Rotating Discovery Agent credentials

Discovery Agent for Next-Gen Trust Security uses a Built-in Account to authenticate against Next-Gen Trust Security. Rotate that account periodically, and immediately if its credential may have been compromised.

To rotate Discovery Agent credentials

  1. Identify the Built-in Account that Discovery Agent is using by decoding the client ID in the existing secret:

    kubectl get secret -n=venafi discovery-agent-credentials -o jsonpath="{.data.clientID}" | base64 -d

    Save the client ID for the final step.

  2. Create a new Built-in Account in Next-Gen Trust Security:

    1. Click System Settings > Built-in Accounts.
    2. Click New and create a new Built-in Account with the use case Discovery Agent and the scope Kubernetes Discovery.
    3. Save the new private key as discovery-agent-private-key.pem.
    4. Save the new client ID to clientID.txt.

  3. Delete the old secret from your cluster:

    kubectl delete secret -n=venafi discovery-agent-credentials
  4. Create a new secret with the new credentials:

    kubectl create secret generic discovery-agent-credentials \
      --namespace=venafi \
      --from-file=clientID=clientID.txt \
      --from-file=privatekey.pem=discovery-agent-private-key.pem
  5. Restart Discovery Agent:

    kubectl rollout restart -n=venafi deployment agent
  6. On the Built-in Accounts page in Next-Gen Trust Security, delete the old Built-in Account you identified in step 1.
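The kubectl part of the procedure above as one checked script, added here as an example and not code from the original page. It assumes the Built-in Account from step 2 has already been created in the UI and saved to the two files named in that step, that the deployment is called agent in the venafi namespace as in step 5, and it replaces the secret with kubectl apply instead of delete followed by create, so the secret is never absent from the cluster; the old client ID is printed at the end for step 6.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the kubectl steps of the rotation
# above as a checked script. Assumes the new Built-in Account already exists and
# its client ID and private key are in the two files given as arguments.
set -eu
NS="${NS:-venafi}"
SECRET="${SECRET:-discovery-agent-credentials}"
DEPLOY="${DEPLOY:-agent}"   # assumption: the Discovery Agent deployment name

# Reject bad input files before anything in the cluster is touched.
validate_inputs() {
  local id_file="$1" key_file="$2"
  [ -s "$id_file" ] || { echo "client ID file missing or empty" >&2; return 1; }
  [ "$(grep -c '' "$id_file")" -eq 1 ] \
    || { echo "client ID file must hold exactly one line" >&2; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key_file" \
    || { echo "key file is not a PEM private key" >&2; return 1; }
}
# Step 1: client ID of the account currently in use (needed again for step 6).
current_client_id() {
  local id
  id="$(kubectl get secret -n "$NS" "$SECRET" -o jsonpath='{.data.clientID}' | base64 -d)"
  [ -n "$id" ] || { echo "could not read clientID from secret $SECRET" >&2; return 1; }
  echo "$id"
}
# Steps 3 and 4 in one move: render the new secret and apply it over the old one,
# so there is no window in which the secret is missing from the cluster.
replace_secret() {
  kubectl create secret generic "$SECRET" -n "$NS" \
    --from-file=clientID="$1" --from-file=privatekey.pem="$2" \
    --dry-run=client -o yaml | kubectl apply -f -
}
# Step 5, plus a wait so a failed restart is reported instead of going unnoticed.
restart_agent() {
  kubectl rollout restart -n "$NS" deployment "$DEPLOY"
  kubectl rollout status -n "$NS" deployment "$DEPLOY" --timeout=120s
}
rotate() {
  validate_inputs "$1" "$2"
  local old_id; old_id="$(current_client_id)"
  replace_secret "$1" "$2"
  restart_agent
  # Confirm the cluster now holds the ID that was meant to be installed.
  [ "$(current_client_id)" = "$(cat "$1")" ] \
    || { echo "secret verification failed" >&2; return 1; }
  echo "Rotation done. Delete the old Built-in Account with client ID: $old_id"
}
# Usage: ./rotate-agent-creds.sh clientID.txt discovery-agent-private-key.pem
if [ "$#" -eq 2 ]; then rotate "$1" "$2"; fi
```

Run it with the two files from step 2 as arguments; with no arguments it only defines the functions, which lets validate_inputs be exercised on its own.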