Configuring authentication to Venafi Control Plane using workload identity federation

Workload identity federation allows Venafi components for Kubernetes, such as Venafi Enhanced Issuer, to authenticate with Venafi Control Plane securely without having to manage and secure long-lived credentials (like passwords or API keys). Instead, Kubernetes can function as an OIDC provider such that Venafi Control Plane can validate its service account tokens using JWT/OIDC authentication.

Prerequisites

  • You must have access to a Venafi Control Plane instance.
  • You must install Venafi Connection in your cluster.
  • You must have kubectl and Helm 3.8.0 or later on your workstation.
  • You must have the jq tool on your workstation.

Step 1: Creating a service account in Venafi Control Plane for workload identity federation

Before creating a service account in Venafi Control Plane, you must complete the following tasks on your Kubernetes cluster.

  1. Obtain the OIDC Issuer URL of the cluster by running the following command:

    kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer'
    
  2. Obtain the OIDC JWKS URI of the cluster by running the following command:

    kubectl get --raw /.well-known/openid-configuration | jq -r '.jwks_uri'
    

    IMPORTANT!

    The JWKS URI must be a publicly accessible, unprotected HTTP endpoint. This allows Venafi Control Plane to retrieve the signing keys it needs to validate the cluster's service account tokens. If the JWKS URI isn't publicly accessible, or is protected, you must establish an alternative location that is kept in constant synchronization with the original JWKS URI of your cluster.

To create a service account with the Custom API Integration use case:

  1. Sign in to Venafi Control Plane.
  2. Click Settings > Service Accounts.
  3. Click New.
  4. Choose the desired use case from the Use case list, and click Continue. The use cases available for you to choose depend on which Venafi Control Plane components you have licenses for.
  5. Enter a Name for your new service account.
  6. Select an Owning Team. This team owns the machine you want to create the service account for.

  7. In the Applications field, select the applications for which you want to issue certificates.

  8. Select Certificate Issuance as Scope, and then click Continue.

  9. Fill in the credentials with the specific information required for authentication:

    • Issuer URL: Enter the OIDC Issuer URL of the cluster obtained in the previous section.

      • Example: https://kubernetes.default.svc
    • JWKS URI: Enter the OIDC JWKS URI of the cluster or the public location where the JSON Web Key Set (JWKS) data is replicated.

      • Example: https://www.example.com:6443/.well-known/jwks.json
    • Subject Identifier: Enter the unique identifier for the subject within the issuing authority's namespace. Kubernetes uses the format system:serviceaccount:<NAMESPACE>:<SERVICE ACCOUNT NAME> for the Subject Identifier field.

      • Example: system:serviceaccount:venafi:application-team-1
    • Audience: Enter the intended audience for the token, which is usually the API or resource that the token is intended to access.

      • Example: api.venafi.cloud

Step 2: Configuring the Kubernetes resources

The following example shows a cluster issuer resource which uses a Kubernetes Service Account to authenticate to Venafi Control Plane.

  1. Create a Kubernetes service account that the Venafi Connection can use to authenticate to Venafi Control Plane.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: application-team-1 # (1)!
      namespace: venafi
    
    1. This value is included in the Subject Identifier field of the service account in Venafi Control Plane.
  2. Give the Venafi Connection the permission to acquire tokens for this service account.

    1. Create a role that allows the creation of service account tokens for application-team-1:

      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: create-tokens-for-application-team-1
        namespace: venafi
      rules:
      - apiGroups: [ "" ]
        resources: [ "serviceaccounts/token" ]
        verbs: [ "create" ]
        resourceNames: [ "application-team-1" ]
      
    2. Link the controller's service account to the create-tokens-for-application-team-1 role:

      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: application-team-1-sa-rolebinding
        namespace: venafi
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: create-tokens-for-application-team-1
      subjects:
      - kind: ServiceAccount
        name: venafi-connection
        namespace: venafi
      
  3. Create a Venafi Connection that has a reference to the service account in your Venafi Control Plane tenant:

    apiVersion: jetstack.io/v1alpha1
    kind: VenafiConnection
    metadata:
      name: application-team-1
      namespace: venafi
    spec:
      vcp:
        accessToken:
          - serviceAccountToken:
              name: application-team-1
              audiences: [ "api.venafi.cloud" ] # (1)!
          - vcpOAuth:
              tenantID: xxxxx-xxxxxx-xxxxxx-xxxxxx # (2)!
    
    1. The values set here must include the Audience value configured on the service account in Venafi Control Plane.
    2. To find your Tenant ID in Venafi Control Plane:

      1. Sign in to the Venafi Control Plane.
      2. Navigate to Settings > Licensing.

        Your Tenant ID will be displayed under Account information on the Licensing page.
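
As an added offline pre-flight check (not code from the original page or from Venafi), the following Python maps the Issuer URL, Subject Identifier and Audience fields from Step 1, plus the key ids served at the JWKS URI, onto the header and claims of a token minted for the Step 2 service account, and reports any mismatch before you rely on Venafi Control Plane to reject it. It deliberately does not verify the signature (that is Venafi Control Plane's job against the JWKS); the sample token, its `sample-kid` key id and the JWKS are constructed for this example.

```python
import base64
import json

# Fields entered on the Venafi Control Plane service account (values from this page).
EXPECTED_ISSUER = "https://kubernetes.default.svc"
EXPECTED_SUBJECT = "system:serviceaccount:venafi:application-team-1"
EXPECTED_AUDIENCE = "api.venafi.cloud"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str):
    """Split a compact JWS into (header, claims) WITHOUT checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_token_against_vcp(token: str, jwks: dict, issuer=EXPECTED_ISSUER,
                            subject=EXPECTED_SUBJECT, audience=EXPECTED_AUDIENCE) -> list:
    """Return mismatches between the token and the VCP service account fields; [] means consistent."""
    header, claims = decode_jwt_unverified(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss={claims.get('iss')!r} does not match Issuer URL {issuer!r}")
    if claims.get("sub") != subject:
        problems.append(f"sub={claims.get('sub')!r} does not match Subject Identifier {subject!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # 'aud' may be a string or a list
    if audience not in aud:
        problems.append(f"aud={aud!r} does not include Audience {audience!r}")
    # The header kid must exist in the JWKS that VCP fetches; a mirrored JWKS that lags
    # behind the cluster's real one (e.g. after key rotation) fails here first.
    if header.get("kid") not in {k.get("kid") for k in jwks.get("keys", [])}:
        problems.append(f"kid={header.get('kid')!r} not found in JWKS")
    return problems


def make_sample_token(claims: dict, kid: str = "sample-kid") -> str:
    """Constructed, unsigned sample token for offline use (the signature segment is a dummy)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = json.dumps({"alg": "RS256", "kid": kid}).encode()
    return ".".join([enc(header), enc(json.dumps(claims).encode()), enc(b"dummy")])

# Constructed JWKS: only the key ids matter for this consistency check.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "sample-kid", "use": "sig"}]}
```

Against a real cluster, feed check_token_against_vcp a token from `kubectl create token application-team-1 -n venafi --audience api.venafi.cloud` and the JSON fetched from your JWKS URI (or its public mirror); an empty result means the three fields and the published keys agree with what the cluster actually issues.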