Installing Enterprise Issuer for Next-Gen Trust Security using Helm

In this tutorial, you'll install Enterprise Issuer in a Kubernetes cluster using Helm, enabling your cluster to request and manage certificates through Next-Gen Trust Security (NGTS).

Prerequisites

Before you begin, prepare your environment and configure authentication.

Prepare your environment

To install Enterprise Issuer, you must have:

  • Access to an NGTS tenant.
  • kubectl and Helm 3.8.0+ on your local machine.
  • Permission to install Helm charts and custom resource definitions (CRDs) in your Kubernetes cluster.
  • cert-manager installed in your cluster.
  • A pull secret configured for the NGTS private registry.

Configure authentication

To authenticate Enterprise Issuer with NGTS:

Step 1: (Optional) Reconfigure cert-manager

By default, cert-manager's built-in approver only approves CertificateRequests that reference issuers.cert-manager.io/* and clusterissuers.cert-manager.io/*, so reconfigure it to also approve requests that reference Enterprise Issuer's VenafiIssuer and VenafiClusterIssuer.

Skip this step if you already configured approveSignerNames during cert-manager installation or you are using Approver Policy, which approves certificate requests from all issuers.

Using the built-in approver

These steps require the built-in approver. If you previously set disableAutoApproval: true in your cert-manager Helm values, remove it before proceeding.

  1. Add the following to your cert-manager.values.yaml:

    approveSignerNames:
      - issuers.cert-manager.io/*
      - clusterissuers.cert-manager.io/*
      - venafiissuers.jetstack.io/*
      - venaficlusterissuers.jetstack.io/*
    
  2. Upgrade cert-manager with the updated values:

    helm upgrade cert-manager oci://registry.ngts.paloaltonetworks.com/charts/cert-manager \
      --namespace venafi \
      --version v1.20.2 \
      --values cert-manager.values.yaml \
      --reuse-values
    

Step 2: (Optional) Create trusted CA bundles

If egress traffic in your Kubernetes cluster passes through an HTTP or transparent proxy, or if you use Enterprise Issuer with a HashiCorp Vault instance served by a certificate signed by your company's private CA, you must configure Enterprise Issuer to trust the relevant CA certificates.

Using ConfigMap resources

Unlike cert-manager, which exposes a caBundle field, Enterprise Issuer requires you to mount the CA certificates into its file system at /etc/ssl/certs from ConfigMap resources.

Create a ConfigMap for each CA bundle to trust. You'll reference these in the trustedCaBundles field of the Helm values file in the next step.

HashiCorp Vault

kubectl --namespace venafi create configmap ca-cert-vault --from-file=ca.crt=<file-name>

HTTP or transparent proxy

kubectl --namespace venafi create configmap ca-cert-proxy --from-file=ca.crt=<file-name>

Step 3: Install Enterprise Issuer

Install Enterprise Issuer and configure it to use the pull secret and CA bundles from the prerequisites.

  1. Create a file named enterprise-issuer.values.yaml with the following contents.

    • If you did not install Connection resource separately, set venafiConnection.include to true to install the Connection resource CRD and role-based access control.

    enterprise-issuer.values.yaml:

    global:
      imagePullSecrets:
        - name: ngts-image-pull-secret

    venafiConnection:
      include: false # Set to true only if you did not install Connection resource in the prerequisites.

    venafiEnhancedIssuer:
      manager:
        image:
          repository: registry.ngts.paloaltonetworks.com/enterprise-issuer/enterprise-issuer

    Adding trusted CA bundles

    If you created ConfigMaps in Step 2, add the trustedCaBundles field to your values file under venafiEnhancedIssuer.manager:

    venafiEnhancedIssuer:
      manager:
        trustedCaBundles:
          - configMapName: ca-cert-vault
            configMapKey: ca.crt
          - configMapName: ca-cert-proxy
            configMapKey: ca.crt
    
  2. Install Enterprise Issuer and wait for it to be ready.

    • If you mirror images to your own registry, replace registry.ngts.paloaltonetworks.com with your registry URL in the values file and the Helm command.
    • For FIPS-compliant images, append -fips to the chart name and each image path, for example oci://registry.ngts.paloaltonetworks.com/charts/enterprise-issuer-fips.

    helm upgrade enterprise-issuer oci://registry.ngts.paloaltonetworks.com/charts/enterprise-issuer \
      --install \
      --namespace venafi \
      --values enterprise-issuer.values.yaml \
      --version v0.20.0 \
      --wait


Step 4: Verify the installation

Confirm that Enterprise Issuer is running in your cluster.

kubectl get pods -n venafi -l app.kubernetes.io/instance=enterprise-issuer

Successful output is similar to the following:

NAME                                READY   STATUS    RESTARTS   AGE
enterprise-issuer-6f4b5c8d9f-abcde  1/1     Running   0          2m
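The pod check above confirms the controller started, but not that Steps 1 and 2 were configured consistently. The following added example (not part of the product documentation) checks that cert-manager.values.yaml lists all four signer names from Step 1 without disabling auto-approval, and that every ConfigMap referenced under trustedCaBundles in enterprise-issuer.values.yaml exists in the venafi namespace. The ConfigMap list is read from a file so the script can run against captured kubectl output; the sample files it creates are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for the Enterprise Issuer install (added example).
# Capture the ConfigMap list with, for example:
#   kubectl -n venafi get configmap -o custom-columns=NAME:.metadata.name --no-headers > configmaps.txt

# Check that cert-manager.values.yaml ($1) lists all four signer names the
# built-in approver must accept (Step 1) and does not disable auto-approval.
check_signer_names() {
  for signer in 'issuers.cert-manager.io/*' 'clusterissuers.cert-manager.io/*' \
                'venafiissuers.jetstack.io/*' 'venaficlusterissuers.jetstack.io/*'; do
    grep -qF -- "- $signer" "$1" || { echo "missing signer: $signer" >&2; return 1; }
  done
  ! grep -qE '^[[:space:]]*disableAutoApproval:[[:space:]]*true' "$1"
}

# Print every configMapName listed under trustedCaBundles in a values file ($1).
trusted_bundle_names() {
  awk '/^[[:space:]]*-[[:space:]]*configMapName:/ { print $NF }' "$1"
}

# Check that every ConfigMap named in trustedCaBundles of the values file ($1)
# is present in the ConfigMap list ($2, one name per line). A missing ConfigMap
# would otherwise leave the manager pod unable to mount its CA bundle.
check_trusted_bundles() {
  rc=0
  for name in $(trusted_bundle_names "$1"); do
    grep -qx -- "$name" "$2" || { echo "missing ConfigMap: $name" >&2; rc=1; }
  done
  return $rc
}

# Constructed sample inputs (not real cluster output) to exercise the checks.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/cert-manager.values.yaml" <<'EOF'
approveSignerNames:
  - issuers.cert-manager.io/*
  - clusterissuers.cert-manager.io/*
  - venafiissuers.jetstack.io/*
  - venaficlusterissuers.jetstack.io/*
EOF
cat > "$SAMPLE_DIR/enterprise-issuer.values.yaml" <<'EOF'
venafiEnhancedIssuer:
  manager:
    trustedCaBundles:
      - configMapName: ca-cert-vault
        configMapKey: ca.crt
      - configMapName: ca-cert-proxy
        configMapKey: ca.crt
EOF
printf 'ca-cert-vault\nkube-root-ca.crt\n' > "$SAMPLE_DIR/configmaps.txt"  # ca-cert-proxy is absent
check_signer_names "$SAMPLE_DIR/cert-manager.values.yaml" && echo "signer names: ok"
check_trusted_bundles "$SAMPLE_DIR/enterprise-issuer.values.yaml" "$SAMPLE_DIR/configmaps.txt" || echo "trusted bundles: FAIL"
```

Run it against your real values files and a freshly captured configmaps.txt before the helm upgrade in Step 3; the sample run above deliberately reports ca-cert-proxy as missing.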

What's next?

After installing Enterprise Issuer, create a VenafiIssuer or VenafiClusterIssuer resource to start issuing certificates. See Configuring Enterprise Issuer.