Update Venafi username/password authentication section #1618
Conversation
update username/password section Signed-off-by: ilyes Ajroud <[email protected]>
Signed-off-by: ilyes Ajroud <[email protected]>
a894fa5 to 01cc876
Signed-off-by: ilyes Ajroud <[email protected]>
Mostly just to correct that no refresh_token is used with cert-manager OS.
Perhaps add some info for users to scope their client integration appropriately as that could help.
Otherwise, thank you for updating the docs, it's better. I have a few more things but they are not in reference to your changes, but previous content, so after this I will endeavour to address them in a follow up.
@@ -186,19 +186,20 @@ $ kubectl create secret generic \

### Username / Password Authentication

> ⚠️ When you supply a Venafi TPP username and password,
I believe we should now be fine to remove this warning as API keys are old and these docs only affect current and future. So previous version users can still adhere to the warning. Please shout out if anyone thinks we need to keep this warning on API Keys for TPP.
Signed-off-by: ilyes Ajroud <[email protected]>
One minor comment to remove the reference to revoke in some text. Just don't want to give anyone false hope that cert-manager does any sort of revocation. It's probably just a remnant of a misunderstanding of the TPP scopes required.
Otherwise it looks better and handles the use case, so thank you for taking the time to correct these docs. I'll approve on here and see what `/` commands I need to approve.
Co-authored-by: Peter Fiddes <[email protected]> Signed-off-by: ilyes Ajroud <[email protected]>
/lgtm
/approve
Signed-off-by: ilyes Ajroud <[email protected]>
/test pull-cert-manager-website-verify
@wallrj: No presubmit jobs available for cert-manager/website@master
Thanks for working on this.
I left a few suggestions and spotted a couple of typos.
If you don't have time to address those remarks, then I'll be happy to merge this and then I can follow up with another PR to bring the rest of this document up to date.
Create an application integration with name and ID `cert-manager`.
Set the "Base Access Settings" to `certificate: manage,revoke`.
Create an application integration with name and ID `cert-manager.io`.
Set the "Base Access Settings" to `certificate: manage`.
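Review bot: the suggested replacement narrows the scope from `certificate: manage,revoke` to `certificate: manage` and renames the integration from `cert-manager` to `cert-manager.io`; dropping `revoke` is the right least-privilege change given the reviewer's remark that cert-manager performs no revocation, but the rename only works if the integration ID equals the client ID the issuer presents, so the step should state explicitly that the ID entered here must match the client-id configured for the issuer (the PR description says the client ID was updated to align with the code). While touching these lines, also apply the terminology the reviewers ask for: "API integration" rather than "application integration", and "Scope" rather than "Base Access Settings".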
I can't remember whether recent versions of TPP include the cert-manager.io API integration by default.
@hawksight do you know?
If so, we can add a note to explain that this step might be optional with recent versions of TPP.
Optional: Here, or in a followup PR we should make sure we're using accurate terminology.
For example, "application integration" should be "API integration".
And "Base Access Settings" should be "Scope".
It is my understanding the cert-manager.io API integration is standard in recent versions at least, yes. We can add that in a follow up PR I think.
@wallrj agrees with @hawksight, we can open a follow-up PR on this.
Venafi has updated its terminology starting from the recent version, and we need to ensure alignment with it. However, I currently do not have the ability to instantiate a Venafi test environment to check it.
Signed-off-by: ilyes Ajroud <[email protected]>
/lgtm
Thanks
/approve
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: hawksight, wallrj
Preview: https://deploy-preview-1618--cert-manager.netlify.app/docs/configuration/venafi/#creating-a-venafi-trust-protection-platform-issuer
remove warning related to username/password authentication
clarify procedures for the username/password authentication
update client ID to align with the code
add the ability to update the client-id
related to:
feat: Use OAuth endpoint for Venafi Issuer when user/pass provided cert-manager#7084
Venafi TPP Support for OAuth when authenticating with a username and password cert-manager#4653
add ability to inject client-id in tpp secret venafi cert-manager#7484
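The username/password flow these linked PRs document, shown as an added example in Go that is not cert-manager's own code and not taken from the docs page: the credentials and a client ID are exchanged at TPP's OAuth endpoint for a short-lived access token, the scope requested is exactly `certificate:manage` (matching the narrowed scope suggested in review), and the `refresh_token` in the response is read but deliberately not kept, in line with the review remark that no refresh token is used. The endpoint path `/vedauth/authorize/oauth` and the JSON field names are assumptions based on Venafi's published TPP API rather than anything on this page; the fake TPP server, the `svc-cert-manager`/`hunter2` credentials and the token values are constructed so the example runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Assumed request/response shapes for TPP's OAuth endpoint
// (POST /vedauth/authorize/oauth); not taken from this PR.
type oauthRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
	ClientID string `json:"client_id"`
	Scope    string `json:"scope"`
}

type oauthResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token,omitempty"`
	Expires      int64  `json:"expires"` // unix seconds, assumed
	Scope        string `json:"scope"`
}

// Token is what the caller keeps. The refresh token is intentionally
// not carried over: the access token is simply re-requested with the
// stored username/password when it expires.
type Token struct {
	AccessToken string
	ExpiresAt   time.Time
	Scope       string
}

const (
	DefaultClientID = "cert-manager.io"    // must equal the API integration ID in TPP
	RequiredScope   = "certificate:manage" // no "revoke": cert-manager does not revoke
)

// FetchAccessToken exchanges username/password for an access token.
// An empty clientID falls back to DefaultClientID.
func FetchAccessToken(client *http.Client, baseURL, username, password, clientID string) (*Token, error) {
	if username == "" || password == "" {
		return nil, errors.New("tpp auth: username and password are both required")
	}
	if clientID == "" {
		clientID = DefaultClientID
	}
	body, err := json.Marshal(oauthRequest{Username: username, Password: password, ClientID: clientID, Scope: RequiredScope})
	if err != nil {
		return nil, err
	}
	resp, err := client.Post(strings.TrimRight(baseURL, "/")+"/vedauth/authorize/oauth", "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("tpp auth: unexpected status %d", resp.StatusCode)
	}
	var out oauthResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, fmt.Errorf("tpp auth: decoding response: %w", err)
	}
	if out.AccessToken == "" {
		return nil, errors.New("tpp auth: response carried no access_token")
	}
	// TPP may grant less than requested; refuse a token that cannot manage certificates.
	if !strings.Contains(out.Scope, RequiredScope) {
		return nil, fmt.Errorf("tpp auth: granted scope %q lacks %q", out.Scope, RequiredScope)
	}
	return &Token{AccessToken: out.AccessToken, ExpiresAt: time.Unix(out.Expires, 0), Scope: out.Scope}, nil
}

// NewFakeTPP is a constructed stand-in for TPP so the example runs offline.
// It accepts one fixed credential pair and only the cert-manager.io client ID.
func NewFakeTPP() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/vedauth/authorize/oauth" {
			http.NotFound(w, r)
			return
		}
		var req oauthRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "bad json", http.StatusBadRequest)
			return
		}
		if req.Username != "svc-cert-manager" || req.Password != "hunter2" || req.ClientID != DefaultClientID {
			http.Error(w, "bad credentials or unknown client_id", http.StatusUnauthorized)
			return
		}
		_ = json.NewEncoder(w).Encode(oauthResponse{
			AccessToken:  "fake-access-token",
			RefreshToken: "fake-refresh-token", // returned by TPP, ignored by the caller
			Expires:      time.Now().Add(90 * 24 * time.Hour).Unix(),
			Scope:        req.Scope,
		})
	}))
}

func main() {
	srv := NewFakeTPP()
	defer srv.Close()
	tok, err := FetchAccessToken(srv.Client(), srv.URL, "svc-cert-manager", "hunter2", "")
	if err != nil {
		panic(err)
	}
	fmt.Printf("access token %q, scope %s, valid until %s\n", tok.AccessToken, tok.Scope, tok.ExpiresAt.Format(time.RFC3339))
}
```

The client ID sent in the request is the same string the API integration is registered under in TPP; a mismatch is rejected by the fake server exactly as TPP would reject an unknown `client_id`, which is why the docs step that names the integration and the issuer's client-id setting have to agree.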