Installing Enterprise Issuer for Next-Gen Trust Security using Helm
In this tutorial, you'll install Enterprise Issuer in a Kubernetes cluster using Helm, enabling your cluster to request and manage certificates through Next-Gen Trust Security (NGTS).
Prerequisites
Before you begin, prepare your environment and configure authentication.
Prepare your environment
To install Enterprise Issuer, you must have:
- Access to an NGTS tenant.
- kubectl and Helm 3.8.0+ on your local machine.
- Permission to install Helm charts and custom resource definitions (CRDs) in your Kubernetes cluster.
- cert-manager installed in your cluster.
- A pull secret configured for the NGTS private registry.
Configure authentication
To authenticate Enterprise Issuer with NGTS:
- Create a Built-in Account with the cert-manager Enterprise Issuer use case and scope.
- Install Connection for Next-Gen Trust Security (Connection resource). If Enterprise Issuer is the only component using Connection resource, you can also install Connection resource directly from the Helm chart in step 3 of this tutorial.
- Configure Connection resource to authenticate with NGTS using private key JWT or Workload Identity Federation (WIF).
Step 1: (Optional) Reconfigure cert-manager
Reconfigure cert-manager to approve requests from Enterprise Issuer's VenafiIssuer and VenafiClusterIssuer, as by default it only approves issuers.cert-manager.io/* and clusterissuers.cert-manager.io/*.
Skip this step if you already configured approveSignerNames during cert-manager installation or you are using Approver Policy, which approves certificate requests from all issuers.
Using the built-in approver
These steps require the built-in approver. If you previously set disableAutoApproval: true in your cert-manager Helm values, remove it before proceeding.
- Add the following to your cert-manager.values.yaml:

    approveSignerNames:
      - issuers.cert-manager.io/*
      - clusterissuers.cert-manager.io/*
      - venafiissuers.jetstack.io/*
      - venaficlusterissuers.jetstack.io/*

- Upgrade cert-manager with the updated values:

    helm upgrade cert-manager oci://registry.ngts.paloaltonetworks.com/charts/cert-manager \
      --namespace venafi \
      --version v1.20.2 \
      --values cert-manager.values.yaml \
      --reuse-values
Step 2: (Optional) Create trusted CA bundles
If egress traffic in your Kubernetes cluster passes through an HTTP or transparent proxy, or if you use Enterprise Issuer with a HashiCorp Vault instance served by a certificate signed by your company's private CA, you must configure Enterprise Issuer to trust the relevant CA certificates.
Using ConfigMap resources
Unlike cert-manager, which has the caBundle field, Enterprise Issuer requires you to mount CA certificates to its file system at /etc/ssl/certs with ConfigMap resources.
Create a ConfigMap for each CA bundle to trust. You'll reference these in the trustedCaBundles field of the Helm values file in the next step.
HashiCorp Vault

    kubectl --namespace venafi create configmap ca-cert-vault --from-file=ca.crt=<file-name>

HTTP or transparent proxy

    kubectl --namespace venafi create configmap ca-cert-proxy --from-file=ca.crt=<file-name>
Step 3: Install Enterprise Issuer
Install Enterprise Issuer and configure it to use the pull secret and CA bundles from the prerequisites.
- Create a file named enterprise-issuer.values.yaml with the following contents. If you did not install Connection resource separately, set venafiConnection.include to true to install the Connection resource CRD and role-based access control.

    # enterprise-issuer.values.yaml
    global:
      imagePullSecrets:
        - name: ngts-image-pull-secret
    venafiConnection:
      include: false  # Set to true only if you did not install Connection resource in the prerequisites.
    venafiEnhancedIssuer:
      manager:
        image:
          repository: registry.ngts.paloaltonetworks.com/enterprise-issuer/enterprise-issuer

Adding trusted CA bundles
If you created ConfigMaps in Step 2, add the trustedCaBundles field to your values file under venafiEnhancedIssuer.manager:

    venafiEnhancedIssuer:
      manager:
        trustedCaBundles:
          - configMapName: ca-cert-vault
            configMapKey: ca.crt
          - configMapName: ca-cert-proxy
            configMapKey: ca.crt

- Install Enterprise Issuer and wait for it to be ready.
  - If you mirror images to your own registry, replace registry.ngts.paloaltonetworks.com with your registry URL in the values file and the Helm command.
  - For FIPS-compliant images, append -fips to the chart name and each image path, for example oci://registry.ngts.paloaltonetworks.com/charts/enterprise-issuer-fips.

    helm upgrade enterprise-issuer oci://registry.ngts.paloaltonetworks.com/charts/enterprise-issuer \
      --install \
      --namespace venafi \
      --values enterprise-issuer.values.yaml \
      --version v0.20.0 \
      --wait
Step 4: Verify the installation
Confirm that Enterprise Issuer is running in your cluster.

    kubectl get pods -n venafi -l app.kubernetes.io/instance=enterprise-issuer

Successful output is similar to the following:

    NAME                                 READY   STATUS    RESTARTS   AGE
    enterprise-issuer-6f4b5c8d9f-abcde   1/1     Running   0          2m
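A running pod does not prove that Step 1 and Step 2 took effect. The script below is an added check, not part of the NGTS documentation or the Enterprise Issuer chart: it confirms that cert-manager's controller actually runs with the signer names from Step 1 and that every ConfigMap referenced under trustedCaBundles exists in the namespace. It assumes the cert-manager Deployment is named cert-manager in the venafi namespace and that the Helm value approveSignerNames renders as the controller flag --approve-signer-names.

```shell
#!/bin/sh
# Added post-install check; not part of the NGTS documentation or the Enterprise Issuer chart.
# Verifies that cert-manager's controller runs with the Step 1 signer names, and that every
# ConfigMap named under trustedCaBundles in enterprise-issuer.values.yaml exists. Both checks
# take plain text, so they work on live kubectl output or on a saved copy of it.
set -f  # the signer names contain '*'; never let the shell glob them

REQUIRED_SIGNERS="issuers.cert-manager.io/* clusterissuers.cert-manager.io/* venafiissuers.jetstack.io/* venaficlusterissuers.jetstack.io/*"

# check_signer_names ARGS
# ARGS is the cert-manager controller container's args, one per line. Assumes the Helm value
# approveSignerNames renders as the controller flag --approve-signer-names=a,b,c.
# Returns 0 when every required signer name is present, 1 otherwise.
check_signer_names() {
  flag=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(- \)\{0,1\}--approve-signer-names=//p' | head -n 1)
  [ -n "$flag" ] || { echo "approve-signer-names not set: only the cert-manager defaults are approved" >&2; return 1; }
  for name in $REQUIRED_SIGNERS; do
    found=0
    IFS=','                      # the flag value is comma-separated
    for have in $flag; do
      if [ "$have" = "$name" ]; then found=1; fi
    done
    unset IFS
    [ "$found" -eq 1 ] || { echo "missing signer name: $name" >&2; return 1; }
  done
}

# check_ca_bundles VALUES_TEXT CONFIGMAPS_TEXT
# VALUES_TEXT is the contents of enterprise-issuer.values.yaml in the layout used in Step 3;
# CONFIGMAPS_TEXT is the output of kubectl get configmap -o name (one configmap/<name> per line).
# Returns 1 if a referenced ConfigMap is absent, which would leave the pod unable to mount it.
check_ca_bundles() {
  for cm in $(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*- configMapName:[[:space:]]*//p'); do
    printf '%s\n' "$2" | grep -qxF "configmap/$cm" \
      || { echo "trustedCaBundles references a missing ConfigMap: $cm" >&2; return 1; }
  done
}

# Live mode (./check.sh live): run both checks against the cluster. Assumes the cert-manager
# Deployment is named cert-manager and lives in the venafi namespace like Enterprise Issuer.
if [ "$1" = "live" ]; then
  args=$(kubectl get deploy cert-manager -n venafi \
    -o jsonpath='{range .spec.template.spec.containers[0].args[*]}{@}{"\n"}{end}')
  check_signer_names "$args" || exit 1
  check_ca_bundles "$(cat enterprise-issuer.values.yaml)" \
    "$(kubectl get configmap -n venafi -o name)" || exit 1
  echo "post-install checks passed"
fi
```

Run it with the `live` argument from the directory holding enterprise-issuer.values.yaml after the Step 3 upgrade finishes; a non-zero exit names the first missing signer or ConfigMap.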
What's next?
After installing Enterprise Issuer, create a VenafiIssuer or VenafiClusterIssuer resource to start issuing certificates. See Configuring Enterprise Issuer.