Authenticate to Next-Gen Trust Security with private key JWT

In this tutorial, you'll configure Connection for Next-Gen Trust Security (Connection resource) to authenticate to Next-Gen Trust Security (NGTS) using a Built-in Account and a private key JSON Web Token (JWT).

Once these steps are complete, Connection resource will be able to authenticate to NGTS on behalf of your cluster components, such as Discovery Agent, Distributed Issuer, and Enterprise Issuer.

Prerequisites

Before you begin, prepare your environment, create a Built-in Account, and save the credentials.

Prepare your environment

To configure Connection for Next-Gen Trust Security, you need:

Create a Built-in Account

Create a Built-in Account in NGTS using key pair authentication. Choose the Use Case and Scope for your component as follows:

  • Discovery Agent: Select the Discovery Agent Use Case and Kubernetes Discovery Scope.
  • Distributed Issuer: Select the Distributed Issuer Use Case and Distributed Issuance Scope.
  • Enterprise Issuer: Select the cert-manager Enterprise Issuer Use Case and Scope.

Save the following credentials:

  • Private key: From your key pair, saved during account creation.
  • Client ID: From your Built-in Account, for example 00000000-0000-0000-0000-000000000000. On the Built-in Accounts page, click the account name and in the details drawer that appears, copy from the Client ID field.
  • Tenant Service Group ID: From your Built-in Account, for example 0000000000. On the Built-in Accounts page, copy the Tenant ID from the same area.

Step 1: Configure the private key

Store your Built-in Account private key in a Kubernetes Secret and grant Connection resource permission to read it.

About cross-namespace access

These steps use the venafi namespace, which is the recommended location. To use application namespaces instead, enable cross-namespace access with allowReferencesFrom.

  1. Create a Kubernetes Secret containing your private key:

    ngts-credentials-secret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: ngts-credentials
      namespace: venafi
    stringData:
      privateKey: |
        -----BEGIN EC PRIVATE KEY-----
        <your private key content>
        -----END EC PRIVATE KEY-----
    

    Apply the manifest:

    kubectl apply -f ngts-credentials-secret.yaml
    
  2. Create a Role that grants Connection resource read access to the ngts-credentials Secret:

    ngts-credentials-role.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: get-ngts-credentials
      namespace: venafi
    rules:
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["get"]
      resourceNames: ["ngts-credentials"]
    

    Apply the manifest:

    kubectl apply -f ngts-credentials-role.yaml
    
  3. Create a RoleBinding that binds the Role to the Connection resource controller:

    ngts-credentials-rolebinding.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: ngts-credentials-rolebinding
      namespace: venafi
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: get-ngts-credentials
    subjects:
    - kind: ServiceAccount
      name: venafi-connection
      namespace: venafi
    

    Apply the manifest:

    kubectl apply -f ngts-credentials-rolebinding.yaml
    

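    To confirm the Role from Step 1 is as narrow as intended, the following added example (not part of this page or of the Venafi project) mirrors Kubernetes RBAC rule matching offline and evaluates the Role's rules against the request the Connection controller needs and several it should not be able to make; the rule list is transcribed from ngts-credentials-role.yaml above.

```python
"""Offline least-privilege check for the get-ngts-credentials Role.

Added example: reimplements the Kubernetes RBAC rule-matching semantics
for plain Python dicts so the Role can be inspected without a cluster.
"""

# Rules transcribed from ngts-credentials-role.yaml (the page's own Role).
GET_NGTS_CREDENTIALS_RULES = [
    {
        "apiGroups": [""],
        "resources": ["secrets"],
        "verbs": ["get"],
        "resourceNames": ["ngts-credentials"],
    }
]


def rule_allows(rule, verb, api_group, resource, name=None):
    """Return True if a single RBAC rule authorizes the request.

    Kubernetes semantics: '*' is a wildcard for verbs, apiGroups and
    resources. A non-empty resourceNames list only matches requests that
    carry a resource name, so such a rule can never grant collection verbs
    like list or watch, which are evaluated without a name.
    """
    def match(allowed, value):
        return "*" in allowed or value in allowed

    if not match(rule.get("verbs", []), verb):
        return False
    if not match(rule.get("apiGroups", []), api_group):
        return False
    if not match(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames", [])
    if names:
        return name is not None and name in names
    return True


def role_allows(rules, verb, api_group, resource, name=None):
    """A Role authorizes a request if any one of its rules does."""
    return any(rule_allows(r, verb, api_group, resource, name) for r in rules)


if __name__ == "__main__":
    checks = [
        ("get", "", "secrets", "ngts-credentials"),    # needed by Connection
        ("get", "", "secrets", "other-secret"),        # expect denied
        ("list", "", "secrets", None),                 # expect denied
        ("update", "", "secrets", "ngts-credentials"), # expect denied
    ]
    for verb, group, res, name in checks:
        ok = role_allows(GET_NGTS_CREDENTIALS_RULES, verb, group, res, name)
        print(f"{verb} {res}/{name} -> {'allowed' if ok else 'denied'}")
```

Against a live cluster the equivalent check is `kubectl auth can-i get secrets/ngts-credentials -n venafi --as=system:serviceaccount:venafi:venafi-connection`, which should answer yes while `kubectl auth can-i list secrets` with the same flags answers no.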
Step 2: Create the connection resource

Create a Connection resource that authenticates to NGTS using the private key stored in Step 1.

  1. Create the Connection resource:

    ngts-connection.yaml
    apiVersion: jetstack.io/v1alpha1
    kind: VenafiConnection
    metadata:
      name: ngts-connection
      namespace: venafi
    spec:
      ngts:
        tsgID: "<your-tsgID>" # (1)!
        jwt: # (2)!
        - secret: # (3)!
            name: ngts-credentials
            fields:
            - privateKey
        - privateKeyJWT: # (4)!
            clientID: "<your-client-id>"
    
    1. Replace with your Tenant Service Group ID.
    2. Defines a two-step authentication chain.
    3. Reads the private key from the Kubernetes Secret.
    4. Signs a JWT and exchanges it for an OAuth bearer token.

    Apply the manifest:

    kubectl apply -f ngts-connection.yaml