Next-Gen Trust Security Kubernetes components overview

Next-Gen Trust Security (NGTS) supports the following Kubernetes components to manage certificates and machine identities in your clusters.

Approver Policy

Approver Policy is a cert-manager approver that approves or denies certificate requests based on policies defined in your cluster.

Latest release: v0.24.0 — 9 March, 2026

cert-manager

cert-manager is an enterprise Kubernetes component that adds certificates and issuers as resource types in your clusters. It can request certificates from CAs configured in Next-Gen Trust Security or manage them independently.

Latest release: v1.20.0 — 9 March, 2026

CSI Driver

CSI Driver is a Container Storage Interface (CSI) driver that provisions X.509 certificate key pairs to pods using cert-manager. Private keys and signed certificates are stored on the node where the pod runs and match the pod's lifecycle.

Latest release: v0.14.0 — 9 March, 2026

CSI Driver for SPIFFE

CSI Driver for SPIFFE is a CSI driver that provisions SPIFFE Verifiable Identity Documents (SVIDs) as X.509 certificate key pairs to pods using cert-manager. It includes a built-in approver that replaces cert-manager's approver, and embeds identities from a configured SPIFFE trust domain into each pod's certificate.

Latest release: v0.12.0 — 9 March, 2026

Connection for Next-Gen Trust Security

Connection for Next-Gen Trust Security (or Connection resource) is a custom resource that manages authentication between components in your cluster and Next-Gen Trust Security. Discovery Agent, Distributed Issuer, and Enterprise Issuer all use the Connection resource to authenticate.

Latest release: v0.6.0 — 30 April, 2026

Distributed Issuer

Distributed Issuer is a lightweight certificate issuer that operates in Kubernetes, OpenShift, and other cloud-native environments to deliver X.509 certificates over gRPC or REST with no external dependencies. Distributed Issuer was formerly known as Firefly.

Latest release: v1.11.0 — 14 April, 2026

Discovery Agent

Discovery Agent for Next-Gen Trust Security connects your clusters to Next-Gen Trust Security and continuously gathers certificate, ingress, and other data about machine identities. You view the discovered data in the Next-Gen Trust Security user interface.

Latest release: 1.10.0 — 7 May, 2026

Enterprise Issuer for Next-Gen Trust Security

Enterprise Issuer for Next-Gen Trust Security is a cert-manager issuer that allows your clusters to request certificates from CAs managed in Next-Gen Trust Security, following centrally managed policies. It supports cluster-wide or per-namespace issuance.

Latest release: v0.19.1 — 8 May, 2026

Istio CSR

Istio CSR is an alternative to Istio's built-in CA server that delegates certificate signing to cert-manager. This allows Istio workloads to use any cert-manager-supported issuer, including enterprise CAs that store sensitive signing keys outside the cluster.

Latest release: v0.16.0 — 9 March, 2026

OpenShift Routes for cert-manager

OpenShift Routes for cert-manager automatically provisions and renews certificates for OpenShift routes from any cert-manager issuer when you annotate a route, similar to how ingress or gateway resources work in Kubernetes.

Latest release: v0.9.0 — 9 March, 2026

Trust Manager

Trust Manager is a Kubernetes operator that combines trusted X.509 certificates from various sources into bundles and distributes them as ConfigMaps across your cluster. It works alongside cert-manager but can also operate independently.

Latest release: v0.22.0 — 9 March, 2026