department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

Research into what parts of cert rotation process can be automated #69649

Closed vidjovanovic closed 3 months ago

vidjovanovic commented 10 months ago

Figure out what parts of the cert rotation process can be automated. Use MPI and SSoe cert process for reference.

After #69259

vidjovanovic commented 10 months ago

Ideas: Look into certs that we host ourselves. Research into roles needed and if Venafi token is needed. Automate SSM parameter storage.

zyellowhorse commented 6 months ago

Objective

Look into creating automation around our certificate rotation process. Specifically the certificate renewal and requesting process.

Findings

We currently use the platform Venafi for our certificate needs within the VA. You will need to be on the network as well as have specific permissions to manually request certificate renewals. There is a process documented to request access to Venafi if you don't already have access.

Research

I reached out to the Platform Team to see if they had any existing automation around their certificate rotation; they didn't at the time. Looking into Venafi a bit, it looks like there is an API that can be used to programmatically create certificate renewals, but I was unable to find where to get the API key or who I would need to speak to in order to request one.

Current approach

Since it looks like we are unable to get access to an API to programmatically renew certificates, we will try to use web browser automation using Selenium.

Review of web browser Automation

After thinking and testing web browser automation it looks like it may not be the best approach.

  1. There is going to be a lot of work to make the automation robust enough to where if the UI changes it can account for some of that / make it easier to maintain.
  2. This is only automating a portion of the process and might actually be as useful.
  3. Once the web browser automation is done, how do we go about running it, and if it's done in automation what we

Validation

We should validate that the cert actually changed and is the value we expect it to be. Also, when we do validation we should try not to output the actual value and should instead compare hashed values to hide the actual values.
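One way to implement the hashed comparison described above, as an added example that is not part of this issue or of the va.gov-team repo: it fingerprints the DER encoding with SHA-256, checks that the new cert differs from the old one and matches the fingerprint recorded when the renewal was requested, and exposes only fingerprints, never the certificate body. The certificate bytes are constructed stand-ins, and storing the expected fingerprint in SSM is an assumption.

```python
import base64
import hashlib
import hmac
import ssl
from dataclasses import dataclass

def fingerprint_sha256(pem: str) -> str:
    """SHA-256 over the DER bytes: the same fingerprint that
    `openssl x509 -noout -fingerprint -sha256` prints, so the value
    recorded when the renewal was requested is directly comparable."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

@dataclass(frozen=True)
class RotationCheck:
    rotated: bool           # new cert differs from the one it replaces
    matches_expected: bool  # new cert is the one we meant to deploy
    new_fingerprint: str    # safe to log; reveals no key material

    @property
    def ok(self) -> bool:
        return self.rotated and self.matches_expected

def validate_rotation(old_pem: str, new_pem: str, expected_fp: str) -> RotationCheck:
    """Compare fingerprints only; the PEM bodies never leave this function,
    so a log line or CI output cannot leak the certificate itself."""
    old_fp = fingerprint_sha256(old_pem)
    new_fp = fingerprint_sha256(new_pem)
    return RotationCheck(
        rotated=not hmac.compare_digest(old_fp, new_fp),
        matches_expected=hmac.compare_digest(new_fp, expected_fp.lower()),
        new_fingerprint=new_fp,
    )

def constructed_pem(der: bytes) -> str:
    """Wrap constructed bytes in PEM armor so the example runs offline.
    Real input would come from the endpoint or the SSM parameter."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed stand-ins for the pre- and post-rotation certificates.
OLD_PEM = constructed_pem(b"constructed DER: certificate before rotation")
NEW_PEM = constructed_pem(b"constructed DER: certificate after rotation")
# Fingerprint recorded when the renewal was requested (assumed to live in SSM).
EXPECTED_FP = fingerprint_sha256(NEW_PEM)

if __name__ == "__main__":
    r = validate_rotation(OLD_PEM, NEW_PEM, EXPECTED_FP)
    print(f"ok={r.ok} rotated={r.rotated} sha256={r.new_fingerprint}")
```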

zyellowhorse commented 6 months ago

Currently in a holding pattern while we wait for Kyle Matheny to continue through his process of creating a service account for Venafi. Once he does get a service account created we can either also use his service account for our services or we can follow the process he is going through to create our own service account.