# Venafi Connection authentication to Venafi TLS Protect Datacenter or Venafi Control Plane
Venafi Connection provides a variety of authentication options for connecting your Kubernetes cluster to Venafi. The following table gives a basic overview of these options compared with each other.
| Product | Authentication Method | Credential Storage | Maintenance |
|---|---|---|---|
| Venafi Connection | Workload Identity Federation using the OIDC protocol | Dynamically generated short-lived tokens | One-time set-up per cluster (scriptable) |
| Venafi Connection | Access Token | Long-lived access tokens stored in Kubernetes secrets or HashiCorp Vault | Requires periodic token rotation |
| Venafi Connection | Username/Password | Long-lived username and password credentials stored in Kubernetes secrets or HashiCorp Vault | Requires periodic password rotation |
| Open-source cert-manager | Access Token | Long-lived access tokens stored in Kubernetes secrets | Requires periodic token rotation |
The following sections describe the advantages and disadvantages of each approach Venafi Connection uses.
## Configuring authentication using workload identity federation
Workload identity federation allows Venafi components for Kubernetes, such as Venafi Enhanced Issuer, to authenticate with Venafi Control Plane securely without having to manage and secure long-lived credentials (like passwords or API keys). Instead, Kubernetes can function as an OIDC provider such that Venafi Control Plane can validate its service account tokens using JWT/OIDC authentication.
This is a secretless method for authenticating with TLS Protect Datacenter or Venafi Control Plane: no access token or password is required. In the case of TLS Protect Datacenter, this method is limited to TLS Protect Datacenter 22.4 or later.
This method also has the advantage of being a one-time setup, and no credentials need to be passed between your teams.
This option is the best choice for managing authentication, as there are no long-lived credentials at all.
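As an added example (not from the Venafi documentation): a small Python check that decodes the claims of a Kubernetes service-account token and flags anything that would make it a poor federated credential, such as a legacy token without `exp`/`aud` claims, an over-long lifetime, or the wrong audience. The issuer, audience and service-account names are constructed for the example, and the check deliberately does not verify the signature; that is the relying party's job, done against the cluster's OIDC discovery document and JWKS.

```python
import base64
import json
import time

# Constructed values: a real cluster's issuer comes from its
# --service-account-issuer flag; the audience is whatever Venafi expects.
DEMO_ISSUER = "https://kubernetes.default.svc.cluster.local"
DEMO_AUDIENCE = "venafi-example-audience"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def make_demo_token(claims: dict, alg: str = "RS256") -> str:
    # Constructed, unsigned token for demonstration only: the signature segment
    # is a placeholder, so any real verifier would reject it.
    header = _b64url_encode({"alg": alg, "kid": "demo"})
    return ".".join([header, _b64url_encode(claims), "placeholder-signature"])

def lint_sa_token(token: str, audience: str, max_ttl: int = 3600, now=None) -> list:
    """Inspect a service-account token's claims WITHOUT verifying the signature
    (the relying party does that against the issuer's OIDC JWKS) and report
    anything that makes it unsuitable as a short-lived federated credential."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    findings = []
    if str(header.get("alg", "none")).lower() == "none":
        findings.append("unsigned token (alg=none)")
    if not str(claims.get("iss", "")).startswith("https://"):
        findings.append("issuer missing or not https; OIDC discovery requires https")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        findings.append("subject is not a Kubernetes service account")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if audience not in aud:
        findings.append(f"audience {aud} does not include expected {audience!r}")
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or iat is None:
        findings.append("missing exp/iat claims: legacy long-lived token")
    elif exp - iat > max_ttl:
        findings.append(f"lifetime {exp - iat}s exceeds {max_ttl}s")
    elif exp <= now:
        findings.append("token already expired")
    return findings
```

A projected token requested with a short duration and the audience Venafi was configured for produces no findings; a legacy secret-based token, which carries neither `exp` nor `aud`, is reported as long-lived.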
## Configuring authentication using HashiCorp Vault
You have two other options when configuring Venafi Connection to work with HashiCorp Vault:
- Authenticating to Venafi TLS Protect Datacenter using a username and password stored in HashiCorp Vault.
- Authenticating to Venafi TLS Protect Datacenter using a username and password stored in LDAP by means of HashiCorp Vault's LDAP Secret Engine.
These methods, however, also require periodic manual rotation of passwords.
## Configuring authentication using Kubernetes Secrets
This is the simplest authentication mechanism. In this case, the Venafi TLS Protect Datacenter access token, Venafi TLS Protect Datacenter username and password, or Venafi-as-a-Service API Key are loaded from a Kubernetes secret.
This method, however, requires manual rotation of tokens and passwords.