
Loading Venafi Bearer Token from a Kubernetes Secret

This is the simplest authentication mechanism: the Venafi TPP access token (or, for Venafi as a Service, the API key) is stored in a Kubernetes Secret and read from there by the connection. Because the token is a static bearer credential, anyone who can read that Secret can use it against the Venafi Control Plane, which is why the Role below grants access to that one Secret only.

  1. Create a Kubernetes Secret that contains the Venafi Bearer Token (use `stringData` for the raw token; values under `data` must be base64-encoded, so the placeholder below would be rejected there):

    apiVersion: v1
    kind: Secret
    metadata:
      name: application-team-1-tpp-access-token
      namespace: venafi
    stringData:
      # the raw token; the API server stores it base64-encoded under data
      access-token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    
  2. Give the venafi-connection service account permission to read this Secret, and nothing else in the namespace.

    1. Create a Role that allows only `get` on the single named Secret (no `list` or `watch`, which would expose every Secret in the namespace):

      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: get-application-team-1-tpp-access-token
        namespace: venafi
      rules:
        - apiGroups: [ "" ]
          resources: [ "secrets" ]
          verbs: [ "get" ]
          resourceNames: [ "application-team-1-tpp-access-token" ]
      
    2. Bind the venafi-connection service account to the get-application-team-1-tpp-access-token Role with a RoleBinding:

      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: application-team-1-secret-rolebinding
        namespace: venafi
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: get-application-team-1-tpp-access-token
      subjects:
      - kind: ServiceAccount
        name: venafi-connection
        namespace: venafi
      
  3. Create the VenafiConnection resource that references the Venafi Control Plane server and the Secret holding the Venafi Bearer Token:

    apiVersion: jetstack.io/v1alpha1
    kind: VenafiConnection
    metadata:
      name: application-team-1-connection
      namespace: venafi
    spec:
      tpp:
        url: https://tpp1.example.com
        accessToken:
          - secret:
              name: application-team-1-tpp-access-token
              fields: [ "access-token" ] # the field name in the Kubernetes Secret
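To see exactly what the Role and RoleBinding from step 2 grant, here is an added example (not code from the Venafi documentation or the Kubernetes project) that models the API server's RBAC decision offline: a simplified evaluator that matches a request's verb, resource and object name against the Role rules and checks that the RoleBinding names the requesting service account. The manifests are embedded as Python dicts transcribed from the YAML above; the `check` helper and the request shape are this example's own.

```python
"""Simplified offline model of Kubernetes RBAC for the Role/RoleBinding above.

Added example, not Venafi's or Kubernetes' code. It mirrors the core of the
API server's decision (binding namespace, subject match, rule match on
apiGroups/resources/verbs/resourceNames) so the least-privilege shape of the
manifests can be checked without a cluster.
"""
from dataclasses import dataclass

# Transcribed from the Role on this page.
ROLE = {
    "metadata": {"name": "get-application-team-1-tpp-access-token", "namespace": "venafi"},
    "rules": [
        {
            "apiGroups": [""],
            "resources": ["secrets"],
            "verbs": ["get"],
            "resourceNames": ["application-team-1-tpp-access-token"],
        }
    ],
}

# Transcribed from the RoleBinding on this page.
ROLEBINDING = {
    "metadata": {"name": "application-team-1-secret-rolebinding", "namespace": "venafi"},
    "roleRef": {"kind": "Role", "name": "get-application-team-1-tpp-access-token"},
    "subjects": [{"kind": "ServiceAccount", "name": "venafi-connection", "namespace": "venafi"}],
}


@dataclass(frozen=True)
class Request:
    """An authorization request as the API server sees it (hypothetical shape)."""
    user: str          # e.g. "system:serviceaccount:venafi:venafi-connection"
    verb: str
    namespace: str
    resource: str
    name: str = ""     # empty for collection requests such as list or watch
    api_group: str = ""  # "" is the core API group (Secrets live there)


def subject_matches(subject: dict, user: str) -> bool:
    """Service accounts authenticate as system:serviceaccount:<ns>:<name>."""
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False  # User and Group subjects are not needed for this page


def rule_matches(rule: dict, req: Request) -> bool:
    """One PolicyRule matches when every listed dimension covers the request."""
    def covers(values, wanted):
        return "*" in values or wanted in values

    if not covers(rule.get("apiGroups", []), req.api_group):
        return False
    if not covers(rule.get("resources", []), req.resource):
        return False
    if not covers(rule.get("verbs", []), req.verb):
        return False
    names = rule.get("resourceNames")
    if names:
        # A rule scoped by resourceNames only matches a request that names one
        # object; collection requests carry no name and therefore never match.
        return req.name in names
    return True


def allowed(req: Request, roles: list, bindings: list) -> bool:
    """RBAC is deny-by-default: allow only if some binding's role has a matching rule."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != req.namespace:
            continue
        if not any(subject_matches(s, req.user) for s in binding["subjects"]):
            continue
        # A RoleBinding's roleRef is resolved in the binding's own namespace.
        role = next(
            (r for r in roles
             if r["metadata"]["name"] == binding["roleRef"]["name"]
             and r["metadata"]["namespace"] == binding["metadata"]["namespace"]),
            None,
        )
        if role and any(rule_matches(rule, req) for rule in role["rules"]):
            return True
    return False


SA = "system:serviceaccount:venafi:venafi-connection"


def check(verb: str, name: str = "", namespace: str = "venafi", user: str = SA) -> bool:
    """Evaluate a Secrets request from the venafi-connection service account."""
    return allowed(Request(user, verb, namespace, "secrets", name), [ROLE], [ROLEBINDING])


if __name__ == "__main__":
    print(check("get", "application-team-1-tpp-access-token"))   # True: the one granted Secret
    print(check("get", "application-team-2-tpp-access-token"))   # False: another team's token
    print(check("list"))                                          # False: no collection access
    print(check("get", "application-team-1-tpp-access-token", namespace="default"))  # False
```

On a live cluster the same questions are answered by `kubectl auth can-i get secret/application-team-1-tpp-access-token --as=system:serviceaccount:venafi:venafi-connection -n venafi` and `kubectl auth can-i list secrets --as=system:serviceaccount:venafi:venafi-connection -n venafi`; the first should answer `yes` and the second `no`. The model deliberately omits ClusterRoles, aggregated rules and field selectors, so use it to reason about the manifests on this page rather than as a general authorizer.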