From 583407a84a8bc911d4ada616c3e0da9a7c30510c Mon Sep 17 00:00:00 2001 From: Luis Presuel Date: Fri, 22 Sep 2023 01:50:19 -0600 Subject: [PATCH 1/2] Rewrites some parts of the principal README. Adds relevant in for setting up aruba cucumber tests in aruba/README. --- README.md | 263 +++++++++++++++++++++++++++++++++------ aruba/README | 30 ----- aruba/README.md | 322 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 546 insertions(+), 69 deletions(-) delete mode 100644 aruba/README create mode 100644 aruba/README.md diff --git a/README.md b/README.md index be046de7..2df00af0 100644 --- a/README.md +++ b/README.md @@ -33,14 +33,14 @@ Custom Fields and Instance Tracking require TPP 18.2 or higher, and Token Authen 3. Download the source code: ```sh -go get github.com/Venafi/vcert/v4 +go get github.com/Venafi/vcert/v5 ``` or Pre Go 1.13 ```sh -git clone https://github.com/Venafi/vcert.git $GOPATH/src/github.com/Venafi/vcert/v4 +git clone https://github.com/Venafi/vcert.git $GOPATH/src/github.com/Venafi/vcert/v5 ``` Go 1.11 with go modules enabled or go 1.13 and up make sure to clone outside of `$GOPATH/src` @@ -59,7 +59,7 @@ make build For code samples of programmatic use, please review the files in [/examples](/examples/). ### Common part -1. In your main.go file, make the following import declarations: `github.com/Venafi/vcert/v4`, `github.com/Venafi/vcert/v4/pkg/certificate`, and `github.com/Venafi/vcert/v4/pkg/endpoint`. +1. In your main.go file, make the following import declarations: `github.com/Venafi/vcert/v5`, `github.com/Venafi/vcert/v5/pkg/certificate`, and `github.com/Venafi/vcert/v5/pkg/endpoint`. 1. Create a configuration object of type `&vcert.Config` that specifies the Venafi connection details. Solutions are typically designed to get those details from a secrets vault, .ini file, environment variables, or command line parameters. ### Enroll certificate @@ -96,41 +96,240 @@ go test -v ./example -run TestRequestCertificate The requirement for the CA Template to be assigned by policy follows a long standing Venafi best practice which also met our design objective to keep the certificate request process simple for VCert users. If you require the ability to specify the CA Template with the request you can use the TPP REST APIs but please be advised this goes against Venafi recommendations. -## Testing with Trust Protection Platform and Venafi as a Service +## Playbook functionality + +For detailed explanations about the playbook and how it is build please check here: [Readme Playbook](./README-PLAYBOOK.md) -Unit tests: +Information about how to e2e cucumber tests can be found here: [Playbook e2e testing with Aruba](./aruba/README.md) -```sh +## Contributing to VCert + +Venafi welcomes contributions from the developer community. + +### Preparing your own for to add changes + +1. Fork it to your account (https://github.com/Venafi/vcert/fork) +2. Clone your fork (`git clone git@github.com:youracct/vcert.git`) +3. Create a feature branch (`git checkout -b your-branch-name`) +4. Implement and test your changes +5. Commit your changes (`git commit -am 'Added some cool functionality'`) +6. Push to the branch (`git push origin your-branch-name`) +7. Create a new Pull Request (https://github.com/youracct/vcert/pull/new/your-branch-name) + +### Preparing tests environment + +In order for us to accept incoming changes, they must pass our internal pipeline which triggers this project's tests. +There are two types SDK tests (some of them are e2e) and Cucumber tests (all of them are e2e). +Even if contributing only SDK, you need to make sure SDK tests pass. + +For our integration tests side to work, Trust Protection Platform and Venafi as a Service require access to those products. + +#### SDK tests + +Every file that ends with `_test.go` should