
EJBCA Overview

The EJBCA container set is deployed using Helm, a Kubernetes package manager for deploying Helm charts. Deploying EJBCA using our Helm chart reduces setup complexity and simplifies the process of setting up EJBCA in your environment.

With Helm, a variety of optional resources may be customized to be deployed along with EJBCA.

EJBCA Enterprise is often deployed as a cluster of multiple CA, RA, and VA instances. In Kubernetes, namespaces provide a mechanism for isolating groups of resources within a single cluster. It is recommended to deploy EJBCA CA instances in a separate namespace from the RA and VA instances.

It is also recommended to use a sidecar container to connect an EJBCA CA instance to the peer RA or VA instance. This is only possible if the EJBCA instances are running in the same cluster. If the EJBCA instances are running in different clusters, an ingress must be used.
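The separate-namespace recommendation above does not by itself restrict network traffic: a Kubernetes namespace scopes names and RBAC, while a NetworkPolicy (enforced by a policy-capable CNI) is what limits which pods may reach the RA/VA. The following manifests are an added example and are not part of the EJBCA chart or its documentation. They assume namespaces named `ejbca-ca` and `ejbca-ra`, pods labelled `app.kubernetes.io/name=ejbca` on both sides, and a peer TLS port of 8443 on the RA/VA side; all of these are assumptions and should be replaced with the values used in your deployment.

```yaml
# Added example, not from the EJBCA Helm chart.
# Assumptions: namespace names "ejbca-ca" and "ejbca-ra", the pod label
# app.kubernetes.io/name=ejbca on both sides, the RA/VA peer endpoint on
# TCP 8443, and a CNI that enforces NetworkPolicy (e.g. Calico or Cilium).
apiVersion: v1
kind: Namespace
metadata:
  name: ejbca-ca
  labels:
    ejbca.example/role: ca
---
apiVersion: v1
kind: Namespace
metadata:
  name: ejbca-ra
  labels:
    ejbca.example/role: ra
---
# Default-deny inbound traffic to every pod in the RA/VA namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: ejbca-ra
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
---
# Allow only EJBCA CA pods in the ejbca-ca namespace to reach the
# RA/VA peer port; the namespaceSelector and podSelector in one "from"
# entry are ANDed, so a pod must match both.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ca-to-peer
  namespace: ejbca-ra
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ejbca
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              ejbca.example/role: ca
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ejbca
      ports:
        - protocol: TCP
          port: 8443
```

Apply with `kubectl apply -f` and verify with `kubectl describe networkpolicy -n ejbca-ra`. If the cluster's CNI does not enforce NetworkPolicy, the objects are accepted but have no effect, so confirm enforcement (for example, by attempting a connection from a pod in an unrelated namespace) rather than assuming it.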

Containers

  • EJBCA - EJBCA Enterprise is available as a Certificate Authority (CA), Registration Authority (RA), and Validation Authority (VA). The EJBCA CA image is deployed by default. For more information on included components, see EJBCA Container Set.

  • NGINX - Optional sidecar container to enable strict cluster-internal communication. The latest nginx:alpine image from DockerHub is used. The NGINX sidecar is recommended but remains an optional component.

  • HSM sidecar containers - Optional sidecar containers to allow EJBCA Enterprise to communicate with Hardware Security Modules (HSMs). HSM sidecars are optional components, only required in CA and VA instances. For more information, see HSM Integration.

Services and Ingresses

The following optional ingress and service can be directly connected to EJBCA.

When used, secure communication and authentication using TLS are required.

  • Ingress - Optional NGINX ingress to allow cluster-external access. For more information, refer to the documentation for the Ingress NGINX Controller at https://kubernetes.github.io/ingress-nginx/

  • Internal NGINX service - Optional service enabled when the NGINX sidecar is used.

  • LoadBalancer service with NGINX sidecar (optional) to allow cluster external access.
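Because TLS is required wherever the ingress is used, the minimum a practitioner wants to see is an Ingress that terminates TLS, re-encrypts to the EJBCA pod, and verifies client certificates at the edge. The manifest below is an added example and is not part of the EJBCA chart; it uses only standard ingress-nginx annotations. It assumes ingress-nginx is installed with ingressClassName `nginx`, that the EJBCA Service is named `ejbca` in namespace `ejbca-ca` and listens with TLS on port 8443, that Secret `ejbca-server-tls` holds the server certificate (`tls.crt`/`tls.key`), and that Secret `ejbca-client-ca` holds the client-certificate issuer chain under the key `ca.crt`. The hostname `ejbca.example.internal` is a placeholder.

```yaml
# Added example, not from the EJBCA Helm chart.
# Assumptions: ingress-nginx with ingressClassName "nginx"; Service "ejbca"
# in namespace "ejbca-ca" exposing TLS on 8443; Secret "ejbca-server-tls"
# with tls.crt/tls.key; Secret "ejbca-client-ca" with the client CA chain
# under the key "ca.crt"; hostname ejbca.example.internal is a placeholder.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ejbca
  namespace: ejbca-ca
  annotations:
    # Never serve plaintext: redirect HTTP to HTTPS.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Re-encrypt to the pod instead of sending plaintext inside the cluster.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Require and verify a client certificate against the CA chain in the
    # referenced Secret ("<namespace>/<secret>" form).
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "ejbca-ca/ejbca-client-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
    # Forward the verified client certificate to the backend as a header.
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - ejbca.example.internal
      secretName: ejbca-server-tls
  rules:
    - host: ejbca.example.internal
      http:
        paths:
          - path: /ejbca
            pathType: Prefix
            backend:
              service:
                name: ejbca
                port:
                  number: 8443
```

With `auth-tls-verify-client: "on"` every request through this Ingress must present a certificate chaining to `ca.crt`; set it to `"optional"` if some paths (for example public RA enrollment pages) must be reachable without one, and restrict those paths separately. Whether EJBCA itself trusts the forwarded certificate header is a matter of EJBCA's own configuration and is not covered on this page; without that configuration, terminate TLS at the sidecar or pod rather than relying on the forwarded header for authentication.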

Various environment variables, secrets, ConfigMaps, and volume mounts can be used to configure the resources using a Helm chart. For more information on how to configure the components, see the following sections.
