Installing CSI Driver using Helm
In this tutorial, you'll use Helm to install CSI Driver, which enables secretless X.509 certificate issuance for pods.
Prerequisites
To complete these steps, you must have:
- A Kubernetes 1.19+ cluster.
- On your local machine, `kubectl` and Helm 3.8.0+.
- Permission to install Helm charts on your Kubernetes cluster.
- As described in Configuring Next-Gen Trust Security registry access, private registry access through a Built-in Account with the OCI Registry Use Case and cert-manager Components Scope, using `kubectl` to create a pull secret.
Step 1: Install cert-manager
CSI Driver requires cert-manager. Choose the method that matches your cert-manager version.
- To install cert-manager and configure it to use a pull secret, create `cert-manager.values.yaml`.

  ```yaml
  global:
    imagePullSecrets:
      - name: ngts-image-pull-secret
  crds:
    enabled: true
  # Add if using your own registry
  # imageRegistry: myregistry.example.com
  # imageNamespace: cert-manager
  ```

- Install cert-manager and wait for it to be ready:

  ```bash
  helm upgrade cert-manager oci://registry.ngts.paloaltonetworks.com/charts/cert-manager \
    --install \
    --wait \
    --create-namespace \
    --namespace venafi \
    --values cert-manager.values.yaml \
    --version v1.20.0
  ```

Prior to cert-manager v1.20, you specify the full image path for each component in the values file.
- To install cert-manager in the `venafi` namespace and configure it to use a pull secret, create `cert-manager.values.yaml`. If using your own registry, replace `registry.ngts.paloaltonetworks.com` with your registry URL.

  ```yaml
  global:
    imagePullSecrets:
      - name: ngts-image-pull-secret
  crds:
    enabled: true
  image:
    repository: registry.ngts.paloaltonetworks.com/cert-manager/cert-manager-controller
  acmesolver:
    image:
      repository: registry.ngts.paloaltonetworks.com/cert-manager/cert-manager-acmesolver
  webhook:
    image:
      repository: registry.ngts.paloaltonetworks.com/cert-manager/cert-manager-webhook
  cainjector:
    image:
      repository: registry.ngts.paloaltonetworks.com/cert-manager/cert-manager-cainjector
  startupapicheck:
    image:
      repository: registry.ngts.paloaltonetworks.com/cert-manager/cert-manager-startupapicheck
  ```

- Install cert-manager and wait for it to be ready:

  ```bash
  helm upgrade cert-manager oci://registry.ngts.paloaltonetworks.com/charts/cert-manager \
    --install \
    --wait \
    --create-namespace \
    --namespace venafi \
    --values cert-manager.values.yaml \
    --version vX.X.X
  ```

Step 2: Install CSI Driver
- Install CSI Driver and wait for it to be ready.

  - If you mirror images to your own registry, replace `registry.ngts.paloaltonetworks.com` with your registry URL.
  - For FIPS-compliant images, append `-fips` to the chart name and each image path in the command, for example `registry.ngts.paloaltonetworks.com/csi-driver/cert-manager-csi-driver-fips`.

  FIPS Helm chart: The FIPS-compliant Helm chart is available starting from v0.14.0.

  ```bash
  helm upgrade cert-manager-csi-driver oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-csi-driver \
    --install \
    --namespace venafi \
    --set image.repository=registry.ngts.paloaltonetworks.com/csi-driver/cert-manager-csi-driver \
    --set livenessProbeImage.repository=registry.ngts.paloaltonetworks.com/csi-driver/livenessprobe \
    --set nodeDriverRegistrarImage.repository=registry.ngts.paloaltonetworks.com/csi-driver/csi-node-driver-registrar \
    --set 'imagePullSecrets[0].name=ngts-image-pull-secret' \
    --version v0.14.0 \
    --wait
  ```

Step 3: Verify the installation
- Check for the CSIDriver resource:

  ```bash
  kubectl get csidrivers
  ```

  Successful output is similar to the following:

  ```
  NAME                  CREATED AT
  csi.cert-manager.io   2025-09-06T16:55:19Z
  ```

- Check that a CSINode resource exists for each node:

  ```bash
  kubectl get csinodes -o yaml
  ```

  Successful output is similar to the following:

  ```yaml
  apiVersion: v1
  items:
  - apiVersion: storage.k8s.io/v1beta1
    kind: CSINode
    metadata:
      name: kind-control-plane
      ownerReferences:
      - apiVersion: v1
        kind: Node
        name: kind-control-plane
  ...
    spec:
      drivers:
      - name: csi.cert-manager.io
        nodeID: kind-control-plane
        topologyKeys: null
  ...
  ```
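
The per-node check in Step 3 can be automated by comparing the node list against the CSINode objects that list `csi.cert-manager.io` under `spec.drivers`. The following is an added example, not part of the original tutorial or the product's tooling; the function names, the `--live` switch and the sample data are assumptions made for illustration.

```python
import json
import subprocess
import sys

DRIVER = "csi.cert-manager.io"  # driver name from the tutorial's sample output


def nodes_missing_driver(nodes, csinodes, driver=DRIVER):
    """Return the sorted names of nodes whose CSINode does not list `driver`."""
    registered = set()
    for item in csinodes.get("items", []):
        # spec.drivers is null or absent until a driver registers on that node.
        drivers = (item.get("spec") or {}).get("drivers") or []
        if any(d.get("name") == driver for d in drivers):
            registered.add(item["metadata"]["name"])
    wanted = {n["metadata"]["name"] for n in nodes.get("items", [])}
    return sorted(wanted - registered)


def kubectl_json(resource):
    """Run `kubectl get <resource> -o json` and parse the result."""
    proc = subprocess.run(["kubectl", "get", resource, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def make_node(name):
    return {"metadata": {"name": name}}


def make_csinode(name, drivers):
    return {"metadata": {"name": name}, "spec": {"drivers": drivers}}


# Constructed sample data (not real cluster output).
SAMPLE_NODES = {"items": [make_node(n) for n in
                          ("kind-control-plane", "worker-1", "worker-2", "worker-3")]}
SAMPLE_CSINODES = {"items": [
    make_csinode("kind-control-plane", [{"name": DRIVER, "nodeID": "kind-control-plane"}]),
    make_csinode("worker-1", None),                             # nothing registered yet
    make_csinode("worker-2", [{"name": "other.csi.example"}]),  # a different driver only
    # worker-3 has no CSINode object at all
]}

if __name__ == "__main__":
    if "--live" in sys.argv:  # query the current kubectl context
        missing = nodes_missing_driver(kubectl_json("nodes"), kubectl_json("csinodes"))
    else:
        missing = nodes_missing_driver(SAMPLE_NODES, SAMPLE_CSINODES)
    print("nodes missing", DRIVER + ":", ", ".join(missing) or "none")
    sys.exit(1 if missing else 0)
```

Run it with `--live` to query the current kubectl context; without the switch it evaluates the constructed sample and exits non-zero because three sample nodes lack the driver.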