be run, generally +you will need to make to run the following ones that triggers +our SDK e2e tests. + +- `/pkg/venafi/cloud/connector_test.go` +- `/pkg/venafi/tpp/connector_test.go` + +>Note 1: +> - cloud -> TLSPC (previously know as VaaS) +> - tpp -> TLSPDC + +>Note 2: +> This may vary on the feature you are trying to update. + +For the e2e of our SDK tests to work you need to configure +environment variables in `/test/context.go`. + +In order to trigger all off SDK tests: + +``` make test ``` -Integration tests for Trust Protection Platform and Venafi as a Service require access to those products. Environment -variables are used to specify required settings including credentials. The VaaS API key and zone value -fragments (i.e. `Application Name`\\`Issuing Template API Alias`) are readily available in the web interface. +In order to run TLSPC tests, in the root of project run: -```sh -export TPP_URL=https://tpp.venafi.example/vedsdk -export TPP_USER=tpp-user -export TPP_PASSWORD=tpp-password -export TPP_ZONE='some\suggested_policy' -export TPP_ZONE_RESTRICTED='some\locked_policy' -export TPP_ZONE_ECDSA='some\ecdsa_policy' +``` +make cloud_test +``` +In order to run TLSPDC tests, in the root of project run: + +``` make tpp_test ``` -```sh -export CLOUD_URL=https://api.venafi.cloud/v1 -export CLOUD_APIKEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -export CLOUD_ZONE='My Application\Permissive CIT' -export CLOUD_ZONE_RESTRICTED='Your Application\Restrictive CIT' +In order to run Playbook tests, in the root of project run: -make cloud_test ``` +make playbook_test +``` + +##### SDK Environment variables + +###### TLSPDC related ENVs + +**TPP_USER and TPP_PASSWORD** + +We will use them to generate an access token on the go. That user +must have configured an API integration that is named `vcert-sdk` +which is the default one we use for testing and it needs to be +able to create an access token that has all the following scopes: +`certificate:discover,manage,revoke;configuration:manage;ssh:manage` + +**TPP_ZONE** + +- No domain restriction + +- CSR Generation: Accepts both user provided and service generated CSR's + +- Key algorithm `RSA` and key size defaults to `2048` + +- Private Key algorithm set to "High security but low system compatibility (SHA256 AES256)" or "Insecure but better system compatibility (SHA1 3DES)". + +- Configured Microsoft CA with default certificate validity for 8 years + + +**TPP_ZONE_RESTRICTED** + +Same as **TPP_ZONE** but only difference would be restricting the domain as follows: + + - vfidev.com + - vfidev.net + - vfide.org + + +**TPP_ZONE_ECDSA** + +Same as **TPP_ZONE** but only difference would be the private key type: + +Key Algorithm `ECC` and Elliptic Curve `P521` + +**TPP_CA_NAME** + +The CA template that need to use for Policy management related tests. + +**TPP_PM_ROOT** + +The Policy that need to use for Policy management related tests. + +>Note: we have disabled **TestGetPolicy** test that uses **TPP_POLICY_MANAGEMENT_SAMPLE**. +This is just for dev purposes, you can enable the test for testing and then let it back to be skipped. + +**TPP_SSH_CA** + +The SSH CA template that we use for requesting SSH certificates. +It should be able to accept requests for "test.com" + +**TPP_ZONE_SEARCH_CERT** + +The Policy we use for Search Certificate feature that allows to Query valid certificates. +It should just be a different policy to regular ones so it doesn't query a certificate that's not +expected for the test. + +###### TLSPC related ENVs + +**CLOUD_APIKEY** + +It only needs API KEY bound to a user that is able to create +service generated CSR. + +**CLOUD_ZONE** + +Needs the following configuration: + +- Encryption and Validity: `VaaS or user generated` + +- Validity: `90 days` + +- Key Algorithm: `RSA 2048`, `RSA 4096` + +- Common Name and Subject Alternative Names: No restriction applied. + +**CLOUD_ZONE_RESTRICTED** + +Needs the following configuration: + +- Encryption and Validity: `VaaS or user generated` + +- Validity: `1 weeks` + +- Key Algorithm: `RSA 2048`, `RSA 4096` + +- Common Name and Subject Alternative Names + + - Common Name: `.