Next-Gen Trust Security Kubernetes components overview

Next-Gen Trust Security (NGTS) supports the following Kubernetes components to manage certificates and machine identities in your clusters.

Approver Policy

Approver Policy is a cert-manager approver that approves or denies certificate requests based on policies defined in your cluster.

Latest release: v0.25.1 — 1 May, 2026

cert-manager

cert-manager is an enterprise Kubernetes component that adds certificates and issuers as resource types in your clusters. It can request certificates from CAs configured in NGTS or manage them independently.

Latest release: v1.20.2 — 11 April, 2026

CSI Driver

CSI Driver is a Container Storage Interface (CSI) driver that provisions X.509 certificate key pairs to pods using cert-manager. Private keys and signed certificates are stored on the node where the pod runs and match the pod's lifecycle.

Latest release: v0.15.0 — 21 May, 2026

CSI Driver for SPIFFE

CSI Driver for SPIFFE is a CSI driver that provisions SPIFFE Verifiable Identity Documents (SVIDs) as X.509 certificate key pairs to pods using cert-manager. It includes a built-in approver that replaces cert-manager's approver, and embeds identities from a configured SPIFFE trust domain into each pod's certificate.

Latest release: v0.12.0 — 9 March, 2026

Connection for Next-Gen Trust Security

Connection for Next-Gen Trust Security (or Connection resource) is a custom resource that manages authentication between components in your cluster and NGTS. Discovery Agent, Distributed Issuer, and Enterprise Issuer all use the Connection resource to authenticate.

Latest release: v0.6.0 — 30 April, 2026

Distributed Issuer

Distributed Issuer is a lightweight certificate issuer that operates in Kubernetes, OpenShift, and other cloud-native environments to deliver X.509 certificates over gRPC or REST with no external dependencies. Distributed Issuer was formerly known as Firefly.

Latest release: v1.12.0 — 9 June, 2026

Discovery Agent

Discovery Agent for Next-Gen Trust Security connects your clusters to NGTS and continuously gathers certificate, ingress, and other data about machine identities. You view the discovered data in the NGTS user interface.

Latest release: 1.11.0 — 4 June, 2026

Enterprise Issuer for Next-Gen Trust Security

Enterprise Issuer for Next-Gen Trust Security is a cert-manager issuer that allows your clusters to request certificates from CAs managed in NGTS, following centrally managed policies. It supports cluster-wide or per-namespace issuance.

Latest release: v0.20.0 — 1 June, 2026

Istio CSR

Istio CSR is an alternative to Istio's built-in CA server that delegates certificate signing to cert-manager. This allows Istio workloads to use any cert-manager-supported issuer, including enterprise CAs that store sensitive signing keys outside the cluster.

Latest release: v0.16.0 — 9 March, 2026

OpenShift Routes for cert-manager

OpenShift Routes for cert-manager automatically provisions and renews certificates for OpenShift routes from any cert-manager issuer when you annotate a route, similar to how ingress or gateway resources work in Kubernetes.

Latest release: v0.9.0 — 9 March, 2026

Trust Manager

Trust Manager is a Kubernetes operator that combines trusted X.509 certificates from various sources into bundles and distributes them as ConfigMaps across your cluster. It works alongside cert-manager but can also operate independently.

Latest release: v0.22.1 — 17 April, 2026