Workload Identity Manager Network Requirements for Certificate Manager - Self-Hosted¶
CyberArk Workload Identity Manager (formerly known as Firefly) needs to connect to the WebSDK API of your Certificate Manager - Self-Hosted instance in order to fetch the security configuration and enroll subordinate CA certificates. Therefore, you may need to configure your firewall or egress proxy accordingly.
Workload Identity Manager supports multiple authentication methods when working with Certificate Manager - Self-Hosted. When using the OIDC authentication method, Certificate Manager - Self-Hosted requires access to the OIDC Discovery endpoint of the Kubernetes cluster where Workload Identity Manager is deployed. This access is necessary to retrieve the information required to validate the JWT credentials used by Workload Identity Manager.
If Workload Identity Manager is deployed in a secure environment that limits connections, you may need to configure your firewall with the following egress rule:
| Rule | Source host | Destination host | Protocol | Port | Notes |
|---|---|---|---|---|---|
| ALLOW | <Your Kubernetes Cluster> | <Your Certificate Manager - Self-Hosted> | TCP | 443 | |
| ALLOW | <Your Certificate Manager - Self-Hosted> | <Your Kubernetes Cluster> | TCP | 443 | Only needed when OIDC authentication is used. |
If you use an egress proxy you can assign the proxy address to an environment variable called HTTPS_PROXY, in the environment of the Workload Identity Manager process. Workload Identity Manager uses the Go HTTP library, which allows getting the proxy from the process environment.
The steps will be different, depending on whether you deploy Workload Identity Manager on Kubernetes or on a VM using Docker.
Modifying network settings for Kubernetes¶
Egress using NetworkPolicy¶
Many Kubernetes clusters and most OpenShift clusters have NetworkPolicy enabled. NetworkPolicies allow you to limit how a Pod communicates over the network. NetworkPolicies apply to a connections between Pods in a cluster and also apply to connections between Pods and the Certificate Manager - Self-Hosted instance.
Here is an example of NetworkPolicy which will allow Workload Identity Manager to connect to the WebSDK API of your Certificate Manager - Self-Hosted instance.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-firefly-egress
namespace: venafi
spec:
podSelector:
matchLabels:
app: firefly
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 1.2.3.4/32 # replace with the CIRD block of your Certificate Manager - Self-Hosted instance
ports:
- protocol: TCP
port: 443
Proxy server considerations¶
Some Kubernetes clusters are configured to only allow Internet connections via an HTTP(S) proxy. If that applies to you:
-
Add the URL of your Certificate Manager - Self-Hosted instance to the allowed domain list of your egress proxy.
-
Add an
HTTPS_PROXYenvironment variable to the PodTemplate of the Workload Identity Manager Deployment resource.