*\.vfidev\.com` + + - DNS (SAN): `.*\.vfidev\.com` + +- CSR Parameters + + - Organization (O): `Venafi Inc.\` + + - Organizational Unit (OU): `Integrations`, `Integration` + + - City (L): `Salt Lake` + + - State (ST): `utah` + + - Country (C): `US` + + +**VAAS_ZONE_EC** + +- Encryption and Validity: `VaaS generated` + +- Validity: `90 days` + +- Key Algorithm: `EC P256`, `EC P384`, `EC P521`, `EC ED25519` + +> Note: This order of the key algorithm is important as we expect it +> to be in this in order in test: **TestReadPolicyConfigurationOnlyEC** + +- Common Name and Subject Alternative Names + + - Common Name: `[a-z]{1}[a-z0-9.-]*\.vfidev\.com` + + - DNS (SAN): `[a-z]{1}[a-z0-9.-]*\.vfidev\.com` + +- CSR Parameters + + - Organization (O): `Venafi Inc.\` + + - Organizational Unit (OU): `Integrations`, `Integration` + + - City (L): `Salt Lake` + + - State (ST): `utah` + + - Country (C): `US` + +**CLOUD_ENTRUST_CA_NAME** + +An Entrust CA enabled, that we will just need to verify we can create +a policy for it in our "Policy Management" feature + +**CLOUD_DIGICERT_CA_NAME** + +A Digicert CA enabled, that we will just need to verify we can create +a policy for it in our "Policy Management" feature + +**CLOUD_CA_NAME** + +A Venafi Built-in CA enabled, that we will just need to verify we can create +a policy for it in our "Policy Management" feature + + +>Note: we have disabled **TestGetPolicy** test that uses **CLOUD_POLICY_MANAGEMENT_SAMPLE**. +This is just for dev purposes, you can enable the test for testing and then let it back to be skipped. + +### Cucumber Tests Command line utility tests make use of [Cucumber & Aruba](https://github.com/cucumber/aruba) feature files. -- To run tests for all features in parallel: +- To run tests for all features: ```sh make cucumber @@ -143,23 +342,9 @@ make cucumber FEATURE=./features/basic/version.feature ``` When run, these tests will be executed in their own Docker container using the Ruby version of Cucumber. -The completed test run will report on the number of test "scenarios" and "steps" that passed, failed, or were skipped. +The completed test run will report on the number of test "scenarios" and "steps" that passed, failed, or were skipped. -## Playbook functionality - -For detailed explanations about the playbook and how it is build please check here: [Readme Playbook](./README-PLAYBOOK.md) - -## Contributing to VCert - -Venafi welcomes contributions from the developer community. - -1. Fork it to your account (https://github.com/Venafi/vcert/fork) -2. Clone your fork (`git clone git@github.com:youracct/vcert.git`) -3. Create a feature branch (`git checkout -b your-branch-name`) -4. Implement and test your changes -5. Commit your changes (`git commit -am 'Added some cool functionality'`) -6. Push to the branch (`git push origin your-branch-name`) -7. Create a new Pull Request (https://github.com/youracct/vcert/pull/new/your-branch-name) +For detailed explanations about how set up the cucumber tests please check here: [Readme Aruba + Cucumber](./aruba/README.md) ## License diff --git a/aruba/README b/aruba/README deleted file mode 100644 index d47867e1..00000000 --- a/aruba/README +++ /dev/null @@ -1,30 +0,0 @@ - - -=== RubyMine Setup === - - 1. building the app every scenario run - - Run -> Edit Configurations... - - Templates -> Cucumber - - Add Before launch: External tool - - Program: /usr/local/go/bin/go - Arguments: build -o bin/vcert ../cmd/vcert - Working