# Installing Enterprise Issuer for Next-Gen Trust Security using Helm

In this tutorial, you'll install Enterprise Issuer in a Kubernetes cluster using Helm, enabling your cluster to request and manage certificates through Next-Gen Trust Security.
## Prerequisites

To complete these steps, you must have:

- On your local machine, `kubectl` and Helm 3.8.0+.
- Permission to install Helm charts and custom resource definitions (CRDs) in your Kubernetes cluster.
- cert-manager installed in your cluster.
- Private registry access through a Built-in Account with the "cert-manager Enterprise Issuer" Use Case and Scope, using `kubectl` to create a pull secret, as described in Configuring Next-Gen Trust Security registry access.
- Access to a Next-Gen Trust Security tenant.
## Step 1: (Optional) Reconfigure cert-manager

Reconfigure cert-manager to approve requests from Enterprise Issuer's VenafiIssuer and VenafiClusterIssuer, as by default it only approves `issuers.cert-manager.io/*` and `clusterissuers.cert-manager.io/*`.

Skip this step if you already configured `approveSignerNames` during cert-manager installation, or if you are using Approver Policy, which approves certificate requests from all issuers.

**Using the built-in approver**

These steps require the built-in approver. If you previously set `disableAutoApproval: true` in your cert-manager Helm values, remove it before proceeding.

1. Add the following to your `cert-manager.values.yaml`:

   ```yaml
   approveSignerNames:
     - issuers.cert-manager.io/*
     - clusterissuers.cert-manager.io/*
     - venafiissuers.jetstack.io/*
     - venaficlusterissuers.jetstack.io/*
   ```

2. Upgrade cert-manager with the updated values:

   ```shell
   helm upgrade cert-manager oci://registry.ngts.paloaltonetworks.com/charts/cert-manager \
     --namespace venafi \
     --version v1.20.0 \
     --values cert-manager.values.yaml \
     --reuse-values
   ```
## Step 2: (Optional) Create trusted CA bundles

If egress traffic in your Kubernetes cluster passes through an HTTP or transparent proxy, or if you use Enterprise Issuer with a HashiCorp Vault instance served by a certificate signed by your company's private CA, you must configure Enterprise Issuer to trust the relevant CA certificates.

**Using ConfigMap resources**

Unlike cert-manager, which has the `caBundle` field, Enterprise Issuer requires you to mount CA certificates into its file system at `/etc/ssl/certs` using ConfigMap resources.

Create a ConfigMap for each CA bundle to trust. You'll reference these in the `trustedCaBundles` field of the Helm values file in the next step.

### HashiCorp Vault

```shell
kubectl --namespace venafi create configmap ca-cert-vault --from-file=ca.crt=<file-name>
```

### HTTP or transparent proxy

```shell
kubectl --namespace venafi create configmap ca-cert-proxy --from-file=ca.crt=<file-name>
```
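Before running the `helm upgrade` in Step 1 or the `kubectl create configmap` commands above, it helps to check the input files offline: that `cert-manager.values.yaml` lists all four signer names and does not disable the built-in approver, and that the file passed as `ca.crt` is actually a PEM bundle (a ConfigMap created from a DER file or an empty file mounts fine but is silently useless at `/etc/ssl/certs`). The script below is an added example, not code from the Enterprise Issuer or cert-manager projects; the file names and the placeholder certificate body are constructed for the demo.

```shell
#!/usr/bin/env bash
# Offline pre-flight checks for the files used in Steps 1 and 2 (added here
# as an example; not part of the Enterprise Issuer or cert-manager projects).

# Verifies that cert-manager.values.yaml lists every signer the built-in
# approver must accept and does not turn the approver off. Returns 0 on pass.
check_approver_values() {
  file="$1"
  [ -r "$file" ] || { echo "$file: not readable" >&2; return 1; }
  rc=0
  for signer in 'issuers.cert-manager.io/*' 'clusterissuers.cert-manager.io/*' \
                'venafiissuers.jetstack.io/*' 'venaficlusterissuers.jetstack.io/*'; do
    # -F matches the literal string, so the trailing '*' is not a regex
    if ! grep -Fq -- "- $signer" "$file"; then
      echo "$file: approveSignerNames is missing '$signer'" >&2
      rc=1
    fi
  done
  if grep -Eq '^[[:space:]]*disableAutoApproval:[[:space:]]*true' "$file"; then
    echo "$file: disableAutoApproval: true turns off the built-in approver" >&2
    rc=1
  fi
  return "$rc"
}

# Verifies that the file passed to --from-file=ca.crt is a PEM bundle with at
# least one certificate and balanced BEGIN/END markers. Returns 0 on pass.
check_ca_bundle() {
  file="$1"
  [ -r "$file" ] || { echo "$file: not readable" >&2; return 1; }
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$file" || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "$file: expected PEM certificate block(s), found $begins BEGIN and $ends END" >&2
    return 1
  fi
  return 0
}

# Demo on constructed input (a placeholder body, not a real certificate).
demo=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-BASE64-BODY' \
              '-----END CERTIFICATE-----' > "$demo"
check_ca_bundle "$demo" && echo "ca bundle check passed for $demo"
rm -f "$demo"
```

Run `check_approver_values cert-manager.values.yaml` and `check_ca_bundle <file-name>` before the corresponding step; a non-zero exit status and the message on stderr tell you what to fix.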
## Step 3: Deploy Enterprise Issuer

This step installs Enterprise Issuer and configures it to use the pull secret and CA bundles from the prerequisites.

1. Create a file named `enterprise-issuer.values.yaml` with the following contents:

   ```yaml
   global:
     imagePullSecrets:
       - name: ngts-image-pull-secret
   venafiConnection:
     # Set to false if Connection for Next-Gen Trust Security CRDs and RBAC
     # are already installed in your cluster.
     include: true
   venafiEnhancedIssuer:
     manager:
       image:
         repository: registry.ngts.paloaltonetworks.com/enterprise-issuer/enterprise-issuer
   ```

   **Adding trusted CA bundles**

   If you created ConfigMaps in Step 2, add the `trustedCaBundles` field to your values file under `venafiEnhancedIssuer.manager`:

   ```yaml
   venafiEnhancedIssuer:
     manager:
       trustedCaBundles:
         - configMapName: ca-cert-vault
           configMapKey: ca.crt
         - configMapName: ca-cert-proxy
           configMapKey: ca.crt
   ```

2. Install Enterprise Issuer and wait for it to be ready.

   - If you mirror images to your own registry, replace `registry.ngts.paloaltonetworks.com` with your registry URL in the values file and the Helm command.
   - For FIPS-compliant images, append `-fips` to the chart name and each image path, for example `oci://registry.ngts.paloaltonetworks.com/charts/enterprise-issuer-fips`.

   ```shell
   helm upgrade enterprise-issuer oci://registry.ngts.paloaltonetworks.com/charts/enterprise-issuer \
     --install \
     --namespace venafi \
     --values enterprise-issuer.values.yaml \
     --version v0.19.1 \
     --wait
   ```
## Step 4: Verify the installation

Confirm that Enterprise Issuer is running in your cluster:

```shell
kubectl get pods -n venafi -l app.kubernetes.io/instance=enterprise-issuer
```

Successful output is similar to the following:

```
NAME                                 READY   STATUS    RESTARTS   AGE
enterprise-issuer-6f4b5c8d9f-abcde   1/1     Running   0          2m
```
## What's next?

After installing Enterprise Issuer, configure it to connect to your Next-Gen Trust Security tenant. See Configuring Enterprise Issuer.