Configuring venafi-connection

Learn about different ways to configure VenafiConnection custom resources.



Use Case: Store Venafi Username / Password in HashiCorp Vault and Authenticate to HashiCorp Vault using OIDC

The following example shows a VenafiConnection resource that uses a Kubernetes ServiceAccount token to authenticate to HashiCorp Vault, where the username and password for Venafi TPP are stored. The `accessToken` chain in the resource runs in order: mint a bound token for the ServiceAccount, exchange it for a Vault token at the Kubernetes auth login path, read the `username` and `password` fields from the KV secret, and finally exchange those for a TPP access token.

Configure the Kubernetes resources

```yaml
# 1. Create a ServiceAccount which the Venafi Connection will use to authenticate to HashiCorp Vault.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: application-team-1
  namespace: jetstack-secure
```
```yaml
# 2. Give the 'venafi-connection' ServiceAccount the permission to create tokens for this ServiceAccount.
# Create a Role that allows creating ServiceAccount tokens for 'application-team-1' only
# (resourceNames restricts the permission to that one ServiceAccount).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: create-tokens-for-application-team-1
  namespace: jetstack-secure
rules:
  - apiGroups: [ "" ]
    resources: [ "serviceaccounts/token" ]
    verbs: [ "create" ]
    resourceNames: [ "application-team-1" ]
---
# Bind the controller's 'venafi-connection' ServiceAccount to the 'create-tokens-for-application-team-1' Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: application-team-1-sa-rolebinding
  namespace: jetstack-secure
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: create-tokens-for-application-team-1
subjects:
  - kind: ServiceAccount
    name: venafi-connection
    namespace: jetstack-secure
```
```yaml
# 3. Create the VenafiConnection CR that references the Venafi Control Plane server,
#    the HashiCorp Vault instance and the ServiceAccount.
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: jetstack-secure
spec:
  tpp:
    url: https://tpp1.example.com
    accessToken:
      # Mint a short-lived token for 'application-team-1' with the audience Vault expects.
      - serviceAccountToken:
          name: application-team-1
          audiences: [ "vault.vault.svc.cluster.local" ]
      # Exchange that token for a Vault token at the Kubernetes auth mount 'example-corp'.
      - hashicorpVaultOAuth:
          authInputType: OIDC
          role: application-team-1
          authPath: /v1/auth/example-corp/login
          url: http://vault.vault.svc.cluster.local:8200
      # Read the TPP username and password from the KV v2 secret.
      - hashicorpVaultSecret:
          secretPath: /v1/secret/data/application-team-1/tpp-username-password
          fields: [ "username", "password" ]
          url: http://vault.vault.svc.cluster.local:8200
      # Exchange the username and password for a TPP access token.
      - tppOAuth:
          authInputType: UsernamePassword
          url: https://tpp1.example.com
```

Configure HashiCorp Vault

Now configure HashiCorp Vault with the Kubernetes auth method and create a role that allows the application-team-1 ServiceAccount to log in. The role binds logins to that ServiceAccount name and namespace and to the token audience requested in the VenafiConnection, so a token minted for another ServiceAccount or with a different audience is refused. The Vault URLs in this example are plain `http://` inside the cluster; in a real deployment reach Vault over TLS, since the TPP credentials travel over this connection.

```bash
kubectl exec -n vault pods/vault-0 -- \
  vault auth enable -path=example-corp kubernetes
kubectl exec -n vault pods/vault-0 -- \
  vault write auth/example-corp/config \
    kubernetes_host=https://kubernetes.default.svc
# The Kubernetes auth method binds the token audience with 'audience'.
# ('role_type', 'bound_audiences' and 'user_claim' are parameters of the
# separate JWT auth method and are not used by Kubernetes auth roles.)
kubectl exec -n vault pods/vault-0 -- \
  vault write auth/example-corp/role/application-team-1 \
    audience=vault.vault.svc.cluster.local \
    bound_service_account_names=application-team-1 \
    bound_service_account_namespaces=jetstack-secure \
    token_policies=application-team-1-readonly \
    token_ttl=5m
```

ℹ️ In this example HashiCorp Vault is configured to use Kubernetes authentication, and it is running inside the Kubernetes cluster. Alternatively you can configure HashiCorp Vault to use JWT authentication, which is similar but with some important differences. With JWT authentication Vault verifies the token signature against the cluster's OIDC discovery document or JWKS instead of calling the Kubernetes TokenReview API, so it cannot detect Kubernetes ServiceAccount tokens that have been revoked (for example because the ServiceAccount or its bound pod was deleted). The advantage is that Vault does not need to connect to the Kubernetes API server, which makes it easier to use a HashiCorp Vault server running outside the Kubernetes cluster where venafi-connection is running.
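The role's bindings are what decide whether a login succeeds, and a mismatch between the `audiences` in the VenafiConnection and the role's `audience`, or between the ServiceAccount name or namespace and the role's bound values, is the usual reason a login is refused. The following is an added example, not code from venafi-connection or Vault, that reproduces those checks offline so you can see which claim each binding inspects. The token is constructed here and HS256-signed with a made-up key (`DEMO_KEY`) purely to keep the example self-contained; a real ServiceAccount token is signed by the API server and Vault validates it through the TokenReview API (Kubernetes auth) or the issuer's JWKS (JWT auth). Only the claim bindings that follow that signature step are modelled, and all function names are the example's own.

```python
"""Offline model of the claim bindings applied by the application-team-1 role.
Added example, not part of venafi-connection or HashiCorp Vault."""
import base64
import hashlib
import hmac
import json
import time

# Role parameters mirroring `vault write auth/example-corp/role/application-team-1 ...`
ROLE = {
    "bound_service_account_names": ["application-team-1"],
    "bound_service_account_namespaces": ["jetstack-secure"],
    "audience": "vault.vault.svc.cluster.local",
}
# Hypothetical signing key; stands in for the API server's key pair (constructed).
DEMO_KEY = b"demo-only-not-a-real-sa-signing-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_sa_token(name, namespace, audiences, ttl=300, now=None) -> str:
    """Build a token shaped like a bound ServiceAccount token (constructed input):
    `sub` is system:serviceaccount:<namespace>:<name>, `aud` is the requested audience."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": "https://kubernetes.default.svc.cluster.local",
        "aud": list(audiences),
        "iat": now, "nbf": now, "exp": now + ttl,
        "sub": f"system:serviceaccount:{namespace}:{name}",
        "kubernetes.io": {"namespace": namespace,
                          "serviceaccount": {"name": name, "uid": "0000-demo-uid"}},
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def with_claims_changed(token, **changes) -> str:
    """Re-encode the payload with modified claims but keep the old signature:
    what a tampered token looks like to the verifier."""
    head, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims.update(changes)
    return f"{head}.{b64url(json.dumps(claims).encode())}.{sig}"


def verify_signature(token) -> dict:
    """Stand-in for TokenReview / JWKS validation: reject any altered token."""
    head, body, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature check failed")
    return json.loads(b64url_decode(body))


def vault_login(token, role=ROLE, now=None) -> dict:
    """Apply the role's bindings in the order a practitioner should debug them.
    Returns the identity Vault would record, or raises with the refusal reason."""
    claims = verify_signature(token)
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        raise ValueError("token expired")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if role["audience"] not in aud:
        raise ValueError(f"audience {aud} does not include {role['audience']!r}")
    sub = claims.get("sub", "")
    if not sub.startswith("system:serviceaccount:") or sub.count(":") != 3:
        raise ValueError(f"unexpected subject {sub!r}")
    _, _, ns, sa = sub.split(":")
    if sa not in role["bound_service_account_names"]:
        raise ValueError(f"service account {sa!r} is not bound to the role")
    if ns not in role["bound_service_account_namespaces"]:
        raise ValueError(f"namespace {ns!r} is not bound to the role")
    return {"sub": sub, "service_account": sa, "namespace": ns}


def login_outcome(token, now=None) -> str:
    """'ok' on success, otherwise the reason the login was refused."""
    try:
        vault_login(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    ok = mint_sa_token("application-team-1", "jetstack-secure", ["vault.vault.svc.cluster.local"])
    print("matching token:    ", login_outcome(ok))
    # Audience left at the API server default instead of the value in the VenafiConnection
    print("default audience:  ", login_outcome(mint_sa_token(
        "application-team-1", "jetstack-secure", ["https://kubernetes.default.svc.cluster.local"])))
    # Another team's ServiceAccount presenting the right audience
    print("other team's SA:   ", login_outcome(mint_sa_token(
        "application-team-2", "jetstack-secure", ["vault.vault.svc.cluster.local"])))
    # Tampered payload with the original signature
    print("tampered payload:  ", login_outcome(with_claims_changed(ok, exp=9999999999)))
```

Run it as a script to see each refusal reason; the order of the checks is also the order to work through when a real login fails: signature (is Vault talking to the right cluster or JWKS?), expiry, audience, then the ServiceAccount name and namespace bindings.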

Store TPP Credentials in HashiCorp Vault

Next, store the Venafi TPP credentials in a KV v2 secret in HashiCorp Vault and create a read-only policy for that one path; the policy name matches the `token_policies` of the role created in the previous step, so a login through that role can read this secret and nothing else.

```hcl
# hashicorp-vault.policy.hcl
path "secret/data/application-team-1/tpp-username-password" {
  capabilities = ["read"]
}
```

```bash
kubectl exec -i -n vault pods/vault-0 -- \
  vault policy write application-team-1-readonly - < hashicorp-vault.policy.hcl
kubectl exec -n vault pods/vault-0 -- \
  vault kv put -mount=secret application-team-1/tpp-username-password \
    username=application-team-1 password=xxxx-xxxx-xxxx-xxxx
```
