
Installing Trust Manager using Helm

In this tutorial, you'll use Helm to install Trust Manager, which distributes trust bundles across your Kubernetes cluster. The Helm chart includes a publicly trusted certificate bundle derived from Debian containers.

Prerequisites

To complete these steps, you must have:

  • A Kubernetes cluster.
  • On your local machine, kubectl and Helm 3.8.0+.
  • Permission to install Helm charts in your cluster.
  • cert-manager installed in your cluster. cert-manager handles rotation of the certificates used by Trust Manager's webhook. To run Trust Manager standalone in a non-production environment, see the install step.
  • Private registry access, configured as described in Configuring Next-Gen Trust Security registry access: a Built-in Account with the OCI Registry Use Case and the cert-manager Components Scope, with the pull secret created using kubectl.
  • Access to a Next-Gen Trust Security tenant.

Step 1: Install Trust Manager

  1. Create a file named trust-manager.values.yaml to configure the image sources and pull secret.

    If using your own registry, uncomment and set imageRegistry and imageNamespace for the Helm chart to resolve image references.

    trust-manager.values.yaml
    app:
      trust:
        namespace: venafi
    image:
      repository: registry.ngts.paloaltonetworks.com/trust-manager/trust-manager
    defaultPackageImage:
      repository: registry.ngts.paloaltonetworks.com/trust-manager/trust-pkg-debian-bookworm
    imagePullSecrets:
      - name: ngts-image-pull-secret
    
    # Add if using your own registry
    # imageRegistry: myregistry.example.com
    # imageNamespace: trust-manager
    
    Installing versions older than v0.16.0

    For v0.16.0 or earlier, specify a tag for the default package image:

    defaultPackageImage:
      repository: registry.ngts.paloaltonetworks.com/trust-manager/trust-pkg-debian-bookworm
      tag: "20230311.0"
    
  2. Install Trust Manager and wait for it to be ready.

    • If you mirror images to your own registry, replace registry.ngts.paloaltonetworks.com with your registry URL in the values file and the Helm command.
    • For FIPS-compliant images, use the chart trust-manager-fips and set the image repository to registry.ngts.paloaltonetworks.com/trust-manager/trust-manager-fips.
    helm upgrade trust-manager oci://registry.ngts.paloaltonetworks.com/charts/trust-manager \
      --install \
      --wait \
      --namespace venafi \
      --version v0.22.0 \
      --values trust-manager.values.yaml
    

    As of v0.12.0, you can install Trust Manager without cert-manager with Helm's built-in certificate generation for the webhook. This is not recommended for production because Helm does not automatically rotate the certificate.

    helm upgrade trust-manager oci://registry.ngts.paloaltonetworks.com/charts/trust-manager \
      --install \
      --wait \
      --namespace venafi \
      --version v0.22.0 \
      --values trust-manager.values.yaml \
      --set app.webhook.tls.helmCert.enabled=true
    
  3. To verify a successful installation, check that the Trust Manager pod is running in the venafi namespace and that it reaches a ready state.
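The three steps above, carried through as an added example (not code from the original page or from the Trust Manager project): it renders trust-manager.values.yaml for the default registry, a mirror, or the FIPS image, builds the helm upgrade command with or without the Helm-generated webhook certificate, and turns step 3 into a scripted readiness check. The function names and argument layout are this script's own, and the pod label selector app.kubernetes.io/name=trust-manager is an assumption about the chart's labels, not something the page states.

```shell
#!/bin/sh
# Added example, not from the original page or the Trust Manager project:
# renders trust-manager.values.yaml (step 1), builds the Helm command (step 2)
# and checks pod readiness (step 3). Assumptions not on the page: the function
# names/arguments are this script's own, and the label selector
# app.kubernetes.io/name=trust-manager is assumed from the chart's labels.
set -eu

NAMESPACE="venafi"
CHART_VERSION="v0.22.0"
DEFAULT_REGISTRY="registry.ngts.paloaltonetworks.com"
VALUES_FILE="trust-manager.values.yaml"

# render_values REGISTRY FIPS
#   REGISTRY: registry hostname (the page's default, or your own mirror)
#   FIPS:     1 to use the trust-manager-fips image, 0 otherwise
# Prints the values file from step 1. For a mirror, imageRegistry and
# imageNamespace are emitted uncommented so the chart can resolve images.
render_values() {
  registry="$1"
  fips="$2"
  image="trust-manager"
  if [ "$fips" = "1" ]; then
    image="trust-manager-fips"
  fi
  cat <<EOF
app:
  trust:
    namespace: ${NAMESPACE}
image:
  repository: ${registry}/trust-manager/${image}
defaultPackageImage:
  repository: ${registry}/trust-manager/trust-pkg-debian-bookworm
imagePullSecrets:
  - name: ngts-image-pull-secret
EOF
  if [ "$registry" != "$DEFAULT_REGISTRY" ]; then
    printf 'imageRegistry: %s\nimageNamespace: trust-manager\n' "$registry"
  fi
}

# helm_install_cmd REGISTRY FIPS HELM_CERT
#   HELM_CERT: 1 to let Helm generate the webhook certificate instead of
#              cert-manager (the page notes this is not for production because
#              Helm never rotates it)
# Prints the helm upgrade --install command from step 2.
helm_install_cmd() {
  registry="$1"
  fips="$2"
  helm_cert="$3"
  chart="trust-manager"
  if [ "$fips" = "1" ]; then
    chart="trust-manager-fips"
  fi
  cmd="helm upgrade trust-manager oci://${registry}/charts/${chart} --install --wait"
  cmd="${cmd} --namespace ${NAMESPACE} --version ${CHART_VERSION} --values ${VALUES_FILE}"
  if [ "$helm_cert" = "1" ]; then
    cmd="${cmd} --set app.webhook.tls.helmCert.enabled=true"
  fi
  printf '%s\n' "$cmd"
}

# pods_ready STATUSES
# STATUSES is the space-separated Ready condition of each pod, as printed by:
#   kubectl -n venafi get pods -l app.kubernetes.io/name=trust-manager \
#     -o jsonpath='{range .items[*]}{.status.conditions[?(@.type=="Ready")].status}{" "}{end}'
# Succeeds only when at least one pod was listed and every one is Ready=True,
# so an empty pod list (nothing scheduled yet) is reported as not ready.
pods_ready() {
  count=0
  for status in $1; do
    count=$((count + 1))
    [ "$status" = "True" ] || return 1
  done
  [ "$count" -gt 0 ]
}

# End-to-end use: ./install.sh run [REGISTRY] [FIPS] [HELM_CERT]
# Needs helm and kubectl on PATH and the pull secret already in the namespace.
if [ "${1:-}" = "run" ]; then
  registry="${2:-$DEFAULT_REGISTRY}"
  render_values "$registry" "${3:-0}" > "$VALUES_FILE"
  sh -c "$(helm_install_cmd "$registry" "${3:-0}" "${4:-0}")"
  statuses="$(kubectl -n "$NAMESPACE" get pods -l app.kubernetes.io/name=trust-manager \
    -o jsonpath='{range .items[*]}{.status.conditions[?(@.type=="Ready")].status}{" "}{end}')"
  if pods_ready "$statuses"; then
    echo "trust-manager is ready"
  else
    echo "trust-manager not ready (Ready conditions: '$statuses')" >&2
    exit 1
  fi
fi
```

Running `./install.sh run myregistry.example.com 1` writes a values file pointing every image at the mirror with the FIPS controller image and installs the trust-manager-fips chart; `./install.sh run` with no arguments reproduces the page's default command. The readiness function is deliberately strict about an empty pod list, since `--wait` returning does not by itself prove a pod exists if the selector is wrong.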

Additional configuration

The following options are available after installing Trust Manager.

Secret targets

Secret targets are supported in Trust Manager v0.7.0 or later, but you must explicitly enable them on the controller with the Helm value --set secretTargets.enabled=true. Because the controller then needs RBAC permission to read and update Secrets, you must also set either secretTargets.authorizedSecretsAll or secretTargets.authorizedSecrets.

Approver Policy integration

If you're running Approver Policy, cert-manager's default approver is disabled. As a result, the Helm chart install blocks by default on Trust Manager's webhook certificate until that certificate is manually approved.

As of Trust Manager v0.6.0, when you use Approver Policy you can add --set app.webhook.tls.approverPolicy.enabled=true to the helm upgrade command. This automatically creates an Approver Policy CertificateRequestPolicy that approves the Trust Manager webhook certificate.