Update for Venafi Cluster Issuer in some projects as well as updated vsat manifests

cert-manager-csi-spiffe/templates/cert-policy-for-venafi-ica.yaml

@@ -20,7 +20,7 @@ spec:
   plugins:
     venafi:
       values:
-        venafiConnectionName: vtpp-connection
+        venafiConnectionName: venafi-connection
         zone: ${JS_VENAFI_TPP_ZONE_PRIVATE_CA1}
   selector:
     issuerRef:

cert-manager-csi/templates/issuer-for-redis-app.yaml

@@ -1,3 +1,24 @@
+# Create secret to access Venafi TPP with token
+# Using stringData for unencoded apikey value. Must be base64 encoded if "data" is used instead of stringData
+---
+apiVersion: jetstack.io/v1alpha1
+kind: VenafiClusterIssuer
+metadata:
+  name: venafi-issuer-for-redis
+spec:
+  venafiConnectionName: venafi-connection
+  zone: ${JS_VENAFI_ZONE_PRIVATE_CA1}
+---
+
+apiVersion: jetstack.io/v1alpha1
+kind: VenafiClusterIssuer
+metadata:
+  name: venafi-issuer-for-redis-server
+spec:
+  venafiConnectionName: venafi-connection
+  zone: ${JS_VENAFI_ZONE_PRIVATE_CA1}
+---
+
 # Create secret to access Venafi TPP with token
 # Using stringData for unencoded apikey value. Must be base64 encoded if "data" is used instead of stringData
 
@@ -18,9 +39,11 @@ metadata:
   namespace: sandbox
 spec:
   venafi:
-    zone: ${JS_VENAFI_TPP_ZONE_PRIVATE_CA1}
+    zone: ${JS_VENAFI_ZONE_PRIVATE_CA1}
     tpp:
       url: ${JS_VENAFI_TPP_URL} # Change this to the URL of your TPP instance
       caBundle: ${JS_VENAFI_TPP_BASE64_ENCODED_CACERT}
       credentialsRef:
-        name: vtpp-auth-secret-for-redis-issuer
+        name: vtpp-auth-secret-for-redis-issuer
+
+

cert-manager-csi/templates/redis-certs-policy-and-rbac.yaml

@@ -15,14 +15,39 @@ spec:
   plugins:
     venafi:
       values:
-        venafiConnectionName: vtpp-connection
-        zone: ${JS_VENAFI_TPP_ZONE_PRIVATE_CA1}
+        venafiConnectionName: venafi-connection
+        zone: ${JS_VENAFI_ZONE_PRIVATE_CA1}
   selector:
     issuerRef:
-      name: "vtpp-issuer-for-redis"
-      kind: "Issuer"
-      group: "cert-manager.io"
-
+      name: "venafi-issuer-for-redis"
+      kind: "VenafiClusterIssuer"
+      group: "jetstack.io"
+---
+apiVersion: policy.cert-manager.io/v1alpha1
+kind: CertificateRequestPolicy
+metadata:
+  name: cert-policy-for-redis-server
+spec:
+  allowed:
+    commonName:
+      value: "redis*svc.cluster.local"
+      required: true
+    dnsNames:
+      values: ["*"]
+    usages:
+      - "digital signature"
+      - "key encipherment"
+      - "server auth"
+  plugins:
+    venafi:
+      values:
+        venafiConnectionName: venafi-connection
+        zone: ${JS_VENAFI_ZONE_PRIVATE_CA1}
+  selector:
+    issuerRef:
+      name: "venafi-issuer-for-redis-server"
+      kind: "VenafiClusterIssuer"
+      group: "jetstack.io"
 --- 
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -34,7 +59,7 @@ rules:
     resources: ["certificaterequestpolicies"]
     verbs: ["use"]
     # Name of the CertificateRequestPolicies to be used.
-    resourceNames: ["cert-policy-for-redis"]
+    resourceNames: ["cert-policy-for-redis","cert-policy-for-redis-server","cert-policy-for-redis-tmp"]
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -54,4 +79,29 @@ subjects:
   namespace: jetstack-secure
 - kind: ServiceAccount
   name: cert-manager
-  namespace: jetstack-secure
+  namespace: jetstack-secure
+---
+apiVersion: policy.cert-manager.io/v1alpha1
+kind: CertificateRequestPolicy
+metadata:
+  name: cert-policy-for-redis-tmp
+spec:
+  allowed:
+    commonName:
+      value: "redis*svc.cluster.local"
+      required: true
+    dnsNames:
+      values: ["*"]
+    usages:
+      - "digital signature"
+      - "key encipherment"
+  plugins:
+    venafi:
+      values:
+        venafiConnectionName: venafi-connection
+        zone: ${JS_VENAFI_ZONE_PRIVATE_CA1}
+  selector:
+    issuerRef:
+      name: "vtpp-issuer-for-redis"
+      kind: "Issuer"
+      group: "cert-manager.io"

