Workload Identity Manager Authentication Methods with Certificate Manager - Self-Hosted¶
In order for Workload Identity Manager to operate with Certificate Manager - Self-Hosted, it must be represented as a user identity within the Certificate Manager - Self-Hosted system. This identity can then authenticate using various methods, such as a JSON Web Token (JWT) or a username and password. Below, you will find more details about the available authentication methods and how to configure them.
Configuring Workload Identity Manager to use OIDC authentication with Certificate Manager - Self-Hosted¶
Workload Identity Manager can be configured to use OIDC authentication with a JSON Web Token (JWT) signed by the Kubernetes platform and verified by Certificate Manager - Self-Hosted. This method leverages short-lived, dynamic credentials that are issued on demand and are not stored on the Kubernetes platform.
Although this is a more complex setup, it is the recommended authentication method, as it aligns with modern security best practices.
To learn how to configure Workload Identity Manager to use OIDC authentication with JWT, follow the instructions in Authenticating to Certificate Manager - Self-Hosted
Configuring Workload Identity Manager to use username and password authentication with Certificate Manager - Self-Hosted¶
There are cases where OIDC authentication is not applicable, and an alternative authentication method must be used. One example is when Workload Identity Manager is not deployed on a Kubernetes platform. In such scenarios, the username and password approach can be used instead.
Security Considerations
This method requires a static credential to be stored on the platform where Workload Identity Manager is deployed, and it must be manually rotated in accordance with the organization's security policies.
There are two options for storing the credentials: as a Kubernetes Secret or as a file on the filesystem.
Using credentials stored as a Kubernetes Secret¶
The following is an example of a values file that can be used when deploying Workload Identity Manager with Helm. In this scenario, a Connection resource will be created after deployment and configured to use username and password authentication to Certificate Manager - Self-Hosted. Before deploying Workload Identity Manager, you should create a Kubernetes Secret containing the credentials:
kubectl create secret generic firefly-credentials \
--namespace=venafi \
--from-literal=username='firefly' \
--from-literal=password='topsecret'
Below is an example of a values file showing a sample configuration where the username and password will be loaded from a Kubernetes Secret:
acceptTerms: true
deployment:
extraVolumes: # (1)!
- name: ca-bundle-cert
secret:
secretName: ca-bundle-cert
extraVolumeMounts: # (2)!
- mountPath: /etc/ssl/certs/
name: ca-bundle-cert
config:
bootstrap:
tpp:
enabled: true
csr:
instanceNaming: Instance1 Location1 # (3)!
configurationDN: firefly\\security-config # (4)!
connection:
create: true # (5)!
name: tpp-connection
url: https://tpp.example.com/ # (6)!
usernamePassword: # (7)!
enabled: true
name: firefly-credentials # (8)!
controller:
enabled: true # (9)!
certManager:
caRootChainPopulation: false # (10)!
checkApproval: true # (11)!
- Omit this section if Certificate Manager - Self-Hosted is using a publicly trusted TLS certificate for its API.
- Omit this section if Certificate Manager - Self-Hosted is using a publicly trusted TLS certificate for its API.
- The naming pattern for the Workload Identity Manager instances.
- The name of the Workload Identity Manager security configuration.
- If set to
true, a Connection resource will be created with the specified name and authentication method. - The Certificate Manager - Self-Hosted URL.
- The authentication method.
- You must store the credentials in a Secret with the name specified here, within the same namespace as Workload Identity Manager, using the following keys:
usernameandpassword. - Set to
falseif you don't want Workload Identity Manager to act as a Kubernetes Controller and process cert-manager Certificate resources. - Set to
trueif you want to automatically populate thestatus.cafield with the CA information. - Set to
falseif you want Workload Identity Manager to process CertificateRequest resources without waiting for approval.
To install Workload Identity Manager using Helm, run the following command:
helm install prod oci://registry.venafi.cloud/public/venafi-images/helm/firefly \
--namespace venafi \
--values firefly.values.yaml \
--version v1.9.0
Using credentials stored as a file¶
The following is an example of a bootstrap configuration file that can be used when Workload Identity Manager is run in non-Kubernetes environments, such as a standalone application on a Linux machine. In this scenario, a Connection resource will not be created, as the credentials will be loaded from a YAML file stored alongside Workload Identity Manager.
Before running Workload Identity Manager, you should create a YAML file containing the credentials:
(umask 377 && cat > firefly-credentials.yaml << EOF
username: firefly
password: topsecret
EOF
)
Security Considerations
The umask ensures that the file has read-only permissions for the current user. If needed, adjust the file permissions so that only the Workload Identity Manager user can read the credentials.
Below is an example bootstrap configuration file that can be passed to Workload Identity Manager to read the credentials from a YAML file named firefly-credentials.yaml.
bootstrap:
tpp:
configurationDN: firefly\\security-config
connection:
inline:
url: https://tpp.example.com/
accessToken:
- file:
path: firefly-credentials.yaml
fields: ["username", "password"]
- tppOAuth:
authInputType: UsernamePassword
clientId: firefly
csr:
instanceNaming: Instance1 Location1
server:
rest:
port: 8281
tls:
dnsNames:
- rest.firefly.local
To start Workload Identity Manager, run:
ACCEPT_TERMS=Y ./firefly-pkcs11 run --config bootstrap.yaml