngts-connection
  zone: "Issuing Template Name" # (1)!
```
- Replace with the name of your NGTS Issuing Template.
VenafiIssuer — same namespace¶
Use VenafiIssuer for a single namespace. The example below assumes a Connection resource named ngts-connection is in the same namespace.
ngts-issuer.yaml
```yaml
apiVersion: jetstack.io/v1alpha1
kind: VenafiIssuer
metadata:
  name: ngts-issuer
  namespace: venafi
spec:
  venafiConnectionName: ngts-connection
  zone: "Issuing Template Name" # (1)!
```
- Replace with the name of your Issuing Template in NGTS.
VenafiIssuer — cross namespace¶
Use VenafiIssuer when the issuer and Connection resource are in different namespaces. The example below assumes a Connection resource named ngts-connection in the venafi namespace.
Grant cross-namespace access
Configure the Connection resource's allowReferencesFrom field to allow access from the target namespace. See About cross-namespace access.
ngts-issuer-cross-ns.yaml
```yaml
apiVersion: jetstack.io/v1alpha1
kind: VenafiIssuer
metadata:
  name: ngts-issuer
  namespace: application-team-1
spec:
  venafiConnectionName: ngts-connection
  venafiConnectionNamespace: venafi
  zone: "Issuing Template Name" # (1)!
```
- Replace with the name of your Issuing Template in NGTS.
2. Apply the manifest:
```shell
kubectl apply -f <manifest-file>.yaml
```
Step 2: Request a test certificate¶
Create a cert-manager Certificate resource that references the issuer you created:
example-cert.yaml
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cert
  namespace: venafi
spec:
  secretName: example-cert-tls
  commonName: example.com
  dnsNames:
    - example.com
    - www.example.com
  issuerRef:
    name: ngts-issuer # (1)!
    kind: VenafiIssuer # (2)!
    group: jetstack.io
```
- Replace with the name of the VenafiIssuer or VenafiClusterIssuer you created.
- Use VenafiClusterIssuer if you created a cluster-scoped resource.
Apply the manifest:
```shell
kubectl apply -f example-cert.yaml
```
Once applied, cert-manager requests a certificate from NGTS through Enterprise Issuer and the Connection resource.
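As an added pre-flight check that is not part of the Enterprise Issuer documentation, the following Python encodes the issuer and Connection namespace rules from Step 1 together with the issuerRef requirements of Step 2, and runs them over manifests loaded as plain dicts. It assumes Enterprise Issuer runs in the venafi namespace and does not model the allowReferencesFrom schema: each Connection is instead given the set of namespaces it admits (an assumption), so the check can be run against any cluster's manifests before they are applied.

```python
# Added example, not from the Enterprise Issuer docs. Manifests are dicts as
# returned by yaml.safe_load; the sample data below is constructed for the demo.
ENTERPRISE_ISSUER_NS = "venafi"  # assumed: the namespace Enterprise Issuer runs in
ISSUER_KINDS = {"VenafiIssuer", "VenafiClusterIssuer"}

def check_issuer(issuer, connections, ei_ns=ENTERPRISE_ISSUER_NS):
    """Validate an issuer's Connection reference; return a list of problems.
    connections maps (namespace, name) -> namespaces its allowReferencesFrom admits."""
    kind, spec = issuer["kind"], issuer["spec"]
    name = spec["venafiConnectionName"]
    if kind == "VenafiClusterIssuer":
        # Cluster-scoped issuer: the Connection must live in Enterprise Issuer's namespace.
        referrer_ns = conn_ns = ei_ns
    else:
        # Namespaced issuer: same namespace unless venafiConnectionNamespace says otherwise.
        referrer_ns = issuer["metadata"]["namespace"]
        conn_ns = spec.get("venafiConnectionNamespace", referrer_ns)
    allowed = connections.get((conn_ns, name))
    if allowed is None:
        return [f"Connection {conn_ns}/{name} not found"]
    if conn_ns != referrer_ns and referrer_ns not in allowed:
        return [f"Connection {conn_ns}/{name} does not allow references from {referrer_ns}"]
    return []

def issuer_index(issuers):
    """Index issuers by (kind, namespace or None for cluster-scoped, name)."""
    return {(i["kind"], i["metadata"].get("namespace"), i["metadata"]["name"]) for i in issuers}

def check_certificate(cert, index):
    """Check that a cert-manager Certificate's issuerRef resolves to a known issuer."""
    ref = cert["spec"]["issuerRef"]
    if ref.get("group") != "jetstack.io" or ref.get("kind") not in ISSUER_KINDS:
        return ["issuerRef must use group jetstack.io and kind VenafiIssuer or VenafiClusterIssuer"]
    # A VenafiIssuer is looked up in the Certificate's own namespace; a cluster issuer has none.
    ns = cert["metadata"]["namespace"] if ref["kind"] == "VenafiIssuer" else None
    if (ref["kind"], ns, ref["name"]) not in index:
        return [f"{ref['kind']} {ns or '<cluster>'}/{ref['name']} not found"]
    return []

# Constructed sample data mirroring the manifests on this page.
CONNECTIONS = {("venafi", "ngts-connection"): {"application-team-1"}}
ISSUERS = [
    {"kind": "VenafiClusterIssuer", "metadata": {"name": "ngts-cluster-issuer"},
     "spec": {"venafiConnectionName": "ngts-connection"}},
    {"kind": "VenafiIssuer", "metadata": {"name": "ngts-issuer", "namespace": "venafi"},
     "spec": {"venafiConnectionName": "ngts-connection"}},
    {"kind": "VenafiIssuer", "metadata": {"name": "ngts-issuer", "namespace": "application-team-1"},
     "spec": {"venafiConnectionName": "ngts-connection", "venafiConnectionNamespace": "venafi"}},
]
```

Running check_issuer over the three page issuers returns no problems; an issuer in a namespace the Connection does not admit, or a Certificate whose issuerRef still points at a cert-manager ClusterIssuer, is reported before anything is applied.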
Step 3: Verify certificate issuance¶
1. Check the status of the certificate:
```shell
kubectl get certificate example-cert -n venafi
```
When the certificate has been issued, the READY column shows True:
```text
NAME           READY   SECRET             AGE
example-cert   True    example-cert-tls   30s
```
If the certificate isn't ready after a few minutes, inspect the resources and see Troubleshooting Enterprise Issuer.
2. To verify the issued certificate, inspect the leaf certificate in the Secret:
```shell
kubectl get secret example-cert-tls -n venafi -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout
```
Verify the Subject, Issuer, and Subject Alternative Names.