cert-manager-csi/templates/redis-client.yaml

@@ -47,7 +47,9 @@ spec:
             driver: csi.cert-manager.io
             readOnly: true
             volumeAttributes:
-                  csi.cert-manager.io/issuer-name: vtpp-issuer-for-redis
+                  csi.cert-manager.io/issuer-name: venafi-issuer-for-redis
+                  csi.cert-manager.io/issuer-kind: VenafiClusterIssuer
+                  csi.cert-manager.io/issuer-group: jetstack.io
                   csi.cert-manager.io/dns-names: redis-client.svc.cluster.local
                   csi.cert-manager.io/common-name: redis-client.svc.cluster.local
         - name: config

cert-manager-csi/templates/redis-server.yaml

@@ -11,7 +11,7 @@ data:
     tls-port 6379
     tls-cert-file /redis-master-ssl/certs/tls.crt
     tls-key-file /redis-master-ssl/certs/tls.key
-    tls-ca-cert-file /redis-master-ssl/certs/ca.crt
+   #  tls-ca-cert-file /redis-master-ssl/certs/ca.crt
     tls-ca-cert-dir /etc/ssl/certs
     tls-auth-clients yes
 
@@ -63,9 +63,15 @@ spec:
             driver: csi.cert-manager.io
             readOnly: true
             volumeAttributes:
-                  csi.cert-manager.io/issuer-name: vtpp-issuer-for-redis
-                  csi.cert-manager.io/dns-names: redis-server01.svc.cluster.local
-                  csi.cert-manager.io/common-name: redis-server01.svc.cluster.local
+              #csi.cert-manager.io/issuer-name: venafi-issuer-for-redis-server
+              #csi.cert-manager.io/issuer-kind: VenafiClusterIssuer
+              #csi.cert-manager.io/issuer-group: jetstack.io
+              #csi.cert-manager.io/key-usages: "server auth, digital signature, key encipherment"
+              #csi.cert-manager.io/dns-names: redis-server01.svc.cluster.local
+              #csi.cert-manager.io/common-name: redis-server01.svc.cluster.local
+              csi.cert-manager.io/issuer-name: vtpp-issuer-for-redis
+              csi.cert-manager.io/dns-names: redis-server01.svc.cluster.local
+              csi.cert-manager.io/common-name: redis-server01.svc.cluster.local
         - name: config
           configMap:
             name: redis-server-config

certificate-approver/templates/cert-policy.yaml

@@ -15,10 +15,10 @@ spec:
   plugins:
     venafi:
       values:
-        venafiConnectionName: vtpp-connection
-        zone: ${JS_VENAFI_TPP_ZONE_PUBLIC_CA1}
+        venafiConnectionName: venafi-connection
+        zone: ${JS_VENAFI_ZONE_PUBLIC_CA1}
   selector:
     issuerRef:
-      name: "vtpp-cluster-issuer"
+      name: "venafi-cluster-issuer"
       kind: "VenafiClusterIssuer"
       group: "jetstack.io"

certificate-approver/templates/sample-cert1.yaml

@@ -14,7 +14,7 @@ spec:
     - sample-cert1.${JS_JETSTACKER_DOMAIN_NAME}
   commonName: sample-cert1.${JS_JETSTACKER_DOMAIN_NAME}
   issuerRef:
-    name: "vtpp-cluster-issuer"
+    name: "venafi-cluster-issuer"
     kind: "VenafiClusterIssuer"
     group: "jetstack.io"
 --- 

certificate-approver/templates/sample-cert2.yaml

@@ -14,7 +14,7 @@ spec:
     - sample-cert2.${JS_JETSTACKER_DOMAIN_NAME}
   commonName: sample-cert2.${JS_JETSTACKER_DOMAIN_NAME}
   issuerRef:
-    name: "vtpp-cluster-issuer"
+    name: "venafi-cluster-issuer"
     kind: "VenafiClusterIssuer"
     group: "jetstack.io"
 --- 

certificate-approver/templates/sample-cert3.yaml

@@ -14,7 +14,7 @@ spec:
     - sample-cert3.${JS_JETSTACKER_DOMAIN_NAME}.foo
   commonName: sample-cert3.${JS_JETSTACKER_DOMAIN_NAME}.foo
   issuerRef:
-    name: "vtpp-cluster-issuer"
+    name: "venafi-cluster-issuer"
     kind: "VenafiClusterIssuer"
     group: "jetstack.io"
 --- 