directory: $GOPATH/src/github.com/Venafi/vcert/v4/aruba - - OK -> OK -> Apply -> OK - - - 2. setting up local variables so that real-run scenarios knocks to real endpoints from IDE: - - $ vi aruba/features/step_definitions/0.endpoints.rb - - ENV['TPP_URL'] = "https://tpp.venafi.example.com:5008/vedsdk" - ENV['TPP_USER'] = "user" - ENV['TPP_PASSWORD'] = "xxx" - ENV['TPP_ZONE'] = 'some\zone' - ENV['CLOUD_URL'] = "https://api.venafi.example.com/v1" - ENV['CLOUD_APIKEY'] = "xxxxxxxx-b256-4c43-a4d4-15372ce2d548" - ENV['CLOUD_ZONE'] = "Default" diff --git a/aruba/README.md b/aruba/README.md new file mode 100644 index 00000000..9f05729c --- /dev/null +++ b/aruba/README.md @@ -0,0 +1,322 @@ + +# Cucumber tests setup + +## Cucumber tests environment variables + +We need to define the following environment variables, you can find out more +about you need for them in [here](./../README.md#sdk-environment-variables): + +- TPP_URL +- TPP_USER +- TPP_PASSWORD +- TPP_ACCESS_TOKEN +- TPP_ZONE +- TPP_ZONE_ECDSA +- CLOUD_URL +- CLOUD_APIKEY +- CLOUD_ZONE + +Then also we need to define these, that are as well needed for cucumber tests: + +**TPP_IP** + +The IP of your TPP instance, we will need it to add it in the Docker container `/etc/hosts` file + +**TPP_CN** + +The Common Name of your TPP instance, we will to add it in the Docker container `/etc/hosts` file + +**TPP_TRUST_BUNDLE** + +When running the Docker container, you need to let know cucumber where to find the TPP trust bundle, this is +so we can make secure connection. In this case this should be the same as depicted in the [Dockerfile](./Dockerfile): +`/vcert/tpp/` +plus the name of the file (we recommend this name, also is git-ignored by our project, you can see it [here](./../.gitignore)) +`tpp-bundle.pem` +resulting in full path: +`/vcert/tpp/tpp-bundle.pem` + +>**Note:** While testing/debugging directly on IDE, you will to set this value as where it's located in your local machine. + +**FIREFLY_CA_BUNDLE** + +When running the Docker container, you need to let know cucumber where to find the TPP trust bundle, this is +so we can make secure connection. In this case this should be the same as depicted in the [Dockerfile](./Dockerfile): +`/vcert/firefly/` +plus the name of the file (we recommend this name, also is git-ignored by our project, you can see it [here](./../.gitignore)) +`firefly-bundle.pem` +resulting in full path: +`/vcert/aruba/firefly-bundle.pem` + +**FIREFLY_ZONE** + +We use OKTA as our Identity Provider for Firefly, so you will need the following env variables: + +**OKTA_AUTH_SERVER** + +You auth OKTA server, you should be able to find how is formed in your OKTA Developer Panel + +E.g.: +`https://dev-fdsfdsfsdf.okta.com/oauth2/sfdsfsdfsdfd"` + +We support 2 flows for e2e testing. "Secret Auth" and "Password Auth": + +For "Secret Auth" flow you need to defined following variables: + +**OKTA_CLIENT_ID**: Your "Secret Auth" flow application ID + +**OKTA_CLIENT_SECRET**: Your "Secret Auth" flow secret string + +For "Password Auth" flow you need to defined following variables: + +**OKTA_CLIENT_ID_PASS**: Your "Password Auth" flow application ID + +**OKTA_CREDS_USR**: Your username for "Password Auth" flow + +**OKTA_CREDS_PSW**: Your password for "Password Auth" flow + +## Playbook testing with cucumber and aruba + +In order to write e2e testing with aruba for playbook, there are 3 steps: + +- Writing the Playbook YAML +- Executing and validating the output +- Removing generated files + +### Writing the Playbook YAML + +you'll need to provide the structure of the YAML as +if you are describing every value for it as the following Ruby classes: + +- Installation +- Location +- Object +- Request +- PlaybookTask + +All of them mimic the YAML file field counterparts (you can see all the available value