Skip to content

Installing Distributed Issuer on Kubernetes using Helm

In this tutorial, you'll use Helm to install Distributed Issuer on Kubernetes and connect it to Next-Gen Trust Security, from which it will bootstrap its security settings.

Prerequisites

To install Distributed Issuer, first complete pre-installation in the Next-Gen Trust Security user interface and save your credentials. Then, prepare your environment.

Complete pre-installation

Complete the steps in Getting started with Distributed Issuer, which include creating a CA account and subordinate CA, adding policies, creating a Built-in Account for authentication, and adding a bootstrap configuration.

Save the following credentials:

  • Private key: The private key from your Built-in Account.
  • Client ID: The clientID for your Built-in Account.
  • Tenant Service Group ID: The tsgID for your tenant, from your user profile at bottom left in Next-Gen Trust Security. For example, 0000000000.

Prepare your environment

To install Distributed Issuer, you must have:

  • A cluster with permissions to create namespaces and secrets.
  • Outbound access from your cluster to the Next-Gen Trust Security API, so Distributed Issuer can connect for authentication and configuration. See network requirements.
  • helm, kubectl, and cmctl on your local machine.
  • cert-manager installed in your cluster, since Distributed Issuer operates as a cert-manager issuer and interacts with its custom resources.
  • To authenticate with NGTS, the VenafiConnection CRD installed in your cluster. To confirm, run kubectl get crd venaficonnections.jetstack.io. If not present, see Installing Connection for Next-Gen Trust Security using Helm.

Step 1: Install Distributed Issuer with a Helm chart

  1. If needed, review and agree to the Palo Alto Networks End User License Agreement.

  2. Create a Kubernetes namespace:

    kubectl create ns venafi

  3. Create a secret containing the private key from your Built-in Account.

    kubectl create secret generic ngts-credentials \
  --namespace venafi \
  --from-file=svc-acct.key=/path/to/private-key.pem # (1)!
    1. Path to the private key saved when creating your Built-in Account.

  4. Create a distributed-issuer.values.yaml file.

    In the file, the tsgID you supply enables the Helm chart to construct the Next-Gen Trust Security API URL that Distributed Issuer uses for authentication and configuration.

    Generate a starter file

    To generate a starter Helm values file with comments for installing Distributed Issuer, run: 

    helm show values oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer --version v1.11.0 > distributed-issuer-values.yaml

    distributed-issuer.values.yaml
    deployment:
  config:
    bootstrap:
      ngts:
        connection:
          create: true # (1)!

          tsgID: "000000000" # (2)!
          privateKeySecret:
            enabled: true
            clientID: 00000000-0000-0000-0000-000000000000 # (3)!
crd:
  approver:
    subject:
      name: cert-manager # (4)!
      namespace: venafi
    1. To use an existing VenafiConnection resource, set to false and add the resource as a sibling key, for example name: my-venafi-connection.
    2. The Tenant Service Group ID for your Next-Gen Trust Security tenant.
    3. The client ID from your Built-in Account.
    4. ServiceAccount allowed to approve CertificateRequests, which must be approved before Distributed Issuer signs them. This example uses cert-manager directly, instead of a separate approver-policy. Also see CertificateRequest resource in the open source documentation.

  5. Install the Helm chart. The --version flag is required.

    • For FIPS, replace distributed-issuer-public with distributed-issuer-fips and make sure you have the NGTS pull secret configured in your cluster.
    helm upgrade di-install oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-public \
  --install \
  --create-namespace \
  --namespace venafi \
  --values distributed-issuer.values.yaml \
  --version v1.11.0

Step 2: Verify the installation

Verify the installation using cmctl.

  1. Create a certificate.yaml file containing a test certificate:

    certificate.yaml
    kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  annotations:
    firefly.venafi.com/policy-name: my-web-policy # (1)!
spec:
  commonName: app.example.com # (2)!
  issuerRef:
    name: firefly
    kind: Issuer
    group: firefly.venafi.com

    1. Replace this example with your Distributed Issuer policy name, from the Next-Gen Trust Security Workload Issuance Policies page.

    2. Supply a domain allowed by your Distributed Issuer policy, from the Workload Issuance Policies page under Subject > Common Name.

  2. Use cmctl to create a cert-manager CertificateRequest and wait for the signed certificate:

    cmctl create certificaterequest my-cr \
  --from-certificate-file certificate.yaml \
  --fetch-certificate

    If successful, cmctl prints the names of a .key and a .crt file.

  3. Confirm the signed X.509 certificate with OpenSSL:

    openssl x509 -in my-cr.crt -noout -text

What's next?

Distributed Issuer is now installed, and can issue and manage certificates in your cluster. Review certificates on the Issuer Certificates page in Next-Gen Trust Security.