Connect a Kubernetes Cluster Manually

Connect a Kubernetes cluster to Next-Gen Trust Security by installing the Discovery Agent with a Helm chart. Once connected, the cluster appears on the Kubernetes Clusters page and discovered certificates appear in the Certificate Inventory.
Note: When connecting clusters to Next-Gen Trust Security, deploy only one instance of the Discovery Agent for each cluster. Each instance must use a dedicated built-in account. Using the same built-in account across multiple clusters isn't supported.

Prerequisites

Before you connect a cluster, complete the following steps and prepare your environment.

Preconfiguration

Save your credentials:
  • From a Built-In Account created with the Discovery Agent use case and Kubernetes Discovery scope, save the following:
    • Private key: Generate a key pair during account creation or upload your own public key. Save the private key as discovery-agent-private-key.pem. Supported algorithms are: RSA (2048, 3072, 4096), ECDSA (P256, P384, P521), and EdDSA (Ed25519).
    • Client ID: Save the client ID to clientid.txt.
  • In Next-Gen Trust Security at bottom left, click your user profile. In the pane that appears, copy and save your TSG ID, for example 0000000000.

Prepare Your Environment

To connect a cluster manually, you must have:
  • A Kubernetes cluster with permission to create namespaces and secrets. Supported flavors are:
    • AWS Elastic Kubernetes Service (EKS).
    • Azure Kubernetes Service (AKS).
    • Google Kubernetes Engine (GKE).
    • Red Hat OpenShift.
    • Self-hosted Kubernetes distributions such as vanilla Kubernetes or Rancher.
  • helm and kubectl installed on your local machine.
  • Access to the public Discovery Agent chart at oci://registry.ngts.paloaltonetworks.com/charts/discovery-agent.

Step 1: Connect the Cluster

To connect your cluster to Next-Gen Trust Security, create a namespace, store your credentials in a Kubernetes Secret, and install the Discovery Agent Helm chart.
  1. Create the venafi namespace:
    kubectl create namespace venafi
  2. Create a Kubernetes Secret with your credentials:
    kubectl create secret generic discovery-agent-credentials \
      --namespace=venafi \
      --from-file=clientID=clientid.txt \
      --from-file=privatekey.pem=discovery-agent-private-key.pem
  3. Create a discovery-agent.values.yaml file with the cluster name and your TSG ID, using double quotes so that it's interpreted as a string:
    config:
      clusterName: my-cluster-name
      clusterDescription: "My cluster description"
      tsgID: "0000000000"
      claimableCerts: false
    Set claimableCerts based on how you want to handle discovered certificates:
    • false (default): Discovered certificates are automatically claimed by the tenant that created the Built-In Account, even if it is a child tenant.
    • true: Certificates remain unclaimed, making them available for other tenants to claim.
  4. (Optional) To use a custom CA bundle, create a ConfigMap with your trusted certificates:
    kubectl --namespace venafi create configmap ca-cert \
      --from-file=ca-cert.crt=<file-name>
    Add the following to your discovery-agent.values.yaml to mount the trust bundle into the Agent pod:
    volumes:
      - name: ca-cert
        configMap:
          name: ca-cert
    volumeMounts:
      - name: ca-cert
        mountPath: /etc/ssl/certs/ca-cert.crt
        subPath: ca-cert.crt
        readOnly: true
  5. (Optional) If your cluster requires a proxy, add the following to your discovery-agent.values.yaml and update them for your environment:
    http_proxy: "http://proxy.example.com:8080"
    https_proxy: "https://proxy.example.com:8443"
    no_proxy: "127.0.0.1,localhost,kubernetes.default.svc,kubernetes.default.svc.cluster.local"
    Add <tsgID>.ngts.paloaltonetworks.com to your egress proxy allowlist, for example 1234567891.ngts.paloaltonetworks.com.
  6. Install Discovery Agent and wait for it to be ready:
    helm upgrade discovery-agent \
      oci://registry.ngts.paloaltonetworks.com/charts/discovery-agent \
      --install \
      --namespace "venafi" \
      --values discovery-agent.values.yaml
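The steps above can be run as one script that validates the inputs before anything is created. This is an added example, not part of the Next-Gen Trust Security documentation or the discovery-agent chart; it assumes clientid.txt and discovery-agent-private-key.pem are in the current directory and that the values file needs only clusterName, tsgID, claimableCerts and the optional proxy settings.

```shell
#!/bin/sh
# Added pre-flight and install helper; not part of the Next-Gen Trust Security
# docs or the discovery-agent chart. Assumes clientid.txt and
# discovery-agent-private-key.pem (names from the page) are in the current directory.
set -eu

# A TSG ID is all digits. It is emitted quoted so YAML keeps it a string.
validate_tsg_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# The Secret must carry a PEM private key, whatever the algorithm.
validate_private_key() {
  [ -s "$1" ] && grep -q 'PRIVATE KEY-----' "$1"
}

# Render discovery-agent.values.yaml to stdout.
# $1 cluster name, $2 TSG ID, $3 claimableCerts, $4/$5 optional http/https proxy URLs
render_values() {
  validate_tsg_id "$2" || { echo "invalid TSG ID: $2" >&2; return 1; }
  case "$3" in true|false) ;; *) echo "claimableCerts must be true|false" >&2; return 1 ;; esac
  printf 'config:\n  clusterName: %s\n  tsgID: "%s"\n  claimableCerts: %s\n' "$1" "$2" "$3"
  if [ -n "${4:-}" ]; then
    printf 'http_proxy: "%s"\nhttps_proxy: "%s"\n' "$4" "${5:-$4}"
    printf 'no_proxy: "127.0.0.1,localhost,kubernetes.default.svc,kubernetes.default.svc.cluster.local"\n'
  fi
}

# Runs steps 1, 2, 3, 5 (when proxy URLs are given) and 6 idempotently,
# for example: connect_cluster my-cluster-name 0000000000 false
connect_cluster() {
  validate_private_key discovery-agent-private-key.pem || { echo "private key missing or not PEM" >&2; return 1; }
  [ -s clientid.txt ] || { echo "clientid.txt is empty" >&2; return 1; }
  chmod 600 discovery-agent-private-key.pem   # keep the key readable only by you
  render_values "$@" > discovery-agent.values.yaml
  kubectl get namespace venafi >/dev/null 2>&1 || kubectl create namespace venafi
  kubectl create secret generic discovery-agent-credentials --namespace=venafi \
    --from-file=clientID=clientid.txt \
    --from-file=privatekey.pem=discovery-agent-private-key.pem \
    --dry-run=client -o yaml | kubectl apply -f -
  helm upgrade discovery-agent oci://registry.ngts.paloaltonetworks.com/charts/discovery-agent \
    --install --namespace venafi --values discovery-agent.values.yaml --wait
}
```

Source the file and call connect_cluster with your cluster name, TSG ID and claimableCerts choice; the Secret is applied through a client-side dry run so re-running the script updates rather than fails.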

Step 2: Verify the Cluster Connection

  1. In Next-Gen Trust Security, click Insights > Kubernetes Clusters and confirm that your cluster appears.
  2. In Next-Gen Trust Security, click Insights > Certificates and confirm that any discovered certificates appear.
  3. Check the Discovery Agent logs to confirm a successful connection:
    kubectl logs -n venafi -l app.kubernetes.io/instance=discovery-agent
    A successful connection produces output similar to the following:
    {"msg":"Starting","version":"v1.10.0","logger":"Run"}
    {"msg":"Starting DataGatherer","name":"k8s/discovery"}
    {"msg":"Starting DataGatherer","name":"k8s/secrets"}
    {"msg":"Starting DataGatherer","name":"k8s/deployments"}
    {"msg":"Starting DataGatherer","name":"k8s/pods"}
    {"msg":"Successfully gathered","count":6,"name":"k8s/secrets"}
    {"msg":"Successfully gathered","count":6,"name":"k8s/deployments"}
    {"msg":"Successfully gathered","count":13,"name":"k8s/pods"}
    {"msg":"uploading data readings to NGTS","cluster_name":"my-cluster-name","data_readings_count":8}
    {"msg":"Data sent successfully","logger":"postData"}
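The log check in step 3 can be scripted so that a missing upload or an unconfirmed upload is reported rather than eyeballed. This is an added example, not part of the documentation or the agent; the sample log is constructed from the output shown above and the check relies only on grep and sed.

```shell
#!/bin/sh
# Added log check, not part of the Next-Gen Trust Security docs or the chart.
# Reads discovery-agent JSON log lines from stdin (the format shown above)
# and reports whether readings reached NGTS. Needs only grep/sed, not jq.
set -eu

# Constructed sample, abridged from the successful output shown above.
SAMPLE_LOG='{"msg":"Starting","version":"v1.10.0","logger":"Run"}
{"msg":"Starting DataGatherer","name":"k8s/secrets"}
{"msg":"Successfully gathered","count":6,"name":"k8s/secrets"}
{"msg":"uploading data readings to NGTS","cluster_name":"my-cluster-name","data_readings_count":8}
{"msg":"Data sent successfully","logger":"postData"}'

# Prints "ok <cluster_name> <data_readings_count>" and returns 0 when an
# upload was attempted and confirmed; otherwise prints why and returns 1.
check_agent_log() {
  log=$(cat)
  printf '%s\n' "$log" | grep -q '"msg":"Starting"' \
    || { echo "agent never started"; return 1; }
  upload=$(printf '%s\n' "$log" | grep '"msg":"uploading data readings to NGTS"' | tail -n 1)
  [ -n "$upload" ] \
    || { echo "no upload attempted"; return 1; }
  printf '%s\n' "$log" | grep -q '"msg":"Data sent successfully"' \
    || { echo "upload started but not confirmed; check egress to <tsgID>.ngts.paloaltonetworks.com"; return 1; }
  cluster=$(printf '%s\n' "$upload" | sed -n 's/.*"cluster_name":"\([^"]*\)".*/\1/p')
  count=$(printf '%s\n' "$upload" | sed -n 's/.*"data_readings_count":\([0-9]*\).*/\1/p')
  echo "ok $cluster $count"
}

# Self-check on the constructed sample; for a live cluster pipe in:
#   kubectl logs -n venafi -l app.kubernetes.io/instance=discovery-agent | check_agent_log
printf '%s\n' "$SAMPLE_LOG" | check_agent_log
```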