Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. Cohesity Cloud Scale Technology Manual Deployment Guide for Kubernetes Clusters
  3. Section II. Deployment
  4. Deploying Cloud Scale
  5. Prerequisites for Cloud Scale deployment
Cohesity Cloud Scale Technology Manual Deployment Guide for Kubernetes Clusters

Prerequisites for Cloud Scale deployment

Ensure that the following steps are performed before deploying the operators:

  1. Install cert-manager by using the following command:

    helm repo add jetstack https://charts.jetstack.io

    helm repo update jetstack

    helm upgrade -i -n cert-manager cert-manager jetstack/cert-manager \ --version 1.18.2 \ --set webhook.timeoutSeconds=30 \ --set installCRDs=true \ --wait --create-namespace

    For details, see cert-manager Documentation.

  2. Create NetBackup namespace by using the following command:

    kubectl create ns netbackup

  3. Install trust-manager by using the following command:

    kubectl create namespace trust-manager

    helm upgrade -i -n trust-manager trust-manager jetstack/trust-manager --set app.trust.namespace=netbackup --version v0.19.0 --wait

    For details, see trust-manager Documentation.

  4. (If using private registry) Create kubernetes secret for using the private registries as follows:

    Create operator namespace by using the following command:

    kubectl create ns netbackup-operator-system

    kubectl create secret docker-registry <secret-name> \ --namespace <namespace> \ --docker-server=<container-registry-name> \ --docker-username=<service-principal-ID> \ --docker-password=<service-principal-password>

    For example (AKS): kubectl create secret docker-registry demo-secret --namespace netbackup-operator-system --docker-server=cpautomation.azurecr.io --docker-username=c1d03169-6f35-4c29-b527-995bbad3b608 --docker-password=<password_here>

  5. (For Cloud Scale) Create kubernetes secret for using the private registries as follows:

    kubectl create secret docker-registry <secret-name> \ --namespace <namespace> \ --docker-server=<container-registry-name> \ --docker-username=<service-principal-ID> \ --docker-password=<service-principal-password>

    For example (AKS): kubectl create secret docker-registry demo-secret --namespace netbackup --docker-server=cpautomation.azurecr.io --docker-username=c1d03169-6f35-4c29-b527-995bbad3b608 --docker-password=<password_here>

Air-Gapped installation procedure for cert-manager and trust-manager in AKS

This section provides step-by-step instructions for deploying cert-manager and trust-manager in an air-gapped or partially air-gapped Azure Kubernetes Service (AKS) environment. It enables installation without direct internet access, using JFrog Artifactory as the container registry (adaptable for ACR or ECR). The tools are installed in separate namespaces (cert-manager and trust-manager) for compatibility, with trust-manager configured to manage trust bundles in the NetBackup namespace.

Prerequisites

  • Internet-connected and air-gapped environments

  • Secure file transfer method between environments

  • Access to a private container registry (for example, JFrog Artifactory)

  • Docker/Podman and Helm installed on both environments

  • kubectl configured for the AKS cluster

  • Registry credentials

Air-Gapped installation procedure

  1. Gather Helm charts locally (Internet-connected environment):

    Download the cert-manager and trust-manager charts:

    • # Add the Jetstack Helm repository
      helm repo add jetstack https://charts.jetstack.io --force-update
      
      # Update your local Helm repository indexes
      helm repo update
      
      # Pull the cert-manager chart
      helm pull jetstack/cert-manager --version v1.17.0 --untar --untardir ./cert-manager-chart
      
      # Pull the trust-manager chart
      helm pull jetstack/trust-manager --untar --untardir ./trust-manager-chart --replace

      This creates folders ./cert-manager-chart and ./trust-manager-chart containing the Helm chart files.

