About custom CA bundles¶
Some Next-Gen Trust Security (NGTS) components connect to internal services such as HashiCorp Vault, or to external services including NGTS itself or public CAs. If these services use certificates issued by a private CA, you must configure a custom CA bundle so that the components trust those certificates.
If your clusters route egress traffic through an HTTP proxy or transparent proxy that terminates TLS with a private CA, you also need a custom CA bundle so the components trust the certificates your proxy presents. Otherwise, external connections are trusted automatically.
Components using internal or external services¶
The following table lists NGTS components that require access to an external internet service or an internal service:
| Component | Uses external service? | Uses internal service? | CA configuration |
|---|---|---|---|
| cert-manager | Yes for external CAs such as Let's Encrypt | Yes for HashiCorp Vault | Not required for enterprise use cases. |
| Enterprise Issuer for Next-Gen Trust Security | Yes (NGTS) | No | Yes, see configuration steps |
| Distributed Issuer | Yes (NGTS) | No | Yes, see configuration steps |
| Discovery Agent | Yes (NGTS) | No | Yes, see configuration steps |