Connection for CyberArk Certificate Manager authentication to Certificate Manager - Self-Hosted or Venafi Control Plane
Connection for CyberArk Certificate Manager (formerly known as Venafi Connection) provides a variety of authentication options to connect your Kubernetes cluster to CyberArk Certificate Manager - Self-Hosted or Venafi Control Plane. The following table gives a basic overview of these options compared with each other.
| Product | Authentication Method | Credential Storage | Maintenance |
|---|---|---|---|
| Connection for CyberArk Certificate Manager | Workload Identity Federation using the OIDC protocol | Dynamically generated short-lived tokens | One-time set-up per cluster (scriptable) |
| Connection for CyberArk Certificate Manager | Access Token | Long-lived access tokens stored in Kubernetes secrets or HashiCorp Vault | Requires periodic token rotation |
| Connection for CyberArk Certificate Manager | Username/Password | Long-lived username and password credentials stored in Kubernetes secrets or HashiCorp Vault | Requires periodic password rotation |
| Open-source cert-manager | Access Token | Long-lived access tokens stored in Kubernetes secrets | Requires periodic token rotation |

The following sections describe the advantages and disadvantages of each authentication approach a Connection resource can use.
Configuring authentication using workload identity federation
Workload identity federation allows CyberArk components for Kubernetes, such as Enterprise Issuer for CyberArk Certificate Manager, to authenticate with Venafi Control Plane securely without having to manage and secure long-lived credentials (like passwords or API keys). Instead, Kubernetes can function as an OIDC provider such that Venafi Control Plane can validate its service account tokens using JWT/OIDC authentication.
This is a secretless method for authenticating with Certificate Manager - Self-Hosted or Venafi Control Plane. With this method, you do not need an access token or password. For Certificate Manager - Self-Hosted, this method requires version 22.4 or later.
This method also has the advantage of being a one-time setup: no credentials need to be passed between your teams.
This option is the best choice for managing authentication because there are no long-lived credentials at all.
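As an added illustration (not code from this page or from CyberArk/Venafi), the following Python models the checks a relying party such as Venafi Control Plane performs on a Kubernetes service account token before trusting it: signature, issuer, audience, validity window, and binding of the subject to a namespace and service account. The issuer URL, audience, service account names and HMAC signing key are constructed demo values. Real projected service account tokens are signed with RS256 or ES256 and verified against the cluster's published JWKS; the HMAC stand-in here replaces that lookup so the block runs offline, and the claim layout (`iss`, `sub`, `aud`, `exp`, `nbf`, `kubernetes.io`) follows the shape Kubernetes bound tokens use.

```python
"""Relying-party validation of a Kubernetes service account token (added demo)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; assumptions, not values taken from the page.
DEMO_ISSUER = "https://kubernetes.default.svc.cluster.local"
DEMO_AUDIENCE = "https://api.venafi.cloud"  # audience the relying party expects
DEMO_KEY = b"demo-hmac-key-standing-in-for-the-cluster-signing-key"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(namespace, service_account, audience, now, ttl_seconds=3600, key=DEMO_KEY):
    """Build a token shaped like a projected service account token (HMAC stand-in signature)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "demo-key-1"}
    payload = {
        "iss": DEMO_ISSUER,
        "sub": f"system:serviceaccount:{namespace}:{service_account}",
        "aud": [audience],
        "iat": now,
        "nbf": now,
        "exp": now + ttl_seconds,
        "kubernetes.io": {"namespace": namespace,
                          "serviceaccount": {"name": service_account, "uid": "demo-uid"}},
    }
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + \
        _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token, expected_issuer, expected_audience, allowed_subjects, now, key=DEMO_KEY):
    """Return (accepted, reason); each check is one a relying party must enforce."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable token"
    # 1. Signature: pin the algorithm (never accept alg=none) and verify before reading claims.
    if header.get("alg") != "HS256":
        return False, f"unsupported alg {header.get('alg')!r}"
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature"
    # 2. Issuer must be the cluster that was registered with the relying party.
    if payload.get("iss") != expected_issuer:
        return False, "unexpected issuer"
    # 3. Audience binding: a token minted for another service is not accepted here.
    aud = payload.get("aud", [])
    if expected_audience not in ([aud] if isinstance(aud, str) else aud):
        return False, "audience mismatch"
    # 4. Validity window: short-lived tokens are the point of this method.
    if now >= payload.get("exp", 0):
        return False, "token expired"
    if now < payload.get("nbf", 0):
        return False, "token not yet valid"
    # 5. Subject: only the registered namespace/service account pair is authorised,
    #    and it must agree with the kubernetes.io claim.
    subject = payload.get("sub", "")
    if subject not in allowed_subjects:
        return False, f"subject {subject!r} not authorised"
    k8s = payload.get("kubernetes.io", {})
    bound = f"system:serviceaccount:{k8s.get('namespace')}:{k8s.get('serviceaccount', {}).get('name')}"
    if subject != bound:
        return False, "subject does not match kubernetes.io claim"
    return True, "accepted"


def demo(now=None):
    """Validate a good token and three tokens that must be rejected."""
    now = int(time.time()) if now is None else now
    allowed = {"system:serviceaccount:venafi:venafi-connection"}
    good = mint_demo_token("venafi", "venafi-connection", DEMO_AUDIENCE, now)
    wrong_aud = mint_demo_token("venafi", "venafi-connection", "https://other.example", now)
    expired = mint_demo_token("venafi", "venafi-connection", DEMO_AUDIENCE, now - 7200)
    other_sa = mint_demo_token("default", "default", DEMO_AUDIENCE, now)
    return {
        "good": validate_token(good, DEMO_ISSUER, DEMO_AUDIENCE, allowed, now),
        "wrong_audience": validate_token(wrong_aud, DEMO_ISSUER, DEMO_AUDIENCE, allowed, now),
        "expired": validate_token(expired, DEMO_ISSUER, DEMO_AUDIENCE, allowed, now),
        "other_service_account": validate_token(other_sa, DEMO_ISSUER, DEMO_AUDIENCE, allowed, now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:24s} accepted={ok} ({reason})")
```

The audience check is what makes federation safe to use across several relying parties: a token projected for the Certificate Manager audience cannot be replayed against another service, and the short `exp` bounds the damage if one leaks, which is exactly why no long-lived secret has to be stored or rotated.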
Configuring authentication using HashiCorp Vault
You have two other options when configuring Connection for CyberArk Certificate Manager to work with HashiCorp Vault:
- Authenticating to Certificate Manager - Self-Hosted using a username and password stored in HashiCorp Vault.
- Authenticating to Certificate Manager - Self-Hosted using a username and password stored in LDAP by means of HashiCorp Vault's LDAP Secret Engine.
Both of these options, however, still require periodic manual rotation of passwords.
Configuring authentication using Kubernetes Secrets
This is the simplest authentication mechanism. In this case, the Certificate Manager - Self-Hosted access token, Certificate Manager - Self-Hosted username and password, or Venafi-as-a-Service API Key are loaded from a Kubernetes secret.
This method, however, requires manual rotation of the stored tokens or passwords.