
Configuring authentication to TLS Protect Datacenter without storing secrets with JWT mapping

This is a secretless method of authenticating with TLS Protect Datacenter: no access token or password is stored in the cluster. Instead, the venafi-connection controller requests a short-lived Kubernetes ServiceAccount token (a JWT) and presents it to the TLS Protect Datacenter OAuth endpoint, which maps the JWT to a TPP identity. This method requires TLS Protect Datacenter 22.4 or later.

The following example shows a VenafiConnection resource that uses a Kubernetes ServiceAccount token to authenticate to Venafi TLS Protect Datacenter.

Configuring the Kubernetes resources

  1. Create a service account that the Venafi Connection can use to authenticate to Venafi TLS Protect Datacenter.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: application-team-1
      namespace: venafi
    
  2. Give the venafi-connection service account (the controller's own service account) permission to create tokens for the application-team-1 service account.

    1. Create a role that allows the creation of service account tokens for application-team-1:

      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: create-tokens-for-application-team-1
        namespace: venafi
      rules:
      - apiGroups: [ "" ]
        resources: [ "serviceaccounts/token" ]
        verbs: [ "create" ]
        resourceNames: [ "application-team-1" ]
      
    2. Bind the controller's service account, venafi-connection, to the create-tokens-for-application-team-1 role:

      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: application-team-1-sa-rolebinding
        namespace: venafi
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: create-tokens-for-application-team-1
      subjects:
      - kind: ServiceAccount
        name: venafi-connection
        namespace: venafi
      
  3. Create the VenafiConnection resource that references the TLS Protect Datacenter server and the service account. The value in audiences becomes the aud claim of the issued token, so it must be the audience that the JWT mapping in TLS Protect Datacenter expects:

    apiVersion: jetstack.io/v1alpha1
    kind: VenafiConnection
    metadata:
      name: application-team-1-connection
      namespace: venafi
    spec:
      tpp:
        url: https://tpp1.example.com
    
        accessToken:
          - serviceAccountToken:
              name: application-team-1
              audiences: [ "tpp" ]
          - tppOAuth:
              authInputType: JWT
              url: https://tpp1.example.com