
Venafi Kubernetes components that connect to other services

Venafi Kubernetes components may need to connect to your internal services, such as TLS Protect Datacenter or HashiCorp Vault. When a component opens an HTTPS connection it validates the certificate presented by the service, so that certificate must chain to a CA the component trusts; otherwise the TLS handshake fails and the integration does not work. In many cases, these internal services use certificates issued by private CAs that are not in the component's default trust store. In such instances, you will need to configure a custom CA bundle containing those private CAs so that the Venafi Kubernetes components can trust them.

Venafi Kubernetes components may also need to connect to HTTPS services on the Internet, such as the Venafi Control Plane or public CAs used for certificate issuance. These connections are normally trusted automatically, because the services present certificates from public CAs. The exception is a cluster whose egress traffic passes through an HTTP proxy or a transparent proxy that terminates TLS: such a proxy re-signs the server certificate with its own private CA, so the component sees a private-CA chain even for a public host name and rejects it. In that case, you will need to add the proxy's CA to a custom CA bundle so the components can connect through it. Keep in mind that a TLS-terminating proxy becomes the party that validates the upstream certificate, so the component's trust in the destination is only as good as the proxy's own validation.
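The following script is an added example, not code from the Venafi documentation or product. It reproduces the two situations above with throwaway CAs: an internal service whose certificate comes from a corporate private CA, and an egress proxy that terminates TLS and re-signs a public endpoint with its own CA. It then shows that a bundle holding only the corporate CA trusts the first but not the second, and renders the complete bundle as a ConfigMap. It requires openssl; the CA names, host names, ConfigMap name and the `ca-bundle.pem` key are assumptions, since each component's own documentation says which key and mount path it reads.

```shell
#!/usr/bin/env bash
# Added example, not part of the Venafi documentation or product code.
# Requires openssl. All CA names, host names and Kubernetes names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed private root CA (stand-in for the corporate PKI that
# issued the TLS Protect Datacenter or Vault certificate).
make_private_ca() {            # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a leaf certificate for a host name from one of those CAs.
issue_server_cert() {          # $1 = CA name, $2 = DNS name of the service
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$2.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -extfile "$WORK/$2.ext" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# Concatenate CA certificates into one PEM bundle; prints the certificate count.
build_bundle() {               # $1 = output file, $2.. = CA certificate files
  local out="$1"; shift
  cat "$@" > "$out"
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# Return 0 when the leaf certificate chains to a CA in the bundle.
# The ": OK" line is checked rather than the exit code, which older
# openssl releases did not set reliably.
trusted_by() {                 # $1 = bundle file, $2 = leaf certificate
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep ': OK$' >/dev/null
}

# Render the bundle as a ConfigMap. The key name ca-bundle.pem is an assumption;
# the per-component documentation says which key and mount path each one reads.
bundle_configmap() {           # $1 = bundle file, $2 = ConfigMap name, $3 = namespace
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: %s\n' "$2" "$3"
  printf 'data:\n  ca-bundle.pem: |\n'
  sed 's/^/    /' "$1"
}

# Scenario 1: an internal service (Vault) with a certificate from the corporate CA.
make_private_ca corp-root-ca
issue_server_cert corp-root-ca vault.internal.example
VAULT_CERT="$WORK/vault.internal.example.crt"

# Scenario 2: an egress proxy that terminates TLS and re-signs the (made-up)
# control-plane endpoint with its own CA, so a public host presents a private chain.
make_private_ca egress-proxy-ca
issue_server_cert egress-proxy-ca control-plane.venafi.example
PROXY_CERT="$WORK/control-plane.venafi.example.crt"

CORP_BUNDLE="$WORK/corp-only.pem"
FULL_BUNDLE="$WORK/full.pem"
build_bundle "$CORP_BUNDLE" "$WORK/corp-root-ca.crt" >/dev/null
build_bundle "$FULL_BUNDLE" "$WORK/corp-root-ca.crt" "$WORK/egress-proxy-ca.crt" >/dev/null

# A bundle with only the corporate CA trusts Vault but not the proxied endpoint;
# the full bundle trusts both.
trusted_by "$CORP_BUNDLE" "$VAULT_CERT" && echo "vault: trusted by corp-only bundle"
trusted_by "$CORP_BUNDLE" "$PROXY_CERT" || echo "proxied control plane: NOT trusted by corp-only bundle"
trusted_by "$FULL_BUNDLE" "$PROXY_CERT" && echo "proxied control plane: trusted by full bundle"
bundle_configmap "$FULL_BUNDLE" venafi-ca-bundle venafi > "$WORK/cm.yaml"
echo "ConfigMap rendered with $(grep -c 'BEGIN CERTIFICATE' "$WORK/cm.yaml") certificates"
```

The same `openssl verify -CAfile` check is a quick way to confirm, before deploying a bundle, that the certificate an internal service or proxy actually presents (for example one saved with `openssl s_client -showcerts`) chains to something in that bundle.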

The following table lists the Venafi Kubernetes components that currently require access to an external Internet service or an internal service:

| Component | Uses external Internet service | Uses internal service |
|---|---|---|
| Approver Policy Enterprise | Yes (Venafi Control Plane) | No |
| cert-manager | Yes (external CAs such as Let's Encrypt) | Yes (TLS Protect Datacenter, HashiCorp Vault) |
| Venafi Enhanced Issuer | Yes (Venafi Control Plane) | No |
| Venafi Kubernetes Agent | Yes (Venafi Control Plane) | No |

In deployments where egress traffic is controlled by a transparent proxy or an HTTP proxy that terminates TLS, every component in the table that connects to Venafi services must be configured with a CA bundle that includes the proxy's CA.

Follow the links below for instructions on configuring Venafi Kubernetes components to use custom CA bundles: