Configuring authentication to Certificate Manager - SaaS using workload identity federation¶
Workload identity federation allows CyberArk components for Kubernetes, such as Enterprise Issuer for CyberArk Certificate Manager, to authenticate with CyberArk Certificate Manager - SaaS securely without having to manage and secure long-lived credentials (like passwords or API keys). Instead, Kubernetes can function as an OIDC provider such that Certificate Manager - SaaS can validate its service account tokens using JWT/OIDC authentication.
Prerequisites¶
- You must have access to a Certificate Manager - SaaS instance.
- You must install Connection for CyberArk Certificate Manager in your cluster.
- You must have kubectl and Helm 3.8.0 or later on your workstation.
- You must have the jq tool on your workstation.
Step 1: Creating a service account in Certificate Manager - SaaS for workload identity federation¶
Before creating a service account in Certificate Manager - SaaS, you must complete the following tasks on your Kubernetes cluster.
- Obtain the OIDC Issuer URL by running the following command:

  ```shell
  kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer'
  ```

- Obtain the OIDC JWKS URI by running the following command:

  ```shell
  kubectl get --raw /.well-known/openid-configuration | jq -r '.jwks_uri'
  ```

IMPORTANT!
The JWKS URI must be a publicly accessible, unprotected HTTP endpoint. This allows Certificate Manager - SaaS to retrieve the public signing keys it needs to validate your cluster's service account tokens. If the JWKS URI isn't publicly accessible, or is protected, you must establish an alternative location that is kept in constant synchronization with the original JWKS URI of your cluster.
To create a service account with Custom API Integration use case¶
- Sign in to Certificate Manager - SaaS.
- Click Settings > Service Accounts.
- Click New.
- Choose the desired use case from the Use case list, and click Continue. The use cases available for you to choose from depend on which Certificate Manager - SaaS components you have licenses for.
- Enter a Name for your new service account.
- Select an Owning Team. This team owns the machine you want to create the service account for.
- Select the applications that you want to issue certificates for in the Applications field.
- Select Certificate Issuance as the Scope, and then click Continue.
- Fill in the credentials with the specific information required for authentication:
  - Issuer URL: Enter the OIDC Issuer URL of the cluster obtained in the previous section.
    Example: https://kubernetes.default.svc
  - JWKS URI: Enter the OIDC JWKS URI of the cluster, or the public location where the JSON Web Key Set (JWKS) data is replicated.
    Example: https://www.example.com:6443/.well-known/jwks.json
  - Subject Identifier: Enter the unique identifier for the subject within the issuing authority's namespace. Kubernetes uses the format system:serviceaccount:<NAMESPACE>:<SERVICE ACCOUNT NAME> for the Subject Identifier field.
    Example: system:serviceaccount:venafi:application-team-1
  - Audience: Enter the intended audience for the token, which is usually the API or resource that the token is intended to access.
    Example: api.venafi.cloud
Step 2: Configuring the Kubernetes resources¶
The following example shows the Kubernetes resources needed for a Connection resource that uses a Kubernetes Service Account to authenticate to CyberArk Certificate Manager - SaaS.
- Create a Kubernetes service account that the Connection resource can use to authenticate to Certificate Manager - SaaS.

  ```yaml
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: application-team-1 # (1)
    namespace: venafi
  ```

  1. This value is included in the Subject Identifier field of the service account in Certificate Manager - SaaS.

- Give the Connection resource the permission to acquire tokens for this service account.

  - Create a role that allows the creation of service account tokens for application-team-1:

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: create-tokens-for-application-team-1
      namespace: venafi
    rules:
      - apiGroups: [ "" ]
        resources: [ "serviceaccounts/token" ]
        verbs: [ "create" ]
        resourceNames: [ "application-team-1" ]
    ```

  - Link the controller's service account to the create-tokens-for-application-team-1 role:

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: application-team-1-sa-rolebinding
      namespace: venafi
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: create-tokens-for-application-team-1
    subjects:
      - kind: ServiceAccount
        name: venafi-connection
        namespace: venafi
    ```

- Create a Connection resource that has a reference to the service account in your Certificate Manager - SaaS tenant:

  ```yaml
  apiVersion: jetstack.io/v1alpha1
  kind: VenafiConnection
  metadata:
    name: application-team-1
    namespace: venafi
  spec:
    vcp:
      accessToken:
        - serviceAccountToken:
            name: application-team-1
            audiences: [ "api.venafi.cloud" ] # (1)
        - vcpOAuth:
            tenantID: xxxxx-xxxxxx-xxxxxx-xxxxxx # (2)
  ```

  1. The values set here must contain the audience value in the service account in Certificate Manager - SaaS.
  2. To find your Tenant ID in Certificate Manager - SaaS:
     - Sign in to CyberArk Certificate Manager - SaaS.
     - Navigate to Settings > Licensing. Your Tenant ID is displayed under Account information on the Licensing page.
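As an added check that is not part of the CyberArk documentation, the Python below decodes the claims of a projected service account token, such as one obtained with `kubectl create token application-team-1 -n venafi --audience api.venafi.cloud`, and confirms that its `iss`, `sub` and `aud` match the Issuer URL, Subject Identifier and Audience entered in Step 1 and the `audiences` set in Step 2. The sample token is constructed and the signature is not verified; this only validates the claim values before you troubleshoot a failing Connection.

```python
import base64
import json

# Values entered in the Certificate Manager - SaaS service account (Step 1 above).
EXPECTED_ISSUER = "https://kubernetes.default.svc"
EXPECTED_SUBJECT = "system:serviceaccount:venafi:application-team-1"
EXPECTED_AUDIENCE = "api.venafi.cloud"

def _b64url(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url(parts[1]))

def check_claims(token: str, issuer: str = EXPECTED_ISSUER,
                 subject: str = EXPECTED_SUBJECT, audience: str = EXPECTED_AUDIENCE) -> list:
    """Return mismatches between the token's iss/sub/aud and the federation settings (empty list == OK)."""
    claims = token_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss: got {claims.get('iss')!r}, expected {issuer!r}")
    if claims.get("sub") != subject:
        problems.append(f"sub: got {claims.get('sub')!r}, expected {subject!r}")
    # Kubernetes emits "aud" as a list for projected tokens; accept a bare string too.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if audience not in aud:
        problems.append(f"aud: {aud!r} does not contain {audience!r}")
    return problems

def make_sample_token(claims: dict) -> str:
    # Constructed sample only: a real token from kubectl carries an RS256/ES256 signature.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sample-signature"

if __name__ == "__main__":
    good = make_sample_token({"iss": EXPECTED_ISSUER, "sub": EXPECTED_SUBJECT, "aud": [EXPECTED_AUDIENCE]})
    bad = make_sample_token({"iss": EXPECTED_ISSUER, "sub": EXPECTED_SUBJECT, "aud": ["https://kubernetes.default.svc"]})
    print(check_claims(good))  # []
    print(check_claims(bad))
```

A token minted without `--audience` carries the cluster's default audience, which is the most common reason the `aud` check fails.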