
Custom CA bundles

Next-Gen Trust Security Kubernetes components may need to connect to your internal services, such as HashiCorp Vault. For the HTTPS connection to succeed, the component must trust the certificate chain that the service presents during the TLS handshake; if it does not, the handshake fails and the integration does not work.

In many cases these internal services use certificates issued by a private CA that is not in the default trust store. In that case you must configure a custom CA bundle containing your private CA certificates so that the components can trust them.

The NGTS components may also need to connect to HTTPS services on the internet, such as Next-Gen Trust Security itself or public CAs. These connections are trusted by default, because the public CAs that issue those certificates are already present in the trust store shipped with the component images. The exception is a Kubernetes cluster whose egress traffic control (an HTTP proxy or a transparent proxy) terminates TLS and re-signs the connection with a private CA: the component then sees a certificate issued by the proxy's CA rather than by a public CA, and rejects it. In that case you must configure a custom CA bundle containing the proxy's CA so that the components trust the certificates presented by your proxy.

The following table lists NGTS components that require access to an external internet service or an internal service:

| Component | Uses an external internet service? | Uses an internal service? |
|---|---|---|
| cert-manager | Yes (external CAs such as Let's Encrypt) | Yes (HashiCorp Vault) |
| Enterprise Issuer for Next-Gen Trust Security | Yes (Next-Gen Trust Security) | No |
| Discovery Agent | Yes (Next-Gen Trust Security) | No |

For deployments in which a transparent proxy or an HTTP proxy controls egress traffic and terminates TLS with a private CA, you must configure a CA bundle containing that proxy's CA for every component that connects to Palo Alto Networks services.