Skip to content

Installing Discovery Agent for Next-Gen Trust Security using Helm

In this tutorial, you'll install Discovery Agent on a Kubernetes cluster using a Helm chart. This connects your cluster to Next-Gen Trust Security using key pair authentication and allows Discovery Agent to discover certificates in the cluster.

Connecting multiple clusters

When connecting clusters to Next-Gen Trust Security, deploy only one instance of the Discovery Agent for each cluster. Each instance must use a dedicated built-in account. Using the same built-in account across multiple clusters isn't supported.

Prerequisites

To install Discovery Agent, first complete pre-installation steps in the Next-Gen Trust Security user interface and save deployment credentials. Then, prepare your environment.

Complete pre-installation

Create a Built-in Account in Next-Gen Trust Security with the Discovery Agent use case and the Kubernetes Discovery scope.

Save the following credentials:

  • Private key: The private key from your Built-in Account, saved to discovery-agent-private-key.pem.
  • Client ID: The clientID for your Built-in Account, saved to clientid.txt
  • Tenant Service Group ID: The tsgID for your tenant, from your user profile at bottom left in Next-Gen Trust Security. For example, 0000000000.

Prepare your environment

To install Discovery Agent, you must have:

  • A cluster with permissions to create namespaces and secrets.
  • Outbound access from your cluster to the public Discovery Agent chart at oci://registry.ngts.paloaltonetworks.com/charts/discovery-agent.
  • helm and kubectl on your local machine.

Step 1: Connect the cluster

To connect your cluster to Next-Gen Trust Security, create a namespace, store your credentials in a Kubernetes Secret, and install the Discovery Agent Helm chart.

  1. Create the namespace:

    kubectl create namespace venafi

  2. Create a Kubernetes Secret containing the client ID and private key from your Built-in Account:

    kubectl create secret generic discovery-agent-credentials \
  --namespace=venafi \
  --from-file=clientID=clientid.txt \ # (1)!
  --from-file=privatekey.pem=discovery-agent-private-key.pem # (2)!
    1. The client ID for your Built-in Account.
    2. The private key saved when creating your Built-in Account.

  3. Create a discovery-agent.values.yaml file with your configuration.

    If you use a multi-tenant environment with sub-tenants, set claimableCerts to true.

    discovery-agent.values.yaml
    config:
  clusterName: "your-cluster-name" # (1)!
  clusterDescription: "your-cluster-description"
  tsgID: "0000000000" # (2)!
  claimableCerts: false # (3)!
    1. Specifying a cluster name and description automatically creates a cluster resource in Next-Gen Trust Security.
    2. TSG IDs are numeric but must be treated as strings to prevent unexpected YAML behavior. Always wrap your TSG ID in quotes.
    3. Controls certificate ownership. When false, the default, the tenant that created the Built-In Account claims discovered certificates, even if it's a child tenant. When true, certificates remain unclaimed, making them available for child tenants to claim.

  4. (Optional) If your cluster requires a proxy, add the following top-level keys to your discovery-agent.values.yaml and update them for your environment:

    http_proxy: "proxy.example.com:8080"
https_proxy: "proxy.example.com:8443"
no_proxy: "127.0.0.1,localhost,kubernetes.default.svc,kubernetes.default.svc.cluster.local"

    Add <tsgID>.ngts.paloaltonetworks.com to your egress proxy allowlist, for example 0000000000.ngts.paloaltonetworks.com.

  5. (Optional) If your proxy uses a certificate from a private CA, add the CA to a custom trust bundle by creating a ConfigMap with your trusted certificates:

    kubectl --namespace venafi create configmap ca-cert \
  --from-file=ca-cert.crt=<file-name>

    Add the following to your discovery-agent.values.yaml to mount the trust bundle into the agent pod:

    volumes:
- name: ca-cert
  configMap:
    name: ca-cert
volumeMounts:
- name: ca-cert
  mountPath: /etc/ssl/certs/ca-cert.crt
  subPath: ca-cert.crt
  readOnly: true

  6. Install the Discovery Agent Helm chart:

    • If you mirror images to your own registry, replace registry.ngts.paloaltonetworks.com with your registry URL.
    helm upgrade discovery-agent \
  oci://registry.ngts.paloaltonetworks.com/charts/discovery-agent \
  --install \
  --namespace "venafi" \
  --version 1.10.0 \
  --values discovery-agent.values.yaml

Step 2: Verifying the deployment

To verify the deployment:

  1. In the Next-Gen Trust Security user interface, click Installations > Kubernetes Clusters and click your cluster. In the right-hand drawer that appears, confirm that status is ACTIVE and Last Check In was seconds ago.

  2. Click System Settings > Event Log and confirm that Service account access token granted and Login succeeded are present for your Built-in Account.

Check the agent logs

To troubleshoot issues, check the agent logs with kubectl:

kubectl logs -n venafi -l app.kubernetes.io/instance=discovery-agent --tail -1 | grep -A 5 "Running Agent"

Successful output is similar to the following:

2023/01/01 01:01:01 Running Agent...
2023/01/01 01:01:02 Posting data to: https://1234567891.ngts.paloaltonetworks.com/
2023/01/01 01:01:03 Data sent successfully.

Disconnecting a cluster and uninstalling Discovery Agent

To uninstall Discovery Agent and disconnect a cluster, first remove Discovery Agent from the cluster.

helm uninstall -n venafi discovery-agent

Once uninstalled, remove the cluster from Next-Gen Trust Security:

  1. In Next-Gen Trust Security user interface, go to Insights > Kubernetes Clusters.
  2. Click the cluster and click Disconnect.
  3. Go to System Settings > Built-in Accounts.
  4. Click the account and click Delete.

What's next?

Now that Discovery Agent is installed, configure it for your environment.