Skip to content

Rotating Venafi Kubernetes Agent credentials

The Venafi Kubernetes agent uses a service account to authenticate against the Venafi Control Plane.

To rotate Venafi Kubernetes Agent credentials

  1. In the Venafi Control Plane UI, go to Settings > Service Accounts, click New, and create a new service account.

    This returns a JSON snippet with the credentials of the service account. Save the text in the file in your computer with the name credentials.json.

  2. Delete the Secret that contains the credentials of the old service account, and add a new secret with the new credentials.

  3. Identify the service account the agent was using by decoding the credentials in the existing secret.

    If you installed the agent in the default namespace with the default name for all the resources, this command shows you the existing service account:

    kubectl get secret  -n=venafi agent-credentials -o jsonpath="{.data.credentials\.json}" | base64 -d
    

    The client_id matches the email of the service account in use. Save it as you need it again later in step 7.

  4. Use the following command to delete the old secret with the old service account credentials from your cluster:

    kubectl delete secret -n=venafi agent-credentials
    
  5. Use the following command to create a new secret with the new service account credentials:

    kubectl create secret generic -n=venafi agent-credentials --from-file=./credentials.json
    
  6. Restart the Kubernetes Agent to make sure it loads the new service account:

    kubectl rollout restart deployment agent
    
  7. On the Service Accounts page in the Venafi Control Plane UI, click the checkbox next to the service account previously used by the agent, click DELETE, and then DELETE again to confirm, and erase the old service account from the system.