Configuring venafi-connection

Learn about different ways to configure VenafiConnection custom resources.



Use Case: Create a Venafi Connection without Storing Secrets with TPP's JWT Mapping

This is a secretless method for authenticating with TLS Protect Datacenter (TPP): neither an access token nor a password has to be stored in the cluster. Instead, the venafi-connection controller mints a short-lived Kubernetes ServiceAccount token and exchanges it with TPP for an access token through TPP's JWT mapping, so TPP must be configured to trust the cluster's ServiceAccount token issuer and to map the token's subject to a TPP identity. This method requires TLS Protect Datacenter (TPP) 22.4 or later. TLS Protect Cloud (VaaS) is not yet supported.

The following example shows a VenafiConnection resource which uses a Kubernetes ServiceAccount token to authenticate to Venafi TPP.

Configure the Kubernetes resources

# 1. Create a ServiceAccount which the Venafi Connection will use to authenticate to Venafi TPP.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: application-team-1
  namespace: jetstack-secure
# 2. Give the 'venafi-connection' ServiceAccount the permission to create tokens for this ServiceAccount.
# Create a Role that allows creating ServiceAccount tokens only for 'application-team-1'
# (resourceNames keeps the controller from minting tokens for any other ServiceAccount).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: create-tokens-for-application-team-1
  namespace: jetstack-secure
rules:
- apiGroups: [ "" ]
  resources: [ "serviceaccounts/token" ]
  verbs: [ "create" ]
  resourceNames: [ "application-team-1" ]
---
# Bind the controller's 'venafi-connection' ServiceAccount to the 'create-tokens-for-application-team-1' Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: application-team-1-sa-rolebinding
  namespace: jetstack-secure
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: create-tokens-for-application-team-1
subjects:
- kind: ServiceAccount
  name: venafi-connection
  namespace: jetstack-secure
# 3. Create the VenafiConnection CR that references the Venafi Control Plane server and the ServiceAccount.
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: jetstack-secure
spec:
  tpp:
    url: https://tpp1.example.com
    # The accessToken chain runs top to bottom: the output of each step feeds the next.
    accessToken:
    # First, mint a short-lived token for the 'application-team-1' ServiceAccount
    # with audience "tpp" (the audience TPP's JWT mapping expects).
    - serviceAccountToken:
        name: application-team-1
        audiences: [ "tpp" ]
    # Then exchange that JWT for a TPP access token via TPP's OAuth endpoint.
    - tppOAuth:
        authInputType: JWT
        url: https://tpp1.example.com
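Before relying on the connection it is worth looking at the claims TPP will actually receive, because the JWT mapping in TPP matches on the token's subject (sub) and audience (aud). The script below is an added example, not code from this page or from the Venafi/Jetstack project: it decodes the payload of a Kubernetes ServiceAccount token and checks that sub is the application-team-1 ServiceAccount and that "tpp" is in aud, mirroring the audiences field of the VenafiConnection above. The token it decodes is constructed inline so the script runs offline; its issuer URL is an assumption and its signature segment is a placeholder (no signature verification is performed here, TPP does that against the cluster's JWKS).

```shell
#!/bin/sh
# Added example, not code from the Venafi/Jetstack docs: decode a Kubernetes
# ServiceAccount token and check the claims that TPP's JWT mapping will see
# (subject and audience) before pointing a VenafiConnection at it.
#
# On a live cluster a real token for the example above is minted with:
#   kubectl create token application-team-1 --audience tpp -n jetstack-secure
# The token built at the bottom is CONSTRUCTED for an offline run: the issuer
# URL is an assumption and the signature segment is a placeholder.
set -e

# base64url -> standard base64 (restore alphabet and '=' padding), then decode
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# standard base64 -> base64url (drop padding, swap alphabet); only used to
# build the constructed sample token
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# print the JSON payload, i.e. the second dot-separated segment of the JWT
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# print the value of a string-valued claim ("sub", "iss", ...)
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# check_sa_token TOKEN EXPECTED_SUB EXPECTED_AUD
# returns 0 only when 'sub' equals EXPECTED_SUB (the identity TPP must map) and
# EXPECTED_AUD is listed in the 'aud' array (the value configured under
# serviceAccountToken.audiences in the VenafiConnection)
check_sa_token() {
  tok=$1; want_sub=$2; want_aud=$3
  payload=$(jwt_payload "$tok")
  sub=$(jwt_claim "$tok" sub)
  if [ "$sub" != "$want_sub" ]; then
    echo "sub mismatch: got '$sub', want '$want_sub'" >&2
    return 1
  fi
  if ! printf '%s' "$payload" | grep -q "\"aud\":\[[^]]*\"$want_aud\""; then
    echo "audience '$want_aud' not present in aud claim" >&2
    return 1
  fi
  return 0
}

# CONSTRUCTED sample payload with the claims a projected token for the example
# ServiceAccount carries; the issuer URL is an assumption for this example.
SAMPLE_PAYLOAD='{"aud":["tpp"],"exp":1700003600,"iat":1700000000,"iss":"https://kubernetes.default.svc.cluster.local","kubernetes.io":{"namespace":"jetstack-secure","serviceaccount":{"name":"application-team-1","uid":"00000000-0000-0000-0000-000000000000"}},"nbf":1700000000,"sub":"system:serviceaccount:jetstack-secure:application-team-1"}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":"constructed"}').$(b64url_encode "$SAMPLE_PAYLOAD").placeholder-signature"

EXPECTED_SUB=system:serviceaccount:jetstack-secure:application-team-1
if check_sa_token "$SAMPLE_TOKEN" "$EXPECTED_SUB" tpp; then
  echo "token claims match VenafiConnection application-team-1-connection"
fi
```

Two things to take from the output: the sub claim is the exact string TPP's JWT mapping must map to a TPP user or group, and the aud array only contains what was requested with --audience (or serviceAccountToken.audiences), so a token minted with the wrong audience is rejected by TPP even though it is otherwise valid. To confirm the RBAC from step 2 grants exactly what the controller needs, run `kubectl auth can-i create serviceaccounts/token -n jetstack-secure --as=system:serviceaccount:jetstack-secure:venafi-connection`; it should answer yes for this namespace and no elsewhere.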