certificate-approver/templates/venafi-issuer.yaml

@@ -4,8 +4,8 @@
 apiVersion: jetstack.io/v1alpha1
 kind: VenafiClusterIssuer
 metadata:
-  name: vtpp-cluster-issuer
+  name: venafi-cluster-issuer
 spec:
-  venafiConnectionName: vtpp-connection
-  zone: ${JS_VENAFI_TPP_ZONE_PUBLIC_CA1}
+  venafiConnectionName: venafi-connection
+  zone: ${JS_VENAFI_ZONE_PUBLIC_CA1}
 ---

common/templates/venafi-cloud-connection.yaml

@@ -1,7 +1,7 @@
 apiVersion: jetstack.io/v1alpha1
 kind: VenafiConnection
 metadata:
-  name: venafi-cloud-connection
+  name: venafi-connection
   namespace: jetstack-secure
 spec:
   vaas:

common/templates/venafi-tpp-connection.yaml

@@ -1,7 +1,7 @@
 apiVersion: jetstack.io/v1alpha1
 kind: VenafiConnection
 metadata:
-  name: vtpp-connection
+  name: venafi-connection
   namespace: jetstack-secure
 spec:
   tpp:

docs/02.create-venafi-connection.md

@@ -74,10 +74,10 @@ kubectl get VenafiConnection -n jetstack-secure
 ```
 and you will see
 ```
-❯ kubectl get VenafiConnection -n jetstack-secure
-NAME                      AGE
-venafi-cloud-connection   11s
-vtpp-connection           40s
+kubectl get VenafiConnection -n jetstack-secure
+
+NAME                AGE
+venafi-connection   11s
 ```
 
 These connections will be used to create the `VenafiIssuer` or `VenafiClusterIssuer` resources as required to fulfill `CertificateRequests`

settings-template.sh

@@ -1,53 +1,41 @@
 export JS_ENTERPRISE_CREDENTIALS_FILE := /Users/riaz.mohamed/sandbox/gitprojects/clean/jetstackdemosv2/demos/js-enterprise-credentials-1.json
-
+export JS_AIRGAPPED := false
 
 ###########################
 # Venafi Specific Variables
 ###########################
 
-# Venafi TPP access token. You must have the Venafi platform up and running
+# Venafi TLSP-DC (TPP) access token. You must have the Venafi platform up and running
 export JS_VENAFI_TPP_ACCESS_TOKEN :=REPLACE-ME
 export JS_VENAFI_TPP_REFRESH_TOKEN :=REPLACE-ME
 export JS_VENAFI_TPP_REFRESH_TOKEN_EXPIRY :=REPLACE-ME
-
-export JS_VENAFI_CLIENTID := cert-manager.io
-export JS_CONTAINER_REGISTRY := eu.gcr.io/jetstack-secure-enterprise
-
+export JS_VENAFI_TPP_USERNAME := REPLACE-ME # E.g. user1
+export JS_VENAFI_TPP_PASSWORD := REPLACE-ME # E.g. userpass
 export JS_VENAFI_TPP_URL :=REPLACE-ME # E.g. https://tpp.mydomain.com/vedsdk
-
-#Reference to file that contains CA bundle in PEM format. This is the certchain to tpp.mydomain.com. venafi-tpp-server-ca.pem is in .gitignore 
 export JS_VENAFI_TPP_CA_BUNDLE_PEM_FILE :=~/GitHub/demos/venafi-tpp-server-ca.pem
-#Base64 encoding of the above
 export JS_VENAFI_TPP_BASE64_ENCODED_CACERT :=REPLACE-ME
-export JS_VENAFI_TPP_ZONE_PUBLIC_CA1 := REPLACE-ME # E.g. Certificates\\\\Kubernetes\\\\Public1
-export JS_VENAFI_TPP_ZONE_PUBLIC_CA2 := REPLACE-ME # E.g. Certificates\\\\Kubernetes\\\\Public2
-
-#Reference to file that contains CA bundle in PEM format for Private PKI. This is the root CA for PKI referenced in PRIVATE_CA$. 
-#venafi-msca-ica-root.pem is in .gitignore 
