Create a Venafi Connection without Storing Secrets with TPP's JWT Mapping¶
This is a secretless method for authenticating with TLS Protect Datacenter (TPP): no access token or password is stored in a Kubernetes Secret, because the connection authenticates with a short-lived Kubernetes ServiceAccount token instead. It requires TLS Protect Datacenter (TPP) 22.4 or later. TLS Protect Cloud (VaaS) is not yet supported.
The following example shows a VenafiConnection resource that authenticates to Venafi TPP with a Kubernetes ServiceAccount token. The venafi-connection controller requests an audience-scoped token for a dedicated service account and presents it to TPP's OAuth endpoint, where the JWT mapping configured in TPP exchanges it for a TPP access token.
Configuring the Kubernetes resources¶
- Create a service account that the Venafi Connection can use to authenticate to Venafi TPP:

  ```yaml
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: application-team-1
    namespace: venafi
  ```
- Give the venafi-connection service account, which the controller runs as, permission to create tokens for application-team-1:

  - Create a role that allows the creation of service account tokens for application-team-1. Keep the resourceNames restriction: without it the controller could mint tokens for every service account in the namespace.

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: create-tokens-for-application-team-1
      namespace: venafi
    rules:
      - apiGroups: [ "" ]
        resources: [ "serviceaccounts/token" ]
        verbs: [ "create" ]
        resourceNames: [ "application-team-1" ]
    ```

  - Bind the controller's service account to the create-tokens-for-application-team-1 role:

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: application-team-1-sa-rolebinding
      namespace: venafi
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: create-tokens-for-application-team-1
    subjects:
      - kind: ServiceAccount
        name: venafi-connection
        namespace: venafi
    ```
- Create the VenafiConnection resource that references the TPP server and the service account. The accessToken list is a chain: the serviceAccountToken entry requests a token for application-team-1 with audience tpp, and the tppOAuth entry with authInputType JWT presents that token to TPP, which maps it to a TPP identity and returns an access token. The audience, together with the token's issuer and subject claims, must match the JWT mapping configured on the TPP side.

  ```yaml
  apiVersion: jetstack.io/v1alpha1
  kind: VenafiConnection
  metadata:
    name: application-team-1-connection
    namespace: venafi
  spec:
    tpp:
      url: https://tpp1.example.com
      accessToken:
        - serviceAccountToken:
            name: application-team-1
            audiences: [ "tpp" ]
        - tppOAuth:
            authInputType: JWT
            url: https://tpp1.example.com
  ```
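As an added example that is not part of this page or of the venafi-connection project, the following POSIX shell script decodes a projected service account token and checks that its subject and audience claims are the ones the resources above produce. The token it runs on is constructed inline; which claims TPP's JWT mapping actually matches on, and the expected values, are assumptions to be checked against your TPP configuration.

```shell
#!/bin/sh
# Added example (not from the page or the venafi-connection project): check that a
# projected service-account token carries the claims TPP's JWT mapping will see.
# It is assumed here that the mapping matches on the subject and audience claims;
# the expected values below are taken from the resources above.

# base64url-encode stdin (used only to build the constructed sample token below).
b64url() {
  base64 | tr -d '\n=' | tr '+/' '-_'
}

# Print the decoded JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# check_token_claims TOKEN EXPECTED_SUB EXPECTED_AUD
# Returns 0 when the token's "sub" equals EXPECTED_SUB and its "aud" array contains
# EXPECTED_AUD. Assumes compact JSON (no whitespace), which is what the Kubernetes
# TokenRequest API emits; use jq for anything more general.
check_token_claims() {
  payload=$(jwt_payload "$1") || return 1
  printf '%s' "$payload" | grep -qF "\"sub\":\"$2\"" || return 1
  printf '%s' "$payload" | grep -q "\"aud\":\[[^]]*\"$3\"" || return 1
  return 0
}

# Constructed sample token: the claims a TokenRequest for application-team-1 with
# audience "tpp" would produce. The signature segment is a placeholder; nothing in
# this script verifies signatures, that is TPP's job when it receives the token.
HEADER='{"alg":"RS256","kid":"sample"}'
PAYLOAD='{"iss":"https://kubernetes.default.svc.cluster.local","sub":"system:serviceaccount:venafi:application-team-1","aud":["tpp"],"exp":1893456000}'
SAMPLE_TOKEN="$(printf '%s' "$HEADER" | b64url).$(printf '%s' "$PAYLOAD" | b64url).signature"

EXPECTED_SUB="system:serviceaccount:venafi:application-team-1"
EXPECTED_AUD="tpp"

# Against a live cluster, replace SAMPLE_TOKEN with a real projected token:
#   TOKEN=$(kubectl create token application-team-1 -n venafi --audience tpp)
# and confirm the controller's RBAC from the Role/RoleBinding above with:
#   kubectl auth can-i create serviceaccounts/token -n venafi \
#     --as=system:serviceaccount:venafi:venafi-connection
if check_token_claims "$SAMPLE_TOKEN" "$EXPECTED_SUB" "$EXPECTED_AUD"; then
  echo "token claims match: sub=$EXPECTED_SUB aud=$EXPECTED_AUD"
else
  echo "token claims do not match the expected JWT mapping inputs" >&2
fi
```

The audience check is the one worth running before debugging on the TPP side: a token minted without `--audience tpp` (or with a VenafiConnection whose audiences list differs from the TPP mapping) decodes fine and is correctly signed, but TPP will reject it, and the failure shows up only as an authentication error on the connection.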