Skip to content

Configuring authentication using HashiCorp Vault

You have two options when configuring Venafi Connection to work with HashiCorp Vault:

  • Storing the Venafi username and password in HashiCorp Vault and authenticating to HashiCorp Vault using OIDC.
  • Authenticating to Venafi TPP using LDAP credentials obtained from HashiCorp Vault.

Store the Venafi username and password in HashiCorp Vault and authenticate to HashiCorp Vault using OIDC

The following example shows a cluster issuer resource which uses a Kubernetes service account token to authenticate to HashiCorp Vault which contains the credentials for Venafi TPP.

Step 1: Configure the Kubernetes resources

  1. Create a service account which the Venafi Connection can use to authenticate to HashiCorp Vault:

    apiVersion: v1
kind: ServiceAccount
metadata:
  name: application-team-1
  namespace: venafi

  2. Give the venafi-connection service account the permission to create tokens for this service account:

    1. Create role that allows the creation of service account tokens for application-team-1:

      apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: create-tokens-for-application-team-1
  namespace:  venafi
rules:
- apiGroups: [ "" ]
  resources: [ "serviceaccounts/token" ]
  verbs: [ "create" ]
  resourceNames: [ "application-team-1" ]

    2. Link the controller's service account to the create-tokens-for-vault-sa role:

      apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: application-team-1-sa-rolebinding
  namespace:  venafi
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: create-tokens-for-application-team-1
subjects:
- kind: ServiceAccount
  name: venafi-connection
  namespace:  venafi

  3. Create the Venafi Connection certificate request that has a reference to the Venafi Control Plane server, HashiCorp Vault instance and to the ServiceAccount:

    apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: venafi
spec:
  tpp:
    url: https://tpp1.example.com

    accessToken:
      - serviceAccountToken:
          name: application-team-1
          audiences: [ "vault.vault.svc.cluster.local" ]
      - hashicorpVaultOAuth:
          authInputType: OIDC
          role: application-team-1
          authPath: /v1/auth/example-corp/login
          url: http://vault.vault.svc.cluster.local:8200
      - hashicorpVaultSecret:
          secretPath: /v1/secret/data/application-team-1/tpp-username-password
          fields: [ "username", "password" ]
          url: http://vault.vault.svc.cluster.local:8200
      - tppOAuth:
          authInputType: UsernamePassword
          url: https://tpp1.example.com

Step 2: Configure HashiCorp Vault

Now configure HashiCorp Vault for "Kubernetes" authentication, and create a Role that allows the application-team-1 service account to authenticate and impersonate it.

kubectl exec -n vault pods/vault-0 -- \
    vault auth enable -path=example-corp kubernetes

kubectl exec -n vault pods/vault-0 -- \
    vault write auth/example-corp/config \
      kubernetes_host=https://kubernetes.default.svc

kubectl exec -n vault pods/vault-0 -- \
    vault write auth/example-corp/role/application-team-1 \
       role_type=jwt \
       bound_audiences=vault.vault.svc.cluster.local \
       user_claim=sub \
       bound_service_account_names=application-team-1 \
       bound_service_account_namespaces= venafi \
       policies=application-team-1-readonly \
       ttl=5m

Note

In this example HashiCorp Vault is configured to use Kubernetes authentication, and it is running inside the Kubernetes cluster.

Alternatively, you can configure HashiCorp Vault to use JWT authentication, which is similar but with some important differences.

The disadvantage is that with JWT authentication HashiCorp Vault can't check for revoked Kubernetes JWT tokens. The advantage is that Vault won't need to connect to the Kubernetes API server which makes it easier to connect to a HashiCorp Vault server that is running outside the Kubernetes cluster where Venafi Connection is running.

Step 3: Store TPP Credentials in HashiCorp Vault

Next, store the Venafi TPP credentials in a secret in HashiCorp Vault and create an access policy to allow these to be read by the role that was created in the previous step.

# hashicorp-vault.policy.hcl
path "secret/data/application-team-1/tpp-username-password" {
  capabilities = ["read"]
}

kubectl exec -i -n vault pods/vault-0 -- \
    vault policy write application-team-1-readonly - < hashicorp-vault.policy.hcl

kubectl exec -n vault pods/vault-0 -- \
    vault kv put -mount=secret application-team-1/tpp-username-password username=application-team-1 password=xxxx-xxxx-xxxx-xxxx

Authenticating to Venafi TPP using LDAP credentials obtained from HashiCorp Vault

Note

You must install Venafi Enhanced Issuer 0.8.0 or later to use this feature.

Venafi Connection integrations with Venafi Enhanced Issuer 0.8.0 or later and Approver Policy Enterprise 0.11.0 or later also support authentication to Venafi TPP using LDAP credentials obtained from HashiCorp Vault.

  1. Create a dedicated user in your LDAP directory (for example, vaultautomation) and bind it to the cert-manager API integration in TPP. Don't forget to add it to a policy folder.
  2. Create a service account that the Venafi Connection can use to authenticate to HashiCorp Vault, and give the venafi-connection service account the permission to create tokens for this service account.

  3. Configure HashiCorp Vault for LDAP authentication. How exactly you do this depends on how LDAP is set up on your system.

    For more information on the HashiCorp Vault LDAP configuration options, see the LDAP secrets engine documentation on the HashiCorp site.

    The following is a basic example:

    1. Enable the LDAP secret engine.

      kubectl exec -n vault pods/vault-0 -- \
vault secrets enable ldap

    2. Add the credentials that HashiCorp Vault needs to communicate with LDAP to generate passwords

      kubectl exec -n vault pods/vault-0 -- \
vault write ldap/config \
binddn=$USERNAME \
bindpass=$PASSWORD \
url=ldaps://$LDAP_SERVER_HOST

    3. Set up a static role (for example, vaultautomation) to map a name in HashiCorp Vault to an entry in LDAP. This role manages password rotation settings. See the sample command below:

      kubectl exec -n vault pods/vault-0 -- \
vault write ldap/static-role/vaultautomation \
dn='uid=vaultautomation,ou=users,dc=mycompany,dc=com' \
username='vaultautomation' \
rotation_period="20m"

  4. Create the Venafi Connection certificate request that has a reference to the Venafi Control Plane server, HashiCorp Vault LDAP server instance, and to the service account. See the example below:

      apiVersion: jetstack.io/v1alpha1
  kind: VenafiConnection
  metadata:
    name: application-team-1-connection
    namespace:  venafi
  spec:
    tpp:
      url: https://tpp1.example.com

      accessToken:
        - serviceAccountToken:
            name: application-team-1
            audiences: [ "vault.vault.svc.cluster.local" ]
        - hashicorpVaultOAuth:
            authInputType: OIDC
            role: application-team-1
            authPath: /v1/auth/example-corp/login
            url: http://vault.vault.svc.cluster.local:8200
        - hashicorpVaultLDAP:
            ldapPath: /v1/ldap/static-cred/vaultautomation
            url: http://vault.vault.svc.cluster.local:8200
        - tppOAuth:
            authInputType: UsernamePassword
            url: https://tpp1.example.com

  5. Add a vault policy to make the credentials for the service account readable, and add it to the Kubernetes authentication. For example:

    path "ldap/static-cred/vaultautomation" {
capabilities = [ "read" ]
}

  6. Finally, make a Venafi Cluster Issuer and certificate point to the new Venafi Connection.