    • Identify the container images in each chart:

      • Method 1: Generate and examine the manifests:

        helm template ./cert-manager-chart/cert-manager --namespace cert-manager > cert-manager-manifest.yaml
        helm template ./trust-manager-chart/trust-manager --namespace trust-manager > trust-manager-manifest.yaml
        
        # Find all images used in the manifests
        grep "image:" cert-manager-manifest.yaml
        grep "image:" trust-manager-manifest.yaml

        Example output:

        # cert-manager images
        image: "quay.io/jetstack/cert-manager-cainjector:v1.17.0"
        image: "quay.io/jetstack/cert-manager-controller:v1.17.0"
        image: "quay.io/jetstack/cert-manager-webhook:v1.17.0"
        image: "quay.io/jetstack/cert-manager-startupapicheck:v1.17.0"
        
        # trust-manager images
        image: "quay.io/jetstack/trust-pkg-debian-bookworm:20230311.0"
        image: "quay.io/jetstack/trust-manager:v0.16.0"
      • Method 2: Examine the values.yaml files directly:

        For cert-manager: Look for .image.repository, .image.tag, and so on.

        For trust-manager: Look for app.image.repository, app.image.tag, and so on.

        The default images are typically pulled from quay.io/jetstack/.

  2. Pull and save the images (Internet-connected environment):
    # Pull cert-manager images
    docker pull quay.io/jetstack/cert-manager-controller:v1.17.0
    docker pull quay.io/jetstack/cert-manager-webhook:v1.17.0
    docker pull quay.io/jetstack/cert-manager-cainjector:v1.17.0
    docker pull quay.io/jetstack/cert-manager-startupapicheck:v1.17.0
    
    # Pull trust-manager images
    docker pull quay.io/jetstack/trust-manager:v0.16.0
    docker pull quay.io/jetstack/trust-pkg-debian-bookworm:20230311.0
    
    # Save all images into a single tarball
    docker save \
      quay.io/jetstack/cert-manager-controller:v1.17.0 \
      quay.io/jetstack/cert-manager-webhook:v1.17.0 \
      quay.io/jetstack/cert-manager-cainjector:v1.17.0 \
      quay.io/jetstack/cert-manager-startupapicheck:v1.17.0 \
      quay.io/jetstack/trust-manager:v0.16.0 \
      quay.io/jetstack/trust-pkg-debian-bookworm:20230311.0 \
      -o cert-manager-trust-manager-images.tar
  3. Copy the files to the offline/restricted host:
    • Transfer the image tarball:

      Transfer cert-manager-trust-manager-images.tar file to your air-gapped environment using an approved method (for example, SCP, secure file transfer, or physical media).

    • Transfer the Helm charts:

      Transfer the Helm charts to the air-gapped environment using one of the following approaches:

      • Option 1: Pack and transfer the extracted chart directories:

        # Create archive of the chart directories
        tar -czf helm-charts.tar.gz ./cert-manager-chart ./trust-manager-chart
        
        # Transfer helm-charts.tar.gz to the air-gapped environment
        # Then on the air-gapped host:
        tar -xzf helm-charts.tar.gz
      • Option 2: Create Helm package archives and transfer those:

        # Package the charts
        helm package ./cert-manager-chart/cert-manager -d ./packages
        helm package ./trust-manager-chart/trust-manager -d ./packages
        
        # Transfer the ./packages directory to the air-gapped environment

        Use the same secure file transfer method as used for the container images.

  4. Load and push images into your private registry (Air-Gapped environment):
    # Load the images into Docker
    docker load -i cert-manager-trust-manager-images.tar
    
    # Login to your private Artifactory registry
    # You'll be prompted to enter your password securely
    # If using ACR/ECR replace the docker login command below with (Ex: az acr login -n myacr)
    docker login my-artifactory.mycompany.com -u <your-username>
    
