Authenticate to Next-Gen Trust Security with private key JWT¶
In this tutorial, you'll configure Connection for Next-Gen Trust Security (the Connection resource) to authenticate to Next-Gen Trust Security (NGTS) using a Built-in Account and a private key JSON Web Token (JWT). The private key never leaves the cluster: it is stored in a Kubernetes Secret, and the Connection resource controller uses it to sign a short-lived JWT that it exchanges for an OAuth bearer token.
Once these steps are complete, the Connection resource will be able to authenticate to NGTS on behalf of your cluster components, such as Discovery Agent, Distributed Issuer, and Enterprise Issuer.
Prerequisites¶
Before you begin, prepare your environment, create a Built-in Account, and save the credentials.
Prepare your environment¶
To configure Connection for Next-Gen Trust Security, you need:
- Access to an NGTS tenant.
- `kubectl` installed on your workstation.
- The Connection resource custom resource definition (CRD) installed in your cluster. To confirm, run `kubectl get crd venaficonnections.jetstack.io`. If it is not present, see Installing Connection for Next-Gen Trust Security using Helm.
Create a Built-in Account¶
Create a Built-in Account in NGTS using key pair authentication. Choose the Use Case and Scope for your component as follows:
- Discovery Agent: Select the `Discovery Agent` Use Case and the `Kubernetes Discovery` Scope.
- Distributed Issuer: Select the `Distributed Issuer` Use Case and the `Distributed Issuance` Scope.
- Enterprise Issuer: Select the `cert-manager Enterprise Issuer` Use Case and Scope.
Save the following credentials:
- Private key: The private key from your key pair (PEM-encoded).
- Client ID: The `clientID` of your Built-in Account, for example `00000000-0000-0000-0000-000000000000`.
- Tenant Service Group ID: Your tenant's `tsgID`, for example `0000000000`.
Step 1: Configure the private key¶
Store your Built-in Account private key in a Kubernetes Secret and grant Connection resource permission to read it.
About cross-namespace access
These steps use the venafi namespace, which is the recommended location. To use application namespaces instead, enable cross-namespace access with allowReferencesFrom.
1. Create a Kubernetes Secret containing your private key. The manifest holds the key in plaintext, so keep it out of version control and delete the file once the Secret has been applied.

ngts-credentials-secret.yaml

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ngts-credentials
  namespace: venafi
stringData:
  privateKey: |
    -----BEGIN EC PRIVATE KEY-----
    <your private key content>
    -----END EC PRIVATE KEY-----
```

Apply the manifest:

```bash
kubectl apply -f ngts-credentials-secret.yaml
```

2. Create a Role that grants the Connection resource read access to the `ngts-credentials` Secret only. The `resourceNames` entry limits the grant to that one Secret, and `get` is the only verb the controller needs:

ngts-credentials-role.yaml

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: get-ngts-credentials
  namespace: venafi
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
    resourceNames: ["ngts-credentials"]
```

Apply the manifest:

```bash
kubectl apply -f ngts-credentials-role.yaml
```

3. Create a RoleBinding that binds the Role to the Connection resource controller. The subject must be the ServiceAccount the controller actually runs as (`venafi-connection` in the `venafi` namespace here); if your installation uses a different name, adjust the subject accordingly:

ngts-credentials-rolebinding.yaml

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ngts-credentials-rolebinding
  namespace: venafi
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: get-ngts-credentials
subjects:
  - kind: ServiceAccount
    name: venafi-connection
    namespace: venafi
```

Apply the manifest:

```bash
kubectl apply -f ngts-credentials-rolebinding.yaml
```
Step 2: Create the connection resource¶
Create a Connection resource that authenticates to NGTS using the private key stored in Step 1.
1. Create the Connection resource:

ngts-connection.yaml

```yaml
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: ngts-connection
  namespace: venafi
spec:
  ngts:
    tsgID: "<your-tsgID>" # (1)!
    jwt: # (2)!
      - secret: # (3)!
          name: ngts-credentials
          fields:
            - privateKey
      - privateKeyJWT: # (4)!
          clientID: "<your-client-id>"
```

1. Replace with your Tenant Service Group ID.
2. Defines a two-step authentication chain; the output of each step is the input of the next.
3. Reads the `privateKey` field from the `ngts-credentials` Secret in the same namespace (this is the read that the Role from Step 1 permits).
4. Signs a JWT with that private key on behalf of the Built-in Account identified by `clientID` and exchanges it for an OAuth bearer token. Replace `<your-client-id>` with the Client ID you saved earlier.

Apply the manifest:

```bash
kubectl apply -f ngts-connection.yaml
```
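The four manifests from Step 1 and Step 2 only work together when their names, namespaces and field references agree. The script below is an added example, not code from the Venafi documentation or the Connection resource project: it builds the same Secret, Role, RoleBinding and VenafiConnection as Python dicts, lints them for the mismatches that most often break the private key JWT chain (a Role that grants more than `get` on the one Secret, a RoleBinding subject in another namespace, a connection that references a Secret field that does not exist), and emits them as a JSON List that `kubectl apply` accepts as readily as YAML. The PEM string is a constructed placeholder, not a real key; the ServiceAccount name `venafi-connection` is taken from the RoleBinding above.

```python
"""Build and cross-check the Step 1 and Step 2 manifests before applying them.

Added example, not code from the Venafi documentation or the Connection resource
project. kubectl accepts JSON as well as YAML, so the manifests are emitted as a
single JSON List for `kubectl apply -f -`. The lint catches the mistakes that
most often break the private key JWT chain: a Role that grants more than `get`
on the one Secret, a RoleBinding subject in the wrong namespace, and a
VenafiConnection that names a Secret or field that does not exist.
"""
import json

NAMESPACE = "venafi"
SECRET_NAME = "ngts-credentials"
ROLE_NAME = "get-ngts-credentials"
SERVICE_ACCOUNT = "venafi-connection"  # ServiceAccount the controller runs as

# Constructed placeholder, not a real key. Read the real PEM from the file the
# Built-in Account gave you and keep it out of version control.
PLACEHOLDER_PEM = ("-----BEGIN EC PRIVATE KEY-----\n"
                   "<your private key content>\n"
                   "-----END EC PRIVATE KEY-----\n")


def secret_manifest(private_key_pem):
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": SECRET_NAME, "namespace": NAMESPACE},
            "stringData": {"privateKey": private_key_pem}}


def role_manifest():
    # Least privilege: `get` only, on the one named Secret only.
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": ROLE_NAME, "namespace": NAMESPACE},
            "rules": [{"apiGroups": [""], "resources": ["secrets"],
                       "verbs": ["get"], "resourceNames": [SECRET_NAME]}]}


def rolebinding_manifest():
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": "ngts-credentials-rolebinding", "namespace": NAMESPACE},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "Role", "name": ROLE_NAME},
            "subjects": [{"kind": "ServiceAccount", "name": SERVICE_ACCOUNT,
                          "namespace": NAMESPACE}]}


def connection_manifest(tsg_id, client_id):
    # Two-step chain: read the key from the Secret, then sign a JWT with it.
    return {"apiVersion": "jetstack.io/v1alpha1", "kind": "VenafiConnection",
            "metadata": {"name": "ngts-connection", "namespace": NAMESPACE},
            "spec": {"ngts": {"tsgID": tsg_id, "jwt": [
                {"secret": {"name": SECRET_NAME, "fields": ["privateKey"]}},
                {"privateKeyJWT": {"clientID": client_id}}]}}}


def lint(secret, role, binding, conn):
    """Return the list of problems found; an empty list means the manifests agree."""
    problems = []
    ns, name = secret["metadata"]["namespace"], secret["metadata"]["name"]
    for rule in role["rules"]:
        if set(rule["verbs"]) != {"get"}:
            problems.append(f"Role grants {sorted(rule['verbs'])}; only 'get' is needed")
        if rule.get("resourceNames") != [name]:
            problems.append("Role is not limited to the credentials Secret by resourceNames")
    if binding["roleRef"]["name"] != role["metadata"]["name"]:
        problems.append("RoleBinding roleRef does not name the Role")
    for subj in binding["subjects"]:
        if subj.get("namespace") != ns:
            problems.append(f"subject {subj['name']} is not in namespace {ns}")
    steps = conn["spec"]["ngts"]["jwt"]
    ref = steps[0].get("secret", {})
    if ref.get("name") != name or conn["metadata"]["namespace"] != ns:
        problems.append("VenafiConnection does not reference the credentials Secret")
    missing = [f for f in ref.get("fields", []) if f not in secret["stringData"]]
    if missing:
        problems.append(f"Secret lacks fields referenced by the connection: {missing}")
    if not steps[-1].get("privateKeyJWT", {}).get("clientID"):
        problems.append("jwt chain does not end in a privateKeyJWT step with a clientID")
    return problems


def render(tsg_id, client_id, private_key_pem):
    """JSON List of all four manifests; raises if the lint finds a problem."""
    items = [secret_manifest(private_key_pem), role_manifest(),
             rolebinding_manifest(), connection_manifest(tsg_id, client_id)]
    problems = lint(*items)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2)


if __name__ == "__main__":
    print(render("0000000000", "00000000-0000-0000-0000-000000000000", PLACEHOLDER_PEM))
```

Pipe the output to `kubectl apply -f -`. If you would rather not write the private key into any manifest, `kubectl create secret generic ngts-credentials -n venafi --from-file=privateKey=<path-to-key>` creates the same Secret straight from the key file. After applying, confirm that the binding actually took effect with `kubectl auth can-i get secret/ngts-credentials -n venafi --as=system:serviceaccount:venafi:venafi-connection` (it should print `yes`, and `no` for any other Secret name), and use `kubectl describe venaficonnection ngts-connection -n venafi` to read the controller's status for the connection.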