Installing Enterprise Issuer for Next-Gen Trust Security using Helm¶
In this tutorial, you'll install Enterprise Issuer in a Kubernetes cluster using Helm, enabling your cluster to request and manage certificates through Next-Gen Trust Security (NGTS).
Prerequisites¶
Before you begin, prepare your environment and configure authentication.
Prepare your environment¶
To install Enterprise Issuer, you must have:
- Access to an NGTS tenant.
kubectland Helm 3.8.0+ on your local machine.- Permission to install Helm charts and custom resource definitions (CRDs) in your Kubernetes cluster.
- cert-manager installed in your cluster.
- A pull secret configured for the NGTS private registry.
Configure authentication¶
To authenticate Enterprise Issuer with NGTS:
- Create a Built-in Account with the
cert-manager Enterprise Issueruse case and scope. - Install Connection for Next-Gen Trust Security (Connection resource). If Enterprise Issuer is the only component using Connection resource, you can also install Connection resource directly from the Helm chart in step 3 of this tutorial.
- Configure Connection resource to authenticate with NGTS using private key JWT or Workload Identity Federation (WIF).
Step 1: (Optional) Reconfigure cert-manager¶
Reconfigure cert-manager to approve requests from Enterprise Issuer's VenafiIssuer and VenafiClusterIssuer, as by default it only approves issuers.cert-manager.io/* and clusterissuers.cert-manager.io/*.
Skip this step if you already configured approveSignerNames during cert-manager installation or you are using Approver Policy, which approves certificate requests from all issuers.
Using the built-in approver
These steps require the built-in approver. If you previously set disableAutoApproval: true in your cert-manager Helm values, remove it before proceeding.
-
Add the following to your
cert-manager.values.yaml:approveSignerNames: - issuers.cert-manager.io/* - clusterissuers.cert-manager.io/* - venafiissuers.jetstack.io/* - venaficlusterissuers.jetstack.io/* -
Upgrade cert-manager with the updated values:
helm upgrade cert-manager oci://registry.ngts.paloaltonetworks.com/charts/cert-manager \ --namespace venafi \ --version v1.21.0 \ --values cert-manager.values.yaml \ --reuse-values
Step 2: (Optional) Create trusted CA bundles¶
If egress traffic in your Kubernetes cluster passes through an HTTP or transparent proxy, or if you use Enterprise Issuer with a HashiCorp Vault instance served by a certificate signed by your company's private CA, you must configure Enterprise Issuer to trust the relevant CA certificates.
Using ConfigMap resources
Unlike cert-manager, which has the caBundle field, Enterprise Issuer requires you to mount CA certificates to its file system at /etc/ssl/certs with ConfigMap resources.
Create a ConfigMap for each CA bundle to trust. You'll reference these in the trustedCaBundles field of the Helm values file in the next step.
HashiCorp Vault¶
kubectl --namespace venafi create configmap ca-cert-vault --from-file=ca.crt=<file-name>
HTTP or transparent proxy¶
kubectl --namespace venafi create configmap ca-cert-proxy --from-file=ca.crt=<file-name>
Step 3: Install Enterprise Issuer¶
Install Enterprise Issuer and configure it to use the pull secret and CA bundles from the prerequisites.
-
Create a file named
enterprise-issuer.values.yamlwith the following contents.- If you did not install Connection resource separately, set
venafiConnection.includetotrueto install the Connection resource CRD and role-based access control. - If you created ConfigMaps in Step 2, uncomment the
trustedCaBundlessection.
enterprise-issuer.values.yamlglobal: imagePullSecrets: - name: ngts-image-pull-secret venafiConnection: include: false # (1)! venafiEnhancedIssuer: manager: image: repository: registry.ngts.paloaltonetworks.com/enterprise-issuer/enterprise-issuer # Add trusted CA bundles created in Step 2: # # trustedCaBundles: # - configMapName: ca-cert-vault # configMapKey: ca.crt # - configMapName: ca-cert-proxy # configMapKey: ca.crt- Set to
trueonly if you did not install Connection resource in the prerequisites.
- If you did not install Connection resource separately, set
-
Install Enterprise Issuer and wait for it to be ready.
- If you mirror images to your own registry, replace
registry.ngts.paloaltonetworks.comwith your registry URL in the values file and the Helm command. - For FIPS-compliant images, append
-fipsto the chart name and each image path, for exampleoci://registry.ngts.paloaltonetworks.com/charts/enterprise-issuer-fips.
helm upgrade enterprise-issuer oci://registry.ngts.paloaltonetworks.com/charts/enterprise-issuer \ --install \ --namespace venafi \ --values enterprise-issuer.values.yaml \ --version v0.21.0 \ --wait - If you mirror images to your own registry, replace
Step 4: Verify the installation¶
Confirm that Enterprise Issuer is running in your cluster.
kubectl get pods -n venafi -l app.kubernetes.io/instance=enterprise-issuer
Successful output is similar to the following:
NAME READY STATUS RESTARTS AGE
enterprise-issuer-6f4b5c8d9f-abcde 1/1 Running 0 2m
What's next?¶
After installing Enterprise Issuer, create a VenafiIssuer or VenafiClusterIssuer resource to start issuing certificates. See Configuring Enterprise Issuer.