Support both VCP regions #507

Open
hawksight opened this issue Jul 25, 2024 · 0 comments
Labels
enhancement New feature or request

hawksight commented Jul 25, 2024

BUSINESS PROBLEM

Currently EU users of VCP are at a disadvantage in that they require additional configuration to make use of vcert.

For example when requesting a cert:

US:

vcert enroll -p vcp -t $VCP_ACCESS_TOKEN -z "tlspk-peter\tlspk" --cn gimme.cert.com --verbose --no-prompt --format json > mycert.json

EU:

vcert enroll -p vcp --url https://api.venafi.eu -t $VCP_ACCESS_TOKEN -z "Test1\Default" --cn gimme.cert.com --verbose --no-prompt --format json > mycert.json

VCP is the only platform that has multiple backends that I know, so there needs to be some way to identify the region you are using.

For reference without using the --platform|-p flag, vcert defaults to the TPP API paths, e.g.

vcert enroll --url https://api.venafi.eu -t $VCP_ACCESS_TOKEN -z "Test1\Default" --cn gimme.cert.com --verbose --no-prompt --format json > mycert.json
vCert: 2024/07/25 13:06:18 Warning: --platform not set. Attempting to best-guess platform from connection flags
vCert: 2024/07/25 13:06:18 Successfully connected to Trust Protection Platform
vCert: 2024/07/25 13:06:18 Got 404 Not Found status for POST https://api.venafi.eu/vedsdk/certificates/checkpolicy
vCert: 2024/07/25 13:06:18 Invalid status: 404 Not Found Server response:

PROPOSED SOLUTION(S)

I would like to make the experience consistent for both regions' users without adding more configuration. If anything we should reduce it.

  1. Do away with --platform and infer the platform from --url. Based on the fact EU users have to provide it, why not make all provide it.
  2. Add EU / US specific values to --platform|-p, e.g. vcp-us|vcp-eu|vcp where vcp could default to api.venafi.cloud for backwards compatibility.
  3. Add a --region flag that's only applicable when using --platform vcp. Valid values EU|US

CURRENT ALTERNATIVES

N/A

VENAFI EXPERIENCE

I am currently a Venafi Employee.

ANY OTHER CONTEXT

When creating a service account with VCP EU tenant, I got a URL back like this:

I had just seen the .cloud suffix and therefore had not thought to change my follow-up vcert enroll command.
For example in an EU tenant, to request a token via JWT, the command length / params are the same:

# EU / US
vcert getcred -p vcp --token-url $VCP_TOKEN_URL --external-jwt $JWT --verbose --format json

If I intended to script with vcert CLI, then this command would change easily based on a variable. The enroll command however forces me to if and change the command based on the region I am using.

@hawksight hawksight added the enhancement New feature or request label Jul 25, 2024
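
The region branching described in the issue, written out as an added example (not from the issue author or the vcert project): a POSIX shell wrapper that picks the `--url` flag from a region value and always passes `-p vcp`. The function name `vcp_enroll` and the `VCERT_BIN` override are hypothetical; the flags and the EU URL are the ones in the commands quoted above.

```shell
#!/bin/sh
# Added example: region-aware wrapper around `vcert enroll` for VCP.
# vcp_enroll and VCERT_BIN are hypothetical names; the flags and the EU URL
# are the ones used in the commands quoted in the issue.

# usage: vcp_enroll REGION ZONE COMMON_NAME
vcp_enroll() {
  if [ "$#" -ne 3 ]; then
    echo "usage: vcp_enroll US|EU ZONE COMMON_NAME" >&2
    return 2
  fi
  _region=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  _zone=$2
  _cn=$3

  # Refuse to run without a token rather than sending an empty -t value.
  if [ -z "${VCP_ACCESS_TOKEN:-}" ]; then
    echo "VCP_ACCESS_TOKEN is not set" >&2
    return 2
  fi

  # Reuse the positional parameters as the region-specific flag list.
  case "$_region" in
    US) set -- ;;                                  # vcert's VCP default, no --url
    EU) set -- --url https://api.venafi.eu ;;      # EU backend from the issue
    *)  echo "unknown VCP region '$_region' (expected US or EU)" >&2
        return 2 ;;
  esac

  # -p vcp is always passed so vcert never best-guesses the platform from
  # --url and falls back to the TPP API paths (the 404 shown in the issue).
  "${VCERT_BIN:-vcert}" enroll -p vcp "$@" \
    -t "$VCP_ACCESS_TOKEN" -z "$_zone" --cn "$_cn" \
    --verbose --no-prompt --format json
}

# Example call (region taken from a variable the script controls):
#   vcp_enroll "$VCP_REGION" 'Test1\Default' gimme.cert.com > mycert.json
```

An unknown region or a missing token returns status 2 before vcert is invoked, so a mistyped region cannot silently send the request to the default backend.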