Installing Enterprise Issuer for Next-Gen Trust Security using Helm

In this tutorial, you'll install Enterprise Issuer in a Kubernetes cluster using Helm, enabling your cluster to request and manage certificates through Next-Gen Trust Security.

Prerequisites

To complete these steps, you must have:

  • On your local machine, kubectl and Helm 3.8.0+.
  • Permission to install Helm charts and custom resource definitions (CRDs) in your Kubernetes cluster.
  • cert-manager installed in your cluster.
  • A pull secret for the private registry, created with kubectl from a Built-in Account that has the cert-manager Enterprise Issuer Use Case and Scope, as described in Configuring Next-Gen Trust Security registry access.
  • Access to a Next-Gen Trust Security tenant.

Step 1: (Optional) Create trusted CA bundles

If egress traffic from your Kubernetes cluster passes through an HTTP or transparent proxy, or if you use Enterprise Issuer with a HashiCorp Vault instance that serves a certificate signed by your company's private CA, you must configure Enterprise Issuer to trust the relevant CA certificates.

Using ConfigMap resources

Unlike cert-manager, which has the caBundle field, Enterprise Issuer requires you to mount CA certificates to its file system at /etc/ssl/certs with ConfigMap resources.

Create a ConfigMap for each CA bundle to trust. You'll reference these in the trustedCaBundles field of the Helm values file in the next step.

HashiCorp Vault

kubectl --namespace venafi create configmap ca-cert-vault --from-file=ca.crt=<file-name>

HTTP or transparent proxy

kubectl --namespace venafi create configmap ca-cert-proxy --from-file=ca.crt=<file-name>

Step 2: Deploy Enterprise Issuer

This step installs Enterprise Issuer and configures it to use the pull secret from the prerequisites and, if you created them, the CA bundles from Step 1.

  1. Create a file named enterprise-issuer.values.yaml with the following contents:

    enterprise-issuer.values.yaml
    global:
      imagePullSecrets:
        - name: ngts-image-pull-secret
    
    venafiConnection:
      include: true # (1)!
    
    venafiEnhancedIssuer:
      manager:
        image:
          repository: registry.ngts.paloaltonetworks.com/enterprise-issuer/enterprise-issuer
    
    1. Set to false if Connection for Next-Gen Trust Security CRDs and RBAC are already installed in your cluster.

    Adding trusted CA bundles

    If you created ConfigMaps in Step 1, add the trustedCaBundles field to your values file under venafiEnhancedIssuer.manager:

    venafiEnhancedIssuer:
      manager:
        trustedCaBundles:
          - configMapName: ca-cert-vault
            configMapKey: ca.crt
          - configMapName: ca-cert-proxy
            configMapKey: ca.crt
    
  2. Install Enterprise Issuer and wait for it to be ready.

    • If you mirror images to your own registry, replace registry.ngts.paloaltonetworks.com with your registry URL in the values file and the Helm command.
    • For FIPS-compliant images, append -fips to the chart name and each image path, for example oci://registry.ngts.paloaltonetworks.com/charts/enterprise-issuer-fips.

    helm upgrade enterprise-issuer oci://registry.ngts.paloaltonetworks.com/charts/enterprise-issuer \
        --install \
        --namespace venafi \
        --values enterprise-issuer.values.yaml \
        --version v0.19.1 \
        --wait
    

Step 3: Configure certificate request approval

If you are using Approver Policy, no further action is required because Approver Policy handles approval of certificate requests that reference the VenafiClusterIssuer and VenafiIssuer types.

If you are not using Approver Policy, you must let cert-manager auto-approve the certificate requests that reference the VenafiClusterIssuer and VenafiIssuer types with the following RBAC:

  1. Create a file named enterprise-issuer.rbac.yaml with the following content:

    enterprise-issuer.rbac.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cert-manager-controller-approve:enterprise-issuer
    rules:
      - apiGroups: ["cert-manager.io"]
        resources: ["signers"]
        verbs: ["approve"]
        resourceNames: ["venafiissuers.jetstack.io/*", "venaficlusterissuers.jetstack.io/*"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: cert-manager-controller-approve:enterprise-issuer
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cert-manager-controller-approve:enterprise-issuer
    subjects:
      - name: cert-manager
        namespace: venafi
        kind: ServiceAccount
    
  2. Apply the RBAC configuration:

    kubectl apply -f enterprise-issuer.rbac.yaml
    

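A static least-privilege check for the approval RBAC from Step 3, as an added example that is not part of the Enterprise Issuer documentation. It assumes the manifest has already been parsed into Python dicts (the ones below are constructed inline to match the tutorial's file) and flags any approve permission that is broader than the two Enterprise Issuer signers or bound to anything other than the cert-manager ServiceAccount:

```python
"""Least-privilege check for the signer-approval RBAC from Step 3 (added example,
not part of the Enterprise Issuer documentation). RBAC_DOCS is constructed inline
and mirrors what yaml.safe_load_all would return for enterprise-issuer.rbac.yaml,
so the check runs without a cluster."""

# The only signers cert-manager needs to approve on behalf of Enterprise Issuer.
ENTERPRISE_ISSUER_SIGNERS = {
    "venafiissuers.jetstack.io/*",
    "venaficlusterissuers.jetstack.io/*",
}

ROLE_NAME = "cert-manager-controller-approve:enterprise-issuer"
RBAC_DOCS = [  # constructed: same content as the tutorial's manifest
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": ROLE_NAME},
     "rules": [{"apiGroups": ["cert-manager.io"], "resources": ["signers"],
                "verbs": ["approve"],
                "resourceNames": sorted(ENTERPRISE_ISSUER_SIGNERS)}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": ROLE_NAME},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                 "name": ROLE_NAME},
     "subjects": [{"name": "cert-manager", "namespace": "venafi",
                   "kind": "ServiceAccount"}]},
]

def lint_approval_rbac(docs, cert_manager_namespace="venafi"):
    """Return findings (an empty list means the manifest is as tight as Step 3 intends)."""
    findings = []
    roles = {d["metadata"]["name"]: d for d in docs if d.get("kind") == "ClusterRole"}
    for name, role in roles.items():
        for rule in role.get("rules", []):
            if not set(rule.get("resources", [])) & {"signers", "*"}:
                continue  # not an approval rule
            if "*" in rule.get("resources", []) or "*" in rule.get("apiGroups", []):
                findings.append(f"{name}: wildcard resources/apiGroups on a signers rule")
            if set(rule.get("verbs", [])) != {"approve"}:
                findings.append(f"{name}: verbs {sorted(rule.get('verbs', []))}, expected ['approve']")
            signers = set(rule.get("resourceNames", []))
            if not signers:
                findings.append(f"{name}: no resourceNames, so any signer can be approved")
            elif signers - ENTERPRISE_ISSUER_SIGNERS:
                findings.append(f"{name}: extra signers {sorted(signers - ENTERPRISE_ISSUER_SIGNERS)}")
    for binding in (d for d in docs if d.get("kind") == "ClusterRoleBinding"):
        expected = ("ServiceAccount", "cert-manager", cert_manager_namespace)
        for s in binding.get("subjects", []):  # only the cert-manager SA may approve
            if (s.get("kind"), s.get("name"), s.get("namespace")) != expected:
                findings.append(f"{binding['metadata']['name']}: unexpected subject {s}")
    return findings
```

Pass `cert_manager_namespace` explicitly if cert-manager runs somewhere other than the venafi namespace used in this tutorial.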
Step 4: Verify the installation

Confirm that Enterprise Issuer is running in your cluster.

kubectl get pods -n venafi -l app.kubernetes.io/instance=enterprise-issuer

Successful output is similar to the following:

NAME                                        READY   STATUS    RESTARTS   AGE
enterprise-issuer-6f4b5c8d9f-abcde          1/1     Running   0          2m

What's next?

After installing Enterprise Issuer, configure it to connect to your Next-Gen Trust Security tenant. See Configuring Enterprise Issuer.