This open source project is community-supported. To report a problem or share an idea, use
Issues; and if you have a suggestion for fixing the issue, please include those details, too.
In addition, use Pull Requests to contribute actual bug fixes or proposed enhancements.
We welcome and appreciate all contributions. Got questions or want to discuss something with our team?
Join us on Slack!
This solution implements an OpenStack Heat plugin that uses the VCert-Python library to simplify enrollment of TLS certificates needed for stacks while ensuring their compliance with enterprise security policy. The plugin is designed to be a used in a Heat template to request a certificate from Venafi Trust Protection Platform or Venafi as a Service for a Heat resource.
You should install pip packages into same python environment that is used by heat-engine. Instructions may differ for your OpenStack installation.
-
Switch to openstack user
-
Determine python dist-package directory:
python -m site
-
Install the
vcert
andopenstack-heat-plugin-venafi
pip packages for use by the OpenStack instance:pip install openstack-heat-plugin-venafi
-
Create the default plugin directory
/usr/lib/heat
:mkdir -p /usr/lib/heat
-
Identify where pip package has been locally installed:
PIP_PKG_LOC=$(pip show openstack-heat-plugin-venafi | awk '/^Location:/{print $2}')
-
Create a symbolic link for the installed plugin in the
/usr/lib/heat
directory:ln -s ${PIP_PKG_LOC}/openstack-heat-plugin-venafi /usr/lib/heat/
-
Restart the Heat engine:
sudo systemctl restart openstack-heat-engine.service
Review the provided example YAML test_certificate.yml. It is strongly recommended to export credentials as variables and add them as hidden parameters to the stack rather than hardcoding them in your configuration.
In most cases you will need to specify a trust bundle because the Venafi Platform is commonly
secured using a certificate issued by a private enterprise PKI. In order to specify a
trust_bundle
you must first base64 encode the file contents:
cat /path/to/bundle.pem |base64 --wrap=10000
openstack stack create -t venafi/resources/tests/fixtures/test_certificate.yml \
--parameter common_name="common-name.venafi.example" \
--parameter sans="DNS:dns-san-1.venafi.example","DNS:dns-san-2.venafi.example","IP:10.20.30.40","IP:192.168.192.168","email:[email protected]" \
--parameter venafi_url="https://tpp.venafi.example" \
--parameter access_token="tn1PwE1QTZorXmvnTowSyA==" \
--parameter zone="DevOps\\OpenStack" \
--parameter trust_bundle=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURmVENDQW1XZ0F3SUJBZ0lRVW1ZR0tqdzdmazI1Ylg3K29KZDIyakFOQmdrcWhraUc5dzBCQVFzRkFEQkYKTVNjd0pRWURWUVFMRXg1V1pXNWhabWtnVDNCbGNtRjBhVzl1WVd3Z1EyVnlkR2xtYVdOaGRHVXhHakFZQmdOVgpCQU1URVdoaExYUndjREV1YzNGc2FHRXVZMjl0TUI0WERURTVNRFl4TnpJeE1UVXhPRm9YRFRJd01EWXhOakl4Ck1UVXhPRm93UlRFbk1DVUdBMVVFQ3hNZVZtVnVZV1pwSUU5d1pYSmhkR2x2Ym1Gc0lFTmxjblJwWm1sallYUmwKTVJvd0dBWURWUVFERXhGb1lTMTBjSEF4TG5OeGJHaGhMbU52YlRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRApnZ0VQQURDQ0FRb0NnZ0VCQUxTYW5RQ0JFUEtXaG1KYzZ0T1Fod1oweExqN25xbm1KWGwrUjF0am9XN3RKUk5kCjljTzRyQzI0RjNFdFNOdnlmRldtSjBidUxEcWNmbkdKR2tWazFkOWtVZWI0elJKbXU0RlBOa1VzdjRRUkRoSGUKc2FydEowZU8wN2Rpek5nMXU4SG0rek5DcGk3TFZQRDhHRGJHeVN0WTVRblE1ZGU0ZllBMnpaV2NQNldRUjU4VApJblE0Q1NtejhiV01iRXdtQTgxdGlNVVR3YWMwTEFuL0hhYjVjOUVhaDlwc0NqSmMydFJiUjhpbmRRQWVmMmEzCkl3VEE1VUpzSHdpRjBGSHFRY2RDSG56NCtEdUVnVUlaaWZCcUNxSkhWdG53S0xya0YzZTNWZDdLemJBQXkzNlcKd2N0ZUhsdFk5UGlFUlRBSnp5WHRBNklscm5XT1lqNlRzNkVCYWJVQ0F3RUFBYU5wTUdjd0hRWURWUjBPQkJZRQpGRmxVc29uYVpwd25RTE9iTTFFNUYwdzNYamQrTUFrR0ExVWRFd1FDTUFBd0hBWURWUjBSQkJVd0U0SVJhR0V0CmRIQndNUzV6Y1d4b1lTNWpiMjB3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BMEcKQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJYTnorMEJ1YzFlL2o2bnJoUHlRb0g2RDM3N0ptUmplMjBDQW5TSDlwNwpWMW5FeHlOMS83dGtXL0JTOEJtSlF4Ty84dWhBVXNVQ3FWalpleVZVRnN5czc4VE5YeEVQQncrT3lLMlJLVWJDCmJsYTFPa1dTWkxVb1A3WThoTysyWU80R1BnU25ndDhXMWR3dHdjQ1gvMFZEaFNDUEoxU2N0RXUwMHlkSlZpMWEKYkhqb1I5VG0xYXNyeG53Z0ttcGpxQlpsbWxaUDBvZDZyMTRFVFlIZjJKelFxa24rTjY4UHN5Mm1VZlo0ZDBpRQptajdnU0RwUlpvNlk2NHd0WlBoZU9mWlZCaEg3SjhxRUdRcjk5dW5kc0FvSVlla2NVSkd1RjhBRStFZUVuQllWCmNKQWZtYUE2Zmx0R0puVnZlTUpod29xRDVBNzNrcWpzRlNFeUNvZ3VncTRCCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K \
venafi-test-stack-01
The zone value for Venafi as a Service is comprised of an Application name and an Issuing Template API Alias that is associated with the Application (e.g. "Business App\Enterprise CIT").
openstack stack create -t venafi/resources/tests/fixtures/test_certificate.yml \
--parameter common_name="common-name.venafi.example" \
--parameter sans="DNS:dns-san-1.venafi.example","DNS:dns-san-2.venafi.example" \
--parameter api_key="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
--parameter zone="Business App\\Enterprise CIT" \
venafi-test-stack-02
Copyright © Venafi, Inc. All rights reserved.
This solution is licensed under the Apache License, Version 2.0. See LICENSE
for the full license text.
Please direct questions/comments to [email protected].