[SSL Certificates Management] Document monitoring and renewal workflow

department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:

https://depo-platform-documentation.scrollhelp.site/index.html

282 stars 203 forks source link

[SSL Certificates Management] Document monitoring and renewal workflow #32790

Closed jhouse-solvd closed 9 months ago

jhouse-solvd commented 2 years ago

Description

As a platform operator, I need operational documentation that describes how SSL certificates are managed.

Background / context

While documentation exists describing the renewal process specifically, what's needed is a high-level doc with links to additional resources, inventory, jobs, monitoring, and the like.

Obtain or Renew Publicly Signed SSL Certificates
Obtain VA Signed SSL Certificates for External Backend Connections
Jenkins job that alerts on SSL certificates that results in a notification that to #devops-deploys Slack channel, like THIS.

Acceptance Criteria (AC)

[ ] Operational documentation exists in Confluence for managing SSL Certificates
- [ ] Summarize how SSL certs are monitored, tracked, and renewed
- [ ] Link to the resources provided above
- [ ] Provide links to Infrastructure as Code (IaC)

mchelen-gov commented 2 years ago

related issue to migrate Jenkins job: https://github.com/department-of-veterans-affairs/va.gov-team/issues/32800

jhouse-solvd commented 2 years ago

relates to #32790

jhouse-solvd commented 2 years ago

I can pick this up and start the doc. I'll get feedback from those familiar w/ the process to ensure accuracy.

jhouse-solvd commented 2 years ago

Document HERE

cc: @ph-One & @little-oddball

johnny-jesensky-adhoc commented 11 months ago

This ticket has been siting in the Platform Content Team's icebox for quite a while. We're going to take a look to see if there are still documentation gaps on these topics on the Platform Website, and will take any needed action to get them filled.

jhouse-solvd commented 9 months ago

@johnny-jesensky-adhoc - AFAIK, this documentation (and sub-pages) is primarily for platform operators. I'm not sure there's a need for any of these instructions to be listed on the Platform Website. So, this issue can likely be closed.

Separately, it might be helpful for there to be instructions on the platform website that explain how VFS users can request for an SSL cert to be implemented/renewed for a given connection/integration.

There's currently this that states: "Note: These certificates are managed by Platform personnel." which links here... but it's not exactly clear where VFS users should go from there. I think VFS teams would visit #vfs-platform-support to request a new cert to be implemented, and then Platform Support would pick up the request and do the needful, communicating back w/ VFS teams along the way.

Hopefully, this helps, but let me know if there's any other info I can provide! ☺️

johnny-jesensky-adhoc commented 9 months ago

Thank you for looking into this @jhouse-solvd - that makes sense, and agree with your assessment. We recently received some separate feedback to increase the robustness of our External Integrations docs, so will look to include this in those updates.

We will close this ticket out, and create a separate card to add some greater guidance on requesting SSL certs.

FYI @jknipes