Support both VCP regions
BUSINESS PROBLEM
Currently EU users of VCP are at a disadvantage in that they require additional configuration to make use of vcert.
For example when requesting a cert:
US:
vcert enroll -p vcp -t $VCP_ACCESS_TOKEN -z "tlspk-peter\tlspk" --cn gimme.cert.com --verbose --no-prompt --format json > mycert.json
EU:
vcert enroll -p vcp --url https://api.venafi.eu -t $VCP_ACCESS_TOKEN -z "Test1\Default" --cn gimme.cert.com --verbose --no-prompt --format json > mycert.json
VCP is the only platform I know of that has multiple backends, so there needs to be some way to identify the region you are using.
For reference, without the --platform|-p flag, vcert defaults to the TPP API paths, e.g.
vcert enroll --url https://api.venafi.eu -t $VCP_ACCESS_TOKEN -z "Test1\Default" --cn gimme.cert.com --verbose --no-prompt --format json > mycert.json
vCert: 2024/07/25 13:06:18 Warning: --platform not set. Attempting to best-guess platform from connection flags
vCert: 2024/07/25 13:06:18 Successfully connected to Trust Protection Platform
vCert: 2024/07/25 13:06:18 Got 404 Not Found status for POST https://api.venafi.eu/vedsdk/certificates/checkpolicy
vCert: 2024/07/25 13:06:18 Invalid status: 404 Not Found Server response:
PROPOSED SOLUTION(S)
I would like to make the experience consistent for users of both regions without adding more configuration. If anything we should reduce it.
- Do away with --platform and infer the platform from --url. Based on the fact that EU users have to provide it, why not make everyone provide it?
- Add EU / US specific values to --platform|-p, e.g. vcp-us|vcp-eu|vcp, where vcp could default to api.venafi.cloud for backwards compatibility.
- Add a --region flag that's only applicable when using --platform vcp. Valid values: EU|US.
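To make the three proposals concrete, here is an added example sketching how each could be resolved into a backend and base URL. This is illustrative code written for this page, not vcert's own code: the Platform values, the function names, the decision to treat any unknown https host as a self-hosted TPP instance, and the rejection of plain http are all assumptions; the two VCP hostnames are the ones quoted above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Platform names a vcert backend. These string values are assumptions made
// for this example, not identifiers from vcert itself.
type Platform string

const (
	PlatformTPP   Platform = "tpp"
	PlatformVCPUS Platform = "vcp-us"
	PlatformVCPEU Platform = "vcp-eu"
)

// Exact API base URLs of the two VCP regions, as quoted in the issue.
const (
	vcpUSURL = "https://api.venafi.cloud"
	vcpEUURL = "https://api.venafi.eu"
)

var vcpHosts = map[string]Platform{
	"api.venafi.cloud": PlatformVCPUS,
	"api.venafi.eu":    PlatformVCPEU,
}

// InferPlatform implements proposal 1: derive the platform from --url alone.
// It returns the platform and the base URL to use. An empty --url keeps the
// current behaviour of defaulting to VCP US. Hostnames are compared exactly
// (case-insensitively, port stripped), never by suffix, so a lookalike such as
// api.venafi.cloud.example.net is not mistaken for VCP. Anything that is not a
// known VCP host is assumed to be a self-hosted TPP instance.
func InferPlatform(rawURL string) (Platform, string, error) {
	if rawURL == "" {
		return PlatformVCPUS, vcpUSURL, nil
	}
	u, err := url.Parse(rawURL)
	if err != nil || u.Host == "" {
		return "", "", fmt.Errorf("--url %q is not an absolute URL", rawURL)
	}
	if u.Scheme != "https" {
		// The access token travels in this request; refuse to guess over plaintext.
		return "", "", fmt.Errorf("--url %q must use https", rawURL)
	}
	host := strings.ToLower(u.Hostname())
	if p, ok := vcpHosts[host]; ok {
		return p, "https://" + host, nil
	}
	return PlatformTPP, rawURL, nil
}

// ParsePlatformFlag implements proposal 2: region-specific --platform values,
// with a bare "vcp" kept as an alias for the US region for backwards compatibility.
// For tpp the returned base URL is empty because TPP still needs --url.
func ParsePlatformFlag(value string) (Platform, string, error) {
	switch strings.ToLower(strings.TrimSpace(value)) {
	case "tpp":
		return PlatformTPP, "", nil
	case "vcp", "vcp-us":
		return PlatformVCPUS, vcpUSURL, nil
	case "vcp-eu":
		return PlatformVCPEU, vcpEUURL, nil
	default:
		return "", "", fmt.Errorf("unknown --platform %q (expected tpp|vcp|vcp-us|vcp-eu)", value)
	}
}

// VCPURLForRegion implements proposal 3: a --region flag that is only valid
// together with --platform vcp. An empty region means US, again for backwards
// compatibility. For any other platform the result is empty and --region is rejected.
func VCPURLForRegion(platformFlag, region string) (string, error) {
	if !strings.EqualFold(strings.TrimSpace(platformFlag), "vcp") {
		if region != "" {
			return "", fmt.Errorf("--region is only valid with --platform vcp, not %q", platformFlag)
		}
		return "", nil
	}
	switch strings.ToUpper(strings.TrimSpace(region)) {
	case "", "US":
		return vcpUSURL, nil
	case "EU":
		return vcpEUURL, nil
	default:
		return "", fmt.Errorf("unknown --region %q (expected EU|US)", region)
	}
}

func main() {
	// Constructed sample inputs: the two VCP hosts, a TPP host, and a lookalike host.
	for _, raw := range []string{"", "https://api.venafi.eu", "https://API.VENAFI.CLOUD:443/",
		"https://tpp.corp.example/vedsdk", "https://api.venafi.cloud.example.net", "http://api.venafi.eu"} {
		p, base, err := InferPlatform(raw)
		fmt.Printf("--url %-40q -> platform=%-6s base=%s err=%v\n", raw, p, base, err)
	}
}
```

The exact-hostname match is the part worth keeping whichever proposal is chosen: the confusion described further down in this issue (seeing a .cloud suffix and assuming the US endpoint) is exactly the kind of mistake a suffix-based guess would bake into the tool.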
CURRENT ALTERNATIVES
N/A
VENAFI EXPERIENCE
I am currently a Venafi Employee.
ANY OTHER CONTEXT
When creating a service account with a VCP EU tenant, I got a URL back like this:
- https://api.eu.venafi.cloud/v1/oauth2/v2.0/<TENAND_ID>/token
I had just seen the .cloud suffix and therefore had not thought to change my follow-up vcert enroll command.
For example, in an EU tenant, to request a token via JWT, the command length / params are the same:
# EU / US
vcert getcred -p vcp --token-url $VCP_TOKEN_URL --external-jwt $JWT --verbose --format json
If I intended to script with the vcert CLI, then this command would change easily based on a variable. The enroll command, however, forces me to add an if and change the command based on the region I am using.