department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

Cert-Manager: Directly request and renew certificate with Venafi #58310

Open tuongngova opened 1 year ago

tuongngova commented 1 year ago

Describe the problem

Right now we're requesting and renewing certificates with Venafi in the manual fashion. If we are able to directly request and renew the certificate in the AWS EKS cluster via cert-manager, the secrets containing the certificates can be updated automatically.

Who will benefit

All vets-api services which utilize certificates from Venafi. Sign-in-Service is among those who would benefit from the implementation.

Describe your idea

Request Venafi for a service account and the required info for cert-manager to configure Venafi as the backend cert authority. Have cert-manager configure the backend cert authority of Venafi. Configure the certificate to be requested and stored in a secret. Mount the secrets to the containers.

Provide evidence

https://cert-manager.io/docs/tutorials/venafi/venafi/#creating-a-venafi-issuer-resource

Platform Mission

Other:

No response
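The three steps described above (Venafi configured as the issuer, the certificate requested into a Secret, the Secret mounted into the container) expressed as cert-manager manifests; this is an added example, not code from the issue or from the VA.gov repositories. The namespace, resource names, TPP URL, policy zone and DNS names are placeholders, and the Secret `venafi-tpp-credentials` is assumed to already hold the TPP `access-token` issued to the cert-manager service account.

```yaml
# Added example; all names, URLs and the zone are placeholders, not VA values.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: venafi-tpp
  namespace: vets-api
spec:
  venafi:
    zone: "VA\\Platform\\vets-api"            # TPP policy folder (placeholder)
    tpp:
      url: https://tpp.example.invalid/vedsdk  # placeholder TPP endpoint
      credentialsRef:
        name: venafi-tpp-credentials           # Secret with access-token (or username/password)
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sign-in-service-tls
  namespace: vets-api
spec:
  secretName: sign-in-service-tls   # cert-manager writes tls.crt, tls.key and ca.crt here
  duration: 2160h                   # 90 days; TPP policy may shorten this
  renewBefore: 360h                 # renew 15 days before expiry
  privateKey:
    rotationPolicy: Always          # generate a fresh key on every renewal
  dnsNames:
    - sign-in-service.vets-api.svc.cluster.local   # placeholder SAN
  issuerRef:
    name: venafi-tpp
    kind: Issuer
---
# Pod template fragment of the service's Deployment: mount the Secret read-only.
spec:
  containers:
    - name: sign-in-service
      volumeMounts:
        - name: tls
          mountPath: /etc/tls
          readOnly: true
  volumes:
    - name: tls
      secret:
        secretName: sign-in-service-tls
```

`kubectl describe certificate sign-in-service-tls -n vets-api` shows the Ready condition and the next renewal time. On renewal cert-manager rewrites the Secret and the kubelet refreshes the mounted files, but the application still has to reload them or be restarted to serve the new key pair.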

little-oddball commented 1 year ago

@pjhill - can we get this item on the docket to discuss in an upcoming CoP meeting? I could see this additionally being a nice little reliability item so gonna cc: @BillChapmanUSDS & @ericboehs

pjhill commented 1 year ago

Added to DevOps COP meeting agenda for the week -- https://vfs.atlassian.net/wiki/spaces/DO/pages/2708963329/07+20+2023

steel36 commented 6 months ago

Status check: @pjhill Has there been any progress on this item? Is it still under consideration or still active in some capacity?

tayism commented 4 months ago

Hey there @pjhill -- any recent updates on this one? Thanks!

gopixelsgo commented 2 months ago

Hi @pjhill - checking in to see if this ticket is still active/has any updates. Or can it be closed? Thanks!

tayism commented 1 month ago

Hello @pjhill @JoeTice -- Is this issue in progress? Backlog? Closed? Thanks!

gopixelsgo commented 1 month ago

Hi @pjhill @JoeTice - Did anything ever happen with this issue? We're looking to move Reviewed issues into Backlog or In Progress if they're still active, or Closed if not. Thanks!

gopixelsgo commented 2 weeks ago

Hi @pjhill @JoeTice - any update on this issue? Thanks!

pjhill commented 2 weeks ago

I will add this item to the next DevOps COP meeting on Thursday 7/18. It's possible that this feature was partially or completely implemented during a previous effort by Platform's Tech Team 2. The DevOps COP can discuss and investigate the status of this feature in the next meeting.