Skip to content

Firefly Authentication Methods with TLS Protect Datacenter

In order for Firefly to operate with TLS Protect Datacenter, it must be represented as a user identity within the TLS Protect Datacenter system. This identity can then authenticate using various methods, such as a JSON Web Token (JWT) or a username and password. Below, you will find more details about the available authentication methods and how to configure them.

Configuring Firefly to use OIDC authentication with TLS Protect Datacenter

Firefly can be configured to use OIDC authentication with a JSON Web Token (JWT) signed by the Kubernetes platform and verified by TLS Protect Datacenter. This method leverages short-lived, dynamic credentials that are issued on demand and are not stored on the Kubernetes platform.

Although this is a more complex setup, it is the recommended authentication method, as it aligns with modern security best practices.

To learn how to configure Firefly to use OIDC authentication with JWT, follow the instructions in Authenticating to TLS Protect Datacenter

Configuring Firefly to use username and password authentication with TLS Protect Datacenter

There are cases where OIDC authentication is not applicable, and an alternative authentication method must be used. One example is when Firefly is not deployed on a Kubernetes platform. In such scenarios, the username and password approach can be used instead.

Security Considerations

This method requires a static credential to be stored on the platform where Firefly is deployed, and it must be manually rotated in accordance with the organization's security policies.

There are two options for storing the credentials: as a Kubernetes Secret or as a file on the filesystem.

Using credentials stored as a Kubernetes Secret

The following is an example of a values file that can be used when deploying Firefly with Helm. In this scenario, a VenafiConnection will be created after deployment and configured to use username and password authentication to TLS Protect Datacenter. Before deploying Firefly, you should create a Kubernetes Secret containing the credentials:

firefly-credentials Secret
kubectl create secret generic firefly-credentials \
  --namespace=venafi \
  --from-literal=username='firefly' \
  --from-literal=password='topsecret'

Below is an example of a values file showing a sample configuration where the username and password will be loaded from a Kubernetes Secret:

firefly.values.yaml
acceptTerms: true
deployment:
  extraVolumes: # (1)!
  - name: ca-bundle-cert
    secret:
      secretName: ca-bundle-cert
  extraVolumeMounts: # (2)!
  - mountPath: /etc/ssl/certs/
    name: ca-bundle-cert
  config:
    bootstrap:
      tpp:
        enabled: true
        csr:
          instanceNaming: Instance1 Location1 # (3)!
        configurationDN: firefly\\security-config # (4)!
        connection:
          create: true # (5)!
          name: tpp-connection
          url: https://tpp.example.com/ # (6)!
          usernamePassword: # (7)!
            enabled: true
            name: firefly-credentials # (8)!
    controller:
      enabled: true # (9)!
      certManager:
        caRootChainPopulation: false # (10)! 
        checkApproval: true # (11)!
  1. Omit this section if TLS Protect Datacenter is using a publicly trusted TLS certificate for its API.
  2. Omit this section if TLS Protect Datacenter is using a publicly trusted TLS certificate for its API.
  3. The naming pattern for the Firefly instances.
  4. The name of the Firefly security configuration.
  5. If set to true, a VenafiConnection will be created with the specified name and authentication method.
  6. The TLS Protect Datacenter URL.
  7. The authentication method.
  8. You must store the credentials in a Secret with the name specified here, within the same namespace as Firefly, using the following keys: username and password.
  9. Set to false if you don't want Firefly to act as a Kubernetes Controller and process cert-manager Certificate resources.
  10. Set to true if you want to automatically populate the status.ca field with the CA information.
  11. Set to false if you want Firefly to process CertificateRequest resources without waiting for approval.

To install Firefly using Helm, run the following command:

helm install prod oci://registry.venafi.cloud/public/venafi-images/helm/firefly \
    --namespace venafi \
    --values firefly.values.yaml \
    --version v1.6.0

Using credentials stored as a file

The following is an example of a bootstrap configuration file that can be used when Firefly is run in non-Kubernetes environments, such as a standalone application on a Linux machine. In this scenario, a VenafiConnection will not be created, as the credentials will be loaded from a YAML file stored alongside Firefly.

Before running Firefly, you should create a YAML file containing the credentials:

firefly-credentials.yaml File
(umask 377 && cat > firefly-credentials.yaml << EOF
username: firefly
password: topsecret
EOF
)

Security Considerations

The umask ensures that the file has read-only permissions for the current user. If needed, adjust the file permissions so that only the Firefly user can read the credentials.

Below is an example bootstrap configuration file that can be passed to Firefly to read the credentials from a YAML file named firefly-credentials.yaml.

bootstrap.yaml
bootstrap:
  tpp:
    configurationDN: firefly\\security-config
    connection:
      inline:
        url: https://tpp.example.com/
        accessToken:
        - file:
            path: firefly-credentials.yaml
            fields: ["username", "password"]
        - tppOAuth:
            authInputType: UsernamePassword
            clientId: firefly
    csr:
      instanceNaming: Instance1 Location1
server:
  rest:
    port: 8281
    tls:
      dnsNames:
      - rest.firefly.local

To start Firefly, run:

Start Firefly
ACCEPT_TERMS=Y ./firefly-pkcs11 run --config bootstrap.yaml