    # Tag the images for your private registry (replace my-artifactory.mycompany.com with your registry URL)
    docker tag quay.io/jetstack/cert-manager-controller:v1.17.0 \
      my-artifactory.mycompany.com/jetstack/cert-manager-controller:v1.17.0
    
    docker tag quay.io/jetstack/cert-manager-webhook:v1.17.0 \
      my-artifactory.mycompany.com/jetstack/cert-manager-webhook:v1.17.0
    
    docker tag quay.io/jetstack/cert-manager-cainjector:v1.17.0 \
      my-artifactory.mycompany.com/jetstack/cert-manager-cainjector:v1.17.0
    
    docker tag quay.io/jetstack/cert-manager-startupapicheck:v1.17.0 \
      my-artifactory.mycompany.com/jetstack/cert-manager-startupapicheck:v1.17.0
    
    docker tag quay.io/jetstack/trust-manager:v0.16.0 \
      my-artifactory.mycompany.com/jetstack/trust-manager:v0.16.0
    
    docker tag quay.io/jetstack/trust-pkg-debian-bookworm:20230311.0 \
      my-artifactory.mycompany.com/jetstack/trust-pkg-debian-bookworm:20230311.0
    
    # Push the images to your private registry
    docker push my-artifactory.mycompany.com/jetstack/cert-manager-controller:v1.17.0
    docker push my-artifactory.mycompany.com/jetstack/cert-manager-webhook:v1.17.0
    docker push my-artifactory.mycompany.com/jetstack/cert-manager-cainjector:v1.17.0
    docker push my-artifactory.mycompany.com/jetstack/cert-manager-startupapicheck:v1.17.0
    docker push my-artifactory.mycompany.com/jetstack/trust-manager:v0.16.0
    docker push my-artifactory.mycompany.com/jetstack/trust-pkg-debian-bookworm:20230311.0
  5. Create image pull secret and update Helm charts:
    • Create a kubernetes secret for registry authentication:

      # Create the cert-manager namespace if it doesn't exist yet
      kubectl create namespace cert-manager --dry-run=client -o yaml | kubectl apply -f -
      
      # Create a secret with your registry credentials
      # Create secret for cert-manager
      kubectl create secret docker-registry artifactory-registry-secret \
        --namespace cert-manager \
        --docker-server=my-artifactory.mycompany.com \
        --docker-username=<your-username> \
        --docker-password=<your-password> \
        --docker-email=<your-email>
      
      # Create the same secret for trust-manager
      kubectl create secret docker-registry artifactory-registry-secret \
        --namespace trust-manager \
        --docker-server=my-artifactory.mycompany.com \
        --docker-username=<your-username> \
        --docker-password=<your-password> \
        --docker-email=<your-email>
    • Update the Helm charts to use your private registry using one of the following options:

      • Option 1: Modify values.yaml files:

        For cert-manager, update the following sections in cert-manager-chart/cert-manager/values.yaml file:

        image:
          repository: my-artifactory.mycompany.com/jetstack/cert-manager-controller
          tag: v1.17.0
          # ...
        
        webhook:
          image:
            repository: my-artifactory.mycompany.com/jetstack/cert-manager-webhook
            tag: v1.17.0
          # ...
        
        cainjector:
          image:
            repository: my-artifactory.mycompany.com/jetstack/cert-manager-cainjector
            tag: v1.17.0
          # ...
        
          # Add imagePullSecrets
          imagePullSecrets:
          - name: artifactory-registry-secret
        For trust-manager, update the following in trust-manager-chart/trust-manager/values.yaml:
        
        app:
          image:
            repository: my-artifactory.mycompany.com/jetstack/trust-manager
            tag: v0.16.0
          trust:
            namespace: netbackup
          # ...
        
        pkgImporter:
          image:
            repository: my-artifactory.mycompany.com/jetstack/trust-pkg-debian-bookworm
            tag: "20230311.0"
        
        # Add imagePullSecrets
        imagePullSecrets:
        - name: artifactory-registry-secret
      • Option 2: Use --set parameters during installation:

        Instead of modifying the values.yaml files directly, you can use --set parameters during installation.

        For more information, see the commented lines in the step 6 below.

