Configuring venafi-connection
Learn about different ways to configure VenafiConnection custom resources.
Use Case: Loading Venafi Bearer Token from a Kubernetes Secret
This is the simplest authentication mechanism: the Venafi TPP access token or Venafi-as-a-Service API key is loaded from a Kubernetes Secret.
```yaml
# 1. Create the Kubernetes Secret that contains the Venafi Bearer Token
apiVersion: v1
kind: Secret
metadata:
  name: application-team-1-tpp-access-token
  namespace: jetstack-secure
data:
  access-token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
```

Values under `data` must be base64-encoded; use `stringData` instead if you want to supply the token in plain text.
```yaml
# 2. Give the 'venafi-connection' ServiceAccount the permission to read this secret
# create role that allows reading secrets for 'application-team-1'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: get-application-team-1-tpp-access-token
  namespace: jetstack-secure
rules:
- apiGroups: [ "" ]
  resources: [ "secrets" ]
  verbs: [ "get" ]
  resourceNames: [ "application-team-1-tpp-access-token" ]
---
# link the connection service account to the 'get-application-team-1-tpp-access-token' role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: application-team-1-secret-rolebinding
  namespace: jetstack-secure
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: get-application-team-1-tpp-access-token
subjects:
- kind: ServiceAccount
  name: venafi-connection
  namespace: jetstack-secure
```
```yaml
# 3. Create the VenafiConnection CR that has a reference to the Venafi Control Plane server and to the Venafi Bearer Token
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: jetstack-secure
spec:
  tpp:
    url: https://tpp1.example.com
    accessToken:
    - secret:
        name: application-team-1-tpp-access-token
        fields: [ "access-token" ] # the field name in the Kubernetes Secret
```
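As an added least-privilege check (example code, not part of the Venafi documentation or product), the script below takes the four manifests above as parsed dicts (the same structures PyYAML's `yaml.safe_load_all` would produce from the files) and confirms that the `venafi-connection` ServiceAccount is granted `get` on exactly the Secret the VenafiConnection references, flagging wider verbs, a missing `resourceNames`, or extra Secrets; the embedded `PAGE_DOCS`, `SA_NAME` and the function names are constructed for this example.

```python
"""Added example (not part of Venafi's docs or product): check that the 'venafi-connection'
ServiceAccount is granted 'get' on exactly the Secret a VenafiConnection references.
Manifests are embedded as already-parsed dicts (what yaml.safe_load_all would return)."""
SA_NAME = "venafi-connection"
# Constructed to mirror the Secret, Role, RoleBinding and VenafiConnection YAML above.
PAGE_DOCS = [
    {"kind": "Secret", "metadata": {"name": "application-team-1-tpp-access-token", "namespace": "jetstack-secure"}},
    {"kind": "Role", "metadata": {"name": "get-application-team-1-tpp-access-token", "namespace": "jetstack-secure"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
                "resourceNames": ["application-team-1-tpp-access-token"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "application-team-1-secret-rolebinding", "namespace": "jetstack-secure"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "get-application-team-1-tpp-access-token"},
     "subjects": [{"kind": "ServiceAccount", "name": SA_NAME, "namespace": "jetstack-secure"}]},
    {"kind": "VenafiConnection", "metadata": {"name": "application-team-1-connection", "namespace": "jetstack-secure"},
     "spec": {"tpp": {"url": "https://tpp1.example.com", "accessToken": [
         {"secret": {"name": "application-team-1-tpp-access-token", "fields": ["access-token"]}}]}}},
]

def referenced_secrets(conn):
    """Names of the Secrets the VenafiConnection loads its TPP access token from."""
    return {s["secret"]["name"] for s in conn["spec"]["tpp"]["accessToken"] if "secret" in s}

def check_connection_rbac(docs):
    """Return a list of findings; an empty list means the grant is least-privilege."""
    by_kind = {k: [d for d in docs if d["kind"] == k] for k in {d["kind"] for d in docs}}
    conn = by_kind["VenafiConnection"][0]
    ns, wanted = conn["metadata"]["namespace"], referenced_secrets(conn)
    roles = {r["metadata"]["name"]: r for r in by_kind.get("Role", []) if r["metadata"]["namespace"] == ns}
    findings, covered = [], set()
    for rb in by_kind.get("RoleBinding", []):
        subjects = {(s["kind"], s["name"], s.get("namespace")) for s in rb["subjects"]}
        if rb["metadata"]["namespace"] != ns or ("ServiceAccount", SA_NAME, ns) not in subjects:
            continue  # binding is not for the connection's ServiceAccount
        role = roles[rb["roleRef"]["name"]]  # KeyError: binding points at a Role not in docs (ClusterRoles not handled)
        for rule in role["rules"]:
            if not {"secrets", "*"} & set(rule["resources"]):
                continue
            # resourceNames only narrows get/update/patch/delete; 'list' or 'watch' would expose every Secret in ns
            extra = set(rule["verbs"]) - {"get"}
            if extra:
                findings.append(f"{role['metadata']['name']}: verbs {sorted(extra)} on secrets go beyond 'get'")
            names = set(rule.get("resourceNames", []))
            covered |= names & wanted if names else wanted
            if not names:
                findings.append(f"{role['metadata']['name']}: secrets rule has no resourceNames (every Secret in {ns})")
            elif names - wanted:
                findings.append(f"{role['metadata']['name']}: grants unreferenced Secrets {sorted(names - wanted)}")
    if wanted - covered:
        findings.append(f"no Role bound to {SA_NAME} grants 'get' on {sorted(wanted - covered)}")
    return findings
```

Run it against your own manifests by loading them with `yaml.safe_load_all` and passing the resulting list to `check_connection_rbac`; any finding means the binding is broader (or narrower) than the connection needs.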
Next Steps
- Read the venafi-connection Reference Documentation to learn about other configuration use cases and to find the full API documentation and CLI documentation.