Venafi Kubernetes components that connect to other services
Venafi Kubernetes components may need to connect to your internal services such as TLS Protect Datacenter or HashiCorp Vault. To establish a secure HTTPS connection, it is critical that the certificates used by any service integrated with Venafi Kubernetes components are trusted by those components. In many cases, these internal services use certificates issued by private CAs. In such instances, you will need to configure a custom CA bundle to ensure that the Venafi Kubernetes components can trust your private CAs.
Venafi Kubernetes components may also need to connect to HTTPS services on the Internet, such as the Venafi Control Plane or public CAs for certificate issuance. These connections are usually automatically trusted by the Venafi Kubernetes components unless your Kubernetes clusters are configured to use some form of egress traffic control that terminates TLS connections using a private CA. Egress traffic control can be an HTTP proxy or a transparent proxy. In such cases, you will need to configure a custom CA bundle to connect to your internal HTTP or transparent proxy.
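The following Go program is an added illustration of the trust check described above; it is not code from the Venafi components or from this documentation. It creates a throwaway private root CA, has it issue a server certificate for a hypothetical internal hostname (`tpp.corp.example`, a constructed name), and then verifies that certificate the way a Go TLS client such as cert-manager does during the handshake: once with a CA bundle that does not contain the private CA (the connection is rejected as signed by an unknown authority), once with a bundle that does (accepted), and once against the wrong hostname (rejected even though the CA is trusted, the situation you see when a TLS-terminating proxy presents a certificate for its own name). The CA, hostnames and certificate contents are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Cert holds a parsed certificate, its PEM encoding and (for CAs we operate) its key.
type Cert struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	PEM  []byte
}

// sign creates a certificate from tmpl, signed by parent, or self-signed when parent is nil.
func sign(tmpl *x509.Certificate, parent *Cert) (*Cert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Cert{Cert: cert, Key: key, PEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}, nil
}

// NewPrivateCA is a throwaway self-signed root standing in for a corporate private CA
// (constructed for this example; not a customer or Venafi CA).
func NewPrivateCA(name string) (*Cert, error) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
}

// IssueServerCert has the private CA issue a leaf for an internal HTTPS endpoint
// (a TLS Protect Datacenter server, a Vault server or a TLS-terminating egress proxy).
func IssueServerCert(ca *Cert, dnsName string) (*Cert, error) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
}

// VerifyWithBundle performs the check a Go TLS client makes during the handshake: chain
// the presented leaf to a root in bundlePEM and match serverName against its SANs.
// An empty bundle models a trust store that contains no private CAs.
func VerifyWithBundle(leafPEM, bundlePEM []byte, serverName string) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("leaf: no PEM certificate found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool() // never nil: a nil Roots silently falls back to the system store
	if len(bundlePEM) > 0 && !roots.AppendCertsFromPEM(bundlePEM) {
		return errors.New("bundle: no PEM certificates parsed")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	ca, err := NewPrivateCA("Example Corp Private Root CA")
	if err != nil {
		panic(err)
	}
	host := "tpp.corp.example" // hypothetical internal hostname, constructed for the example
	leaf, err := IssueServerCert(ca, host)
	if err != nil {
		panic(err)
	}
	fmt.Println("bundle without private CA:", VerifyWithBundle(leaf.PEM, nil, host))
	fmt.Println("bundle with private CA:   ", VerifyWithBundle(leaf.PEM, ca.PEM, host))
	fmt.Println("wrong hostname:           ", VerifyWithBundle(leaf.PEM, ca.PEM, "proxy.corp.example"))
}
```

The first call fails with `x509: certificate signed by unknown authority`, which is the error a component logs when its CA bundle lacks the private CA that issued the internal service's (or the proxy's) certificate; the second succeeds; the third fails with a hostname mismatch, so a correct bundle does not help when the certificate presented is for a different name than the one the component dials. Note that the verifier deliberately starts from an empty pool rather than a nil one: in Go, a nil `Roots` means "use the system trust store", which is easy to mistake for a working custom bundle.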
The following table lists those Venafi Kubernetes components that currently require access to an external internet service, or an internal service:
| Component | Uses external internet service | Uses internal service |
|---|---|---|
| Approver Policy Enterprise | Yes (Venafi Control Plane) | No |
| cert-manager | Yes (external CAs such as Let's Encrypt) | Yes (TLS Protect Datacenter, HashiCorp Vault) |
| Venafi Enhanced Issuer | Yes (Venafi Control Plane) | No |
| Venafi Kubernetes Agent | Yes (Venafi Control Plane) | No |
For deployments that use transparent proxies or HTTP proxies to control egress traffic, you must also configure a CA bundle for the components that connect to Venafi services.
Follow the links below for instructions on configuring Venafi Kubernetes components to use custom CA bundles:
- Installing Approver Policy Enterprise using Helm
- Installing Approver Policy Enterprise using the Venafi CLI tool
- Installing cert-manager using Helm
- Installing cert-manager using the Venafi CLI tool
- Venafi CLI tool
- Installing Venafi Enhanced Issuer using Helm
- Installing Venafi Enhanced Issuer using the Venafi CLI tool
- Installing Venafi Kubernetes Agent using Helm
- Installing Venafi Kubernetes Agent using the Venafi CLI tool