  6. Connect to and install on your AKS cluster (Air-Gapped environment):
    • Authenticate to your AKS cluster:

      Before installing Helm charts, ensure that your kubectl is properly configured to communicate with your AKS cluster:

      # If you have Azure CLI in your air-gapped environment
      az login
      az account set --subscription <your-subscription-id>
      az aks get-credentials --resource-group <your-resource-group> --name <your-aks-cluster-name>
      
      # OR if you've transferred a kubeconfig file
      export KUBECONFIG=/path/to/your/kubeconfig
      
      # Verify connectivity
      kubectl cluster-info
      kubectl get nodes
    • Install cert-manager:

      Based on how you transferred the Helm charts, use one of the following approaches:

      # Create cert-manager namespace kubectl create namespace cert-manager

      Option 1:

      If you transferred the extracted chart directories
      helm install cert-manager ./cert-manager-chart/cert-manager \
        --namespace cert-manager \
        --set crds.enabled=true
        # If you didn't modify values.yaml, add these overrides:
        # --set image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-controller \
        # --set image.tag=v1.17.0 \
        # --set webhook.image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-webhook \
        # --set webhook.image.tag=v1.17.0 \
        # --set cainjector.image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-cainjector \
        # --set cainjector.image.tag=v1.17.0 \
        # --set startupapicheck.image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-startupapicheck \
        # --set startupapicheck.image.tag=v1.17.0 \
        # --set imagePullSecrets[0].name=artifactory-registry-secret

      Option 2:

      If you transferred packaged charts (.tgz files)
      helm install cert-manager ./packages/cert-manager-v1.17.0.tgz \
        --namespace cert-manager \
        --set crds.enabled=true
        # If you didn't modify values.yaml, add these overrides:
        # --set image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-controller \
        # --set image.tag=v1.17.0 \
        # --set webhook.image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-webhook \
        # --set webhook.image.tag=v1.17.0 \
        # --set cainjector.image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-cainjector \
        # --set cainjector.image.tag=v1.17.0 \
        # --set startupapicheck.image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-startupapicheck \
        # --set startupapicheck.image.tag=v1.17.0 \
        # --set imagePullSecrets[0].name=artifactory-registry-secret
    • Install trust-manager:

      Based on how you transferred the Helm charts, use one of the following approaches:

      # Create trust-manager and netbackup namespace kubectl create namespace trust-manager kubectl create namespace netbackup

      Option 1:

      If you transferred the extracted chart directories
      helm install trust-manager ./trust-manager-chart/trust-manager \
        --namespace trust-manager \
        --set app.trust.namespace=netbackup \
        --wait
        # If you didn't modify values.yaml, add these overrides:
        # --set app.image.repository=my-artifactory.mycompany.com/jetstack/trust-manager \
        # --set app.image.tag=v0.16.0 \
        # --set pkgImporter.image.repository=my-artifactory.mycompany.com/jetstack/trust-pkg-debian-bookworm \
        # --set pkgImporter.image.tag=20230311.0 \
        # --set imagePullSecrets[0].name=artifactory-registry-secret

      Option 2:

      If you transferred packaged charts (.tgz files)
      helm install trust-manager ./packages/trust-manager-v0.16.0.tgz \
        --namespace trust-manager \
        --set app.trust.namespace=netbackup \
        --wait
        # If you didn't modify values.yaml, add these overrides:
        # --set app.image.repository=my-artifactory.mycompany.com/jetstack/trust-manager \
        # --set app.image.tag=v0.16.0 \
        # --set pkgImporter.image.repository=my-artifactory.mycompany.com/jetstack/trust-pkg-debian-bookworm \
        # --set pkgImporter.image.tag=20230311.0 \
        # --set imagePullSecrets[0].name=artifactory-registry-secret
  7. Verify the installation:
    # Check if cert-manager pods are running
    kubectl get pods -n cert-manager
    
    # Check if trust-manager pod is running
    kubectl get pods -n trust-manager -l app=trust-manager

Feedback

Was this page helpful?
Previous

How to deploy Cloud Scale

Next

Deploying the operators

Feedback

Was this page helpful?