-export JS_VENAFI_INTERMEDIATE_CA_ROOT_PEM_FILE :=~/GitHub/demos/venafi-msca-ica-root.pem
-export JS_VENAFI_TPP_ZONE_PRIVATE_CA1 := REPLACE-ME # E.g. Certificates\\Kubernetes\\Private1
-export JS_VENAFI_TPP_ZONE_PRIVATE_CA2 := REPLACE-ME # E.g. Certificates\\Kubernetes\\Private2
-
 #Location to sync certificates between Kubernetes and Venafi TPP
 export JS_VENAFI_CERT_SYNC_POLICY_FOLDER := REPLACE-ME # E.g. Certificates\\\\Kubernetes\\\\Discovered
+export JS_VENAFI_CLIENTID := cert-manager.io
 
+# VENAFI TLSPC (Cloud)
 # Venafi API Key. Register for an account on ui.venafi.cloud for a key.
 export JS_VENAFI_CLOUD_API_KEY :=REPLACE-ME
 
-# Figure out escaping on your own !!. Using \\ here. Had to use \\\\ For Venafi TPP.
-export JS_VENAFI_CLOUD_PUBLIC_ZONE_ID1 :=Demo\\demo
-export JS_VENAFI_CLOUD_PUBLIC_ZONE_ID2 :=Demo\\demo
+#venafi-msca-ica-root.pem is in .gitignore 
+export JS_VENAFI_INTERMEDIATE_CA_ROOT_PEM_FILE :=~/GitHub/demos/venafi-msca-ica-root.pem
 
-# Venafi Zone ID for CSI driver specific usecases.
-# Due to escaping \\ becomes one \, so Demo\\\\demo becomes Demo\\demo
-export JS_VENAFI_CLOUD_PRIVATE_ZONE_ID1 :=Demo\\\\demo
-export JS_VENAFI_CLOUD_PRIVATE_ZONE_ID2 :=Demo\\\\demo
 
-export JS_VENAFI_TPP_USERNAME := REPLACE-ME # E.g. user1
-export JS_VENAFI_TPP_PASSWORD := REPLACE-ME # E.g. userpass
+# Zones / Policy Folders
+export JS_VENAFI_ZONE_PUBLIC_CA1 := REPLACE-ME
+
+#Examples
+#TLKPK-Riaz-Public\TLSPK-Template-Riaz
+#tpp Riaz\\Certificates\\Kubernetes\\Ingress
+export JS_VENAFI_ZONE_PRIVATE_CA1 := REPLACE-ME
 
 # Email for creating docker registry secret that holds Jetstack Secure enterprise access token
-export JS_AIRGAPPED := false
+export JS_CONTAINER_REGISTRY := eu.gcr.io/jetstack-secure-enterprise
 export JS_DOCKER_REGISTRY_SECRET := venafi-jetstack-enterprise-key
 export JS_DOCKER_REGISTRY_USERNAME := REPLACE_ME
 export JS_DOCKER_REGISTRY_PASSWORD := REPLACE_ME
@@ -59,7 +47,6 @@ export JS_EMAIL_ID_FOR_LE_CERT :=${JS_DOCKER_REGISTRY_EMAIL} #for LE certs
 export JS_JETSTACKER_DOMAIN_NAME :=REPLACE_ME
 export JS_K8S_CLUSTER_NAME :=jetstack-secure-demo-01
 
-
 #--------START IMAGE VERSIONS AND HELM CHART VERSIONS -------------
 # ENTERPRISE CERT MANAGER versions
 # helm
@@ -135,6 +122,8 @@ export JS_ISTIO_SHORT_VERSION :=1.17
 # image
 export JS_CERT_MANAGER_OPEN_SHIFT_ROUTES_IMAGE_VERSION :=v0.5.0
 
+export JS_SAMPLE_TRUSTSTORE_APP_IMAGE := riazvm/jetstackdemos-truststore:1.3
+export JS_OPENSHIFT_ROUTE_IMAGE := ghcr.io/cert-manager/cert-manager-openshift-routes:0.1.3
 #--------END  IMAGE VERSIONS AND HELM CHART VERSIONS -------------
 
 
@@ -174,9 +163,6 @@ export JS_KUBERNETES_HOST := REPLACE_ME
 
 export JS_SAMPLE_APP_IMAGE := nginxdemos/nginx-hello
 
-export JS_SAMPLE_TRUSTSTORE_APP_IMAGE := riazvm/jetstackdemos-truststore:1.3
-
-export JS_OPENSHIFT_ROUTE_IMAGE := ghcr.io/cert-manager/cert-manager-openshift-routes:0.1.3
 
 #Firefly config
 export JS_VENAFI_FIREFLYCA_CONFIG_ID :=b45axxx0-xxxx-xxxx-xxxx-f78e8339xxxx