Configuring venafi-connection

Learn about different ways to configure VenafiConnection custom resources.



Introduction

VenafiConnection is a "namespaced" resource. Any ServiceAccount or Secret referenced by a VenafiConnection MUST be in the same namespace as the VenafiConnection resource or in a namespace that matches the allowReferencesFrom field, as described in cross namespace VenafiConnection references.

The custom resource definitions for VenafiConnections are added to your Kubernetes API server when you install one of the projects that use the Venafi Connection resources as configuration.

Configuring how venafi-connection Authenticates to Venafi

venafi-connection has a very flexible mechanism for loading the bearer token which it uses to interact with Venafi resource API endpoints.

The bearer token (also known as the access-token) can be loaded directly from a Kubernetes Secret. If you prefer to minimize the use of Kubernetes Secret resources, you can instead configure venafi-connection to generate a token from a ServiceAccount (SA) JWT token, or to load the access-token (or the associated OAuth credentials) from HashiCorp Vault.

Controllers that use Venafi Connections can authenticate to HashiCorp Vault using an ephemeral Kubernetes ServiceAccount token, which they generate dynamically rather than loading from a Secret or from a projected ServiceAccount token volume.

You define a chain of one or more authentication sources in the accessToken field of the VenafiClusterIssuer or VenafiIssuer resource. The output of each source in the chain is the input to the next source, and the output of the final source must be the Venafi bearer token, which is used to authenticate to the Venafi resource APIs for posting certificate signing requests and later downloading the signed certificates.

You can configure venafi-connection either to load the access-token directly from a source (assuming that you have created and stored the access-token out-of-band, for example using vcert getcred), or to load a username / password from a Kubernetes Secret or a HashiCorp Vault secret and then use that to authenticate to the Venafi auth APIs in exchange for a bearer token.

āš ļø The VenafiConnection resource will not report any issues in its status as long as it is not used. Create an Issuer or CertificateRequestPolicy that references the VenafiConnection to start using the VenafiConnection, after which the VenafiConnection resource's status will be updated.

Example configurations

📖 Use SA JWT token authentication

📖 Read Credentials / TPP OAuth token / VaaS API-key from K8S Secret

📖 Read Credentials / TPP OAuth token / VaaS API-key from Vault
