[FEATURE REQ] Supporting certificate onboarding to APIM
Please describe the feature.
As of now, we want to onboard certificates specifically to support mTLS in the backend. This APIM instance is shared across different teams, so it cannot be done at the infrastructure level unless there is already a recommended process from Microsoft to handle it.
Workaround
We can have additional PowerShell scripts that look into an mtls-certificates folder containing a spec.json file, whose content describes the Azure Key Vault and the certificate that needs to be synced from that Key Vault.
Access to the AKV is done through managed identities, so that the APIM instance's SPN can access the certificates to sync from AKV.
Standard Solution
Looking for something standard supported by ApiOps: how can we integrate that same process into ApiOps so that teams can onboard API-level certificates to support the mTLS scenario?
Note: I am happy to contribute with some guidance from the core maintainers.
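The workaround described above (a script that walks an mtls-certificates folder of spec.json files and registers each one in the shared APIM instance as a Key Vault-backed certificate), written out as an added example. This is not code from the issue author or from the apiops project. It assumes the Az.Accounts module with an active Connect-AzAccount session, the APIM REST certificate contract (properties.keyVault.secretIdentifier and properties.keyVault.identityClientId), and a spec.json layout of my own (certificateId, keyVault.secretIdentifier, keyVault.identityClientId) that is a constructed format, not an apiops artifact. The `mtls-certificates` folder name comes from the issue; everything else is an assumption.

```powershell
# Added example, not apiops code. Syncs Key Vault-backed certificates into a shared
# APIM instance from spec.json files found under mtls-certificates/<team>/<cert>/.
#
# Assumed (constructed) spec.json layout:
# {
#   "certificateId": "team-a-backend-client",
#   "keyVault": {
#     "secretIdentifier": "https://team-a-kv.vault.azure.net/secrets/backend-client-cert",
#     "identityClientId": null        // null => APIM's system-assigned identity
#   }
# }
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $ServiceName,
    [string] $SpecRoot   = 'mtls-certificates',
    [string] $ApiVersion = '2022-08-01'
)

$ErrorActionPreference = 'Stop'

# Validate a spec before it reaches the control plane. The rules are this example's
# own policy: the id must be a legal APIM entity name and the certificate must come
# from Key Vault (public-cloud DNS suffix assumed); no PFX material in the repo.
function Test-CertificateSpec {
    param([pscustomobject] $Spec, [string] $Path)

    if ($Spec.certificateId -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]{0,78}[A-Za-z0-9])?$') {
        throw "$Path`: certificateId must be 1-80 letters, digits or '-'"
    }
    $secretId = [string] $Spec.keyVault.secretIdentifier
    if ($secretId -notmatch '^https://[a-z0-9-]{3,24}\.vault\.azure\.net/secrets/[A-Za-z0-9-]{1,127}(/[0-9a-f]{32})?$') {
        throw "$Path`: keyVault.secretIdentifier must be an Azure Key Vault secret URI"
    }
    if ($secretId -match '/[0-9a-f]{32}$') {
        # A pinned version means APIM will not pick up renewed certificates.
        Write-Warning "$Path`: secretIdentifier pins a version; rotation in Key Vault will not propagate"
    }
    if ($Spec.keyVault.identityClientId -and
        $Spec.keyVault.identityClientId -notmatch '^[0-9a-fA-F-]{36}$') {
        throw "$Path`: keyVault.identityClientId must be the client id (GUID) of a user-assigned identity"
    }
}

# PUT the certificate as a Key Vault reference. APIM fetches the PFX with its own
# managed identity, so the secret never passes through this pipeline.
function Sync-ApimCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param([pscustomobject] $Spec)

    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.ApiManagement/service/$ServiceName" +
            "/certificates/$($Spec.certificateId)?api-version=$ApiVersion"

    $keyVault = @{ secretIdentifier = $Spec.keyVault.secretIdentifier }
    if ($Spec.keyVault.identityClientId) {
        $keyVault.identityClientId = $Spec.keyVault.identityClientId   # user-assigned identity
    }
    $payload = @{ properties = @{ keyVault = $keyVault } } | ConvertTo-Json -Depth 5

    if ($PSCmdlet.ShouldProcess("$ServiceName/certificates/$($Spec.certificateId)", 'PUT')) {
        $response = Invoke-AzRestMethod -Path $path -Method PUT -Payload $payload
        if ($response.StatusCode -notin 200, 201) {
            throw "PUT $($Spec.certificateId) failed ($($response.StatusCode)): $($response.Content)"
        }
        Write-Host "Synced '$($Spec.certificateId)' from $($Spec.keyVault.secretIdentifier)"
    }
}

$specFiles = Get-ChildItem -Path $SpecRoot -Filter spec.json -Recurse -File
if (-not $specFiles) { Write-Host "No spec.json found under $SpecRoot"; return }

$seen = @{}
foreach ($file in $specFiles) {
    $spec = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
    Test-CertificateSpec -Spec $spec -Path $file.FullName
    if ($seen.ContainsKey($spec.certificateId)) {
        # Two teams claiming the same id would silently overwrite each other.
        throw "Duplicate certificateId '$($spec.certificateId)' in $($file.FullName) and $($seen[$spec.certificateId])"
    }
    $seen[$spec.certificateId] = $file.FullName
    Sync-ApimCertificate -Spec $spec
}
```

Run it with `-WhatIf` from the pull-request check so a bad spec fails validation before anything is written, and without it from the publisher job. The APIM managed identity named in each spec (system-assigned, or the user-assigned one whose client id is given) needs secret read access on the referenced vault, which is the one step that still has to be granted outside this flow.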
Thank you for opening this issue! Please be patient while we look into it and get back to you, as this is an open source project. In the meantime, make sure you take a look at the [closed issues](https://github.com/Azure/apiops/issues?q=is%3Aissue+is%3Aclosed) in case your question has already been answered. Don't forget to provide any additional information if needed (e.g. scrubbed logs, detailed feature requests, etc.).
Whenever it's feasible, please don't hesitate to send a Pull Request (PR) our way. We'd greatly appreciate it, and we'll gladly assess and incorporate your changes.
Could you please elaborate on this scenario? How would you handle it outside of ApiOps?
@guythetechie Thanks for replying. In our case we have a Terraform setup, and the problem with adding certificates through Terraform is that all the teams have to request the shared instance owner to add the certificates to the APIM. The workflow outside ApiOps is to give the APIM instance permission to the Azure Key Vault, and then Terraform adds the entry with the Key Vault secret path to the certificate. If we can leverage this same flow through ApiOps, then teams can merge this spec file into the GitHub repo and the publisher can sync the portal.
@guythetechie Let me know if you still need more information. We can coordinate and see how we can progress further. Thanks!
We don't cover this as part of apiops. Our main focus with apiops is the API section.