department-of-veterans-affairs / abd-vro

To get Veterans benefits in minutes, VRO software uses health evidence data to help fast track disability claims.

Scoping Venafi Onboarding Request from PKI Operations Team #3350

Closed nelsestu closed 1 day ago

nelsestu commented 3 weeks ago

As a VRO Platform team member, we need to understand and respond to a request that we've received from the PKI Operations Team regarding our Venafi Onboarding Status. Specifically, the message was sent from a shared mailbox, "OIT Venafi Mailbox" OITVenafiMailbox@va.gov, stating:

Please reply back to this Email with your System's onboarding status to Venafi. If your System does not use SSL/TLS PKI Certificates, please also reply with your statement.

Please see the [[Original Message Content]] section below for the full message from PKI Operations.

What we do know:

  1. We've only interacted with Venafi as Kubernetes custom resource definitions through kubectl, as described in the BIP API wiki page.
  2. Erik sent a follow-up ([[Erik's Follow up Response]]) on 8/14/2024 at 7:30pm Eastern.
  3. No reply since the 8/14 response.

Acceptance Criteria:

  1. Identify what is meant by our "system's onboarding status". Does Erik's follow-up response
  2. Identify how the certificate management Kubernetes CRDs relate back to the Venafi management tools. Are there aspects of Venafi that we are missing by only interacting with it via kubectl?
  3. Ask LHDI's opinion about this onboarding status.
    • We will ask LHDI during the Aug 21st office hours for their take
  4. Determine next steps and outline the remaining follow-up tasks as we identify them.

Original Message Content:

You have been identified as the Point of Contact for VASI Systems under the Software Factory (SWF) Systems not onboarded to Venafi (see list below).

Our PKI Operations Team is reaching out to help you onboard to the Venafi Trust Protection Platform, which manages and maintains Public Key Infrastructure (PKI) certificates for the VA Enterprise. This effort supports the VA's focus to prevent an outage due to an expired PKI certificate, which would disrupt our Veterans' care.

Please reply back to this Email with your System's onboarding status to Venafi. If your System does not use SSL/TLS PKI Certificates, please also reply with your statement. OIT Leadership wants us to track the onboarding status. We have the resources below to help you onboard with either the regular or elevated account.

KB0111143 How to Be Onboarded (and gain access) to Venafi's User Portal
Venafi Onboarding Guide Venafi Onboarding Guide for Regular (MEA) or Elevated (0 account)
VA PKI Sharepoint VA PKI Sharepoint page with Venafi Guides and How-To Documents
OITVenafiMailbox@va.gov Venafi PKI Operations Shared Mailbox
OITITOPSSOIOSSPKIVPCALLEMPLOYEES@va.gov Venafi PKI Operations Team Distribution Group

For additional assistance, the Venafi PKI Operations Team will hold weekly open Onboarding meetings every Tuesday at 11am CST. You may join to ask questions and request a demonstration of the Venafi User Portal and its features.

Open Venafi Onboarding Meeting Meeting ID: xxx Passcode: xxx

Best Regards, PKI Operations Team

VASI ID, System Name (systems not onboarded to Venafi):
2056 Member Services - Customer Relationship Management
2472 Open Data Publishing
2490 Health Professionals Scholarship Management System
2494 Qualtrics Research
2509 FM Systems - FMS Employees
2821 Login.gov
2823 Automated Benefits Delivery
2915 Universal Design Platform as a Service
2947 Gordian Federal Cloud
2972 Kahua Federal Network
2986 Tango Reserve by AgilQuest
2987 Strategic Capital Investment Planning 2.0
2991 Global Telehealth Services - Virtual Health Platform
2997 Juniper Network Juniper Mist
3002 Itamar Dispatcher Cloud
3033 UiPath Automation Cloud Public Sector
3035 Prisma Access
3053 Copado GovCloud
3055 Pega EHRM - IO E2E Acquisition Hub
3218 Triage Expert Cloud
3234 Crestron XiO Cloud
3235 US Axon FedCloud
3238 Projnet
3241 External Data Transfer System
3246 VLogic Facility Management
3248 VBA Corporate Database Utilities
3285 AEON
3325 Enterprise Event Bus
3333 ServiceNow External Application Support Environment
3362 CrestPoint Environmental Management Service

Erik's Follow up Response

Hello Venafi Onboarding team,

The ABD VRO team is familiar with Venafi as the Certificate Management feature that is exposed through LHDI Kubernetes Clusters. We have followed certain documentation that LHDI hosts and, through that, have been successfully provisioning and managing certificates. Our understanding and use of Venafi Certificate Management features have been completely within the kubectl command line utility and its ability to interact with custom resource objects. LHDI has mentioned that there is a UI available, but my understanding of Venafi is evolving rapidly and, based on the resources included in the original message, there appears to be much more than what we've known about previously. It seems we would benefit from whatever onboarding processes you recommend.

And so, we've used Venafi certificate management in the ways that kubectl exposes these features to us, and have successfully provisioned and renewed certificates, but we have not been trained or onboarded on other aspects of the Venafi certificate management offering. Please share any recommended steps for us to get started with the onboarding process. In the meantime we'll continue to familiarize ourselves with the resources you linked in your initial outreach.

Thanks very much,

Erik Nelsestuen ABD-VRO Senior Software Engineer OCTO Benefits Crew

BerniXiongA6 commented 3 weeks ago

Hi Tyler -- in LHDI office hours today, Gabe asked our team to send you this ticket so you could help us to better understand whether VRO is clear about our onboarding status with Venafi -- or whether there are recommended next steps from LHDI for resolving this request from PKI Ops Team? If you could reply here with your feedback on whether this reply above that was sent from @nelsestu to PKI Ops Team will suffice or if we should take additional steps, we would appreciate any assistance. Thanks so much! cc: @CorySohrakoffUSDS @jstrothman @amylai-va @meganhicks

BerniXiongA6 commented 3 weeks ago

Here's the Slack thread just sent to Tyler Snell in LHDI Slack: https://lighthouseva.slack.com/archives/C03UA9MV1EH/p1724258462778789

nelsestu commented 1 week ago

Tyler passed our inquiry on as a ticket that we can track here: https://github.com/department-of-veterans-affairs/lighthouse-di-tenant-support/issues/38

nelsestu commented 1 week ago

Tyler confirms that: "VRO should not need direct access to Venafi, as they have the ability to create and manage certificates through cert-manager which then uses the VA's Venafi instance on the back-end of LHDI."

In this case, we'll consider the case closed. They've heard from us and we've confirmed that we are using Venafi certificate-generation capabilities through LHDI's integration with them. We have what we need and they have what they need.
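The arrangement LHDI confirms above (the application manages cert-manager Certificate objects with kubectl, and a Venafi-backed issuer behind LHDI fulfils them) means the only view the team has of its Venafi certificates is what cert-manager writes into each Certificate's status. The script below is an added example, not code from the abd-vro repository or from LHDI: it audits that status the way the PKI team's outreach is concerned about, flagging certificates that are not Ready, are expired or close to expiry, or are not issued through the Venafi ClusterIssuer at all. The ClusterIssuer name "venafi-issuer", and the namespaces, certificate names, hostnames and dates in the embedded sample, are assumptions constructed for the example; `kubectl get certificates.cert-manager.io -A -o json` is the real command that produces the input shape.

```python
"""Audit cert-manager Certificate objects for expiry and readiness.

Added example, not code from the abd-vro repository. It assumes the setup
described in this thread: the application creates cert-manager Certificate
resources with kubectl, and a ClusterIssuer backed by Venafi fulfils them.
The ClusterIssuer name "venafi-issuer" is an assumption for this example.
"""
import json
from datetime import datetime, timezone

# Assumed (kind, name) of the Venafi-backed ClusterIssuer exposed by the platform.
VENAFI_ISSUER = ("ClusterIssuer", "venafi-issuer")


def parse_rfc3339(ts):
    """Parse the UTC timestamps cert-manager writes into Certificate status."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def certificate(ns, name, issuer_kind, issuer_name, not_after, ready, reason):
    """Build a Certificate object shaped like `kubectl get certificate -o json` output."""
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {"namespace": ns, "name": name},
        "spec": {
            "secretName": name,
            "dnsNames": [f"{name}.example.invalid"],
            "renewBefore": "360h",
            "issuerRef": {"kind": issuer_kind, "name": issuer_name, "group": "cert-manager.io"},
        },
        "status": {
            "notAfter": not_after,
            "conditions": [{"type": "Ready", "status": "True" if ready else "False",
                            "reason": reason}],
        },
    }


# Constructed sample of `kubectl get certificates.cert-manager.io -A -o json`.
# Namespaces, names, hostnames and dates are made up for this example.
SAMPLE_KUBECTL_JSON = json.dumps({"items": [
    # Healthy: issued through Venafi, Ready, nowhere near expiry.
    certificate("vro-prod", "vro-api-tls", "ClusterIssuer", "venafi-issuer",
                "2024-11-30T00:00:00Z", True, "Ready"),
    # Renewal failed: cert-manager could not obtain a new cert and the old one expires soon.
    certificate("vro-prod", "vro-worker-tls", "ClusterIssuer", "venafi-issuer",
                "2024-09-05T00:00:00Z", False, "Failed"),
    # Valid but not issued by Venafi at all, so invisible to the enterprise PKI team.
    certificate("vro-dev", "vro-dev-selfsigned", "Issuer", "selfsigned",
                "2025-01-01T00:00:00Z", True, "Ready"),
]})


def check_certificates(kubectl_json, now, warn_days=14):
    """Return (namespace, name, problem) tuples for Certificates needing attention.

    Three checks: the Ready condition, time left before status.notAfter, and
    whether issuerRef is the Venafi-backed ClusterIssuer. Ready can stay True
    while a failing renewal lets notAfter creep closer, so expiry is checked
    independently of readiness.
    """
    findings = []
    for item in json.loads(kubectl_json)["items"]:
        ns, name = item["metadata"]["namespace"], item["metadata"]["name"]
        spec, status = item.get("spec", {}), item.get("status", {})

        ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
        if ready is None:
            findings.append((ns, name, "not Ready: no Ready condition yet"))
        elif ready.get("status") != "True":
            findings.append((ns, name, f"not Ready: {ready.get('reason', 'unknown')}"))

        not_after = status.get("notAfter")
        if not_after is None:
            findings.append((ns, name, "never issued (no status.notAfter)"))
        else:
            days_left = (parse_rfc3339(not_after) - now).total_seconds() / 86400
            if days_left <= 0:
                findings.append((ns, name, "expired"))
            elif days_left < warn_days:
                findings.append((ns, name, f"expires in {days_left:.0f} days"))

        ref = spec.get("issuerRef", {})
        if (ref.get("kind"), ref.get("name")) != VENAFI_ISSUER:
            findings.append((ns, name,
                             f"issued by {ref.get('kind')}/{ref.get('name')}, not the Venafi ClusterIssuer"))
    return findings


if __name__ == "__main__":
    # Against a live cluster, replace SAMPLE_KUBECTL_JSON with the output of
    #   kubectl get certificates.cert-manager.io -A -o json
    now = parse_rfc3339("2024-09-01T00:00:00Z")
    for ns, name, problem in check_certificates(SAMPLE_KUBECTL_JSON, now):
        print(f"{ns}/{name}: {problem}")
```

The third check is the one that answers the PKI team's question directly: a certificate whose issuerRef points at anything other than the Venafi-backed ClusterIssuer never passed through Venafi, so it will not appear in the enterprise inventory that the onboarding effort exists to build, regardless of whether the application is "onboarded".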

BerniXiongA6 commented 1 day ago

Closing this ticket since LHDI has responded to our question and there's no additional action needed on VRO's end.