for them in [here](./features/playbook/support/aruba.rb)) + +The starting point for creating a Playbook YAML file will be as follows: + +1. `Given I have playbook with connection details` + +For example, for TPP this will create the equivalent of: +```YAML +config: + connection: + type: tpp + credentials: + clientId: vcert-sdk + accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}' + refreshToken: '{{ Env "TPP_REFRESH_TOKEN" }}' + trustBundle: /path/to/my/trustbundle.pem # TrustBundle for TPP connection + url: https://tpp.venafi.example # URL to TPP instance +``` + +2. `I have playbook with certificateTasks block` + +This will initialize a certificate block, it's important doing these initializations before actually populating +keys and values for the object. + +3. `And I have playbook with task named "myCertificateInstallation"` + +This will start populating the task with name as "myCertificateInstallation" + +4. `And task named "myCertificateInstallation" has request` + +Now we are starting to populate the request block + +5. Populating following request values: +`And task named "myCertificateInstallation" has request with "csr" value "service"` +`And task named "myCertificateInstallation" has request with "keyType" value "rsa"` +`And task named "myCertificateInstallation" has request with "keySize" value "4096"` + + +6. `And task named "myCertificateInstallation" has request with default zone` + +This will look for the zone that you had set for environment variables depending on the Venafi Platform you are writing +this test: + +- **TPP_ZONE** (TLSPDC) +- **CLOUD_ZONE** (TLSPC) +- **FIREFLY_ZONE** + +From 2 to 6 we have produced the following block: + +```YAML +certificateTasks: + name: myCertificateInstallation + request: + csr: service + keyType: rsa + keySize: 4096 + zone: Devops\vcert +``` +7. `And task named "myCertificateInstallation" request has subject` + +In here we start providing a subject block + +8. Then we start populating subject values: + +``` +And task named "myCertificateInstallation" request has subject with "country" value "US" +And task named "myCertificateInstallation" request has subject with "locality" value "Salt Lake City" +And task named "myCertificateInstallation" request has subject with "province" value "Utah" +And task named "myCertificateInstallation" request has subject with "organization" value "Venafi Inc" +And task named "myCertificateInstallation" request has subject with "orgUnits" value "engineering,marketing" +``` + +you could also do the following step to do the above: + +`And task named "myCertificateInstallation" request has subject with default values` + +9. `And task named "myCertificateInstallation" request has subject random CommonName` + +We use this predefined step to create a random name for us. + +10. `And task named "myCertificateInstallation" has installations` + +We provide an installation block + +11. `And task named "myCertificateInstallation" has installation format PEM with file name "c1.cer", chain name "ch1.cer", key name "k1.pem" with installation` + +From step 7 to 11, we have generated this block: + +```YAML + subject: + country: US + locality: Salt Lake City + province: Utah + organization: Venafi Inc + orgUnits: + - engineering + - marketing + commonName: 1692387475-0dgrf.venafi.example.com + installations: + - format: PEM + file: '{{- Env "PWD" }}/tmp/aruba/cert.cer' + chainFile: '{{- Env "PWD" }}/tmp/aruba/chain.cer' + keyFile: '{{- Env "PWD" }}/tmp/aruba/key.pem' + afterInstallAction: echo SuccessInstall +``` + +12. `And I created playbook named "" with previous content` + +This is the last step for generating the YAML, we need this to convert the Ruby generated objects +to an actual Playbook that VCert will run. + +Then putting all together, we have the resulting YAML: + +```YAML +--- +config: + connection: + type: tpp + credentials: + clientId: vcert-sdk + accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}' + trustBundle: /path/to/my/trustbundle.pem # TrustBundle for TPP connection + url: https://tpp.venafi.example # URL to TPP instance +certificateTasks: + name: myCertificateInstallation + request: + csr: service + keyType: rsa + keySize: 4096 + zone: Devops\vcert + subject: + country: US + locality: Salt Lake City + province: Utah + organization: Venafi Inc + orgUnits: + - engineering + - marketing + commonName: 1692387475-0dgrf.venafi.example.com + installations: + - format: PEM + file: '{{- Env "PWD" }}/tmp/aruba/c1.cer' + chainFile: '{{- Env "PWD" }}/tmp/aruba/ch1.cer' + keyFile: '{{- Env "PWD" }}/tmp/aruba/k1.pem' + afterInstallAction: echo SuccessInstall +``` + +If you want to find this generated file during debugging, aruba automatically +adds it to `/tmp/aruba/file_name.yml`; of course, assuming you are launching tests +from your IDE and not for Docker. + +### Executing and validating the output + +Continuing the previous steps: + +13. We will now execute VCert with our YAML: + +``` +And I run `vcert run -f ` +``` + +14. And then start validating: + +We validate output: + +``` +Then the output should contain "successfully executed after-install actions" +And the output should contain "playbook run finished" +``` + +We validate file exists: + +``` +And a file named "cert.cer" should exist +And a file named "chain.cer" should exist +And a file named "key.pem" should exist +``` + +We validate that files meet our expectations: + +``` +And playbook generated private key in "k1.pem" and certificate in "c1.cer" should have the same modulus +And "k1.pem" should not be encrypted RSA private key +And "k1.pem" should be RSA private key with password "" +``` + +### Removing generated files + +Although if you are re-using the name of the YAML file Aruba will overwrite it +on every test, It's always good practice removing these files at the end of every test. + +15. we remove the files we created: +``` +And I uninstall file named "c1.cer" +And I uninstall file named "ch1.cer" +And I uninstall file named "k1.pem" +``` + +## RubyMine Setup + +1. building the app every scenario run + + Run -> Edit Configurations... + + Templates -> Cucumber + + Add Before launch: External tool + + Program: /usr/local/go/bin/go + Arguments: build -o bin/vcert ../cmd/vcert + Working directory: $GOPATH/src/github.com/Venafi/vcert/v4/aruba + + OK -> OK -> Apply -> OK + + +2. setting up local variables so that real-run scenarios knocks to real endpoints from IDE: + + $ vi aruba/features/step_definitions/0.endpoints.rb + + ENV['TPP_URL'] = "https://tpp.venafi.example.com:5008/vedsdk" + ENV['TPP_USER'] = "user" + ENV['TPP_PASSWORD'] = "xxx" + ENV['TPP_ZONE'] = 'some\zone' + ENV['CLOUD_URL'] = "https://api.venafi.example.com/v1" + ENV['CLOUD_APIKEY'] = "xxxxxxxx-b256-4c43-a4d4-15372ce2d548" + ENV['CLOUD_ZONE'] = "Default" From 988f29d9f35163bece8f7e7f7835b21f4f13a996 Mon Sep 17 00:00:00 2001 From: Luis Presuel Date: Fri, 22 Sep 2023 02:05:12 -0600 Subject: [PATCH 2/2] Adds links for titles of create playbook process and fixes some of the code template blocks --- aruba/README.md | 102 ++++++++++++++++++++++++------------------------ 1 file changed, 51 insertions(+), 51 deletions(-) diff --git a/aruba/README.md b/aruba/README.md index 9f05729c..fd8f48dd 100644 --- a/aruba/README.md +++ b/aruba/README.md @@ -79,9 +79,9 @@ For "Password Auth" flow you need to defined following variables: In order to write e2e testing with aruba for playbook, there are 3 steps: -- Writing the Playbook YAML -- Executing and validating the output -- Removing generated files +- [Writing the Playbook YAML](./README#writing-the-playbook-yaml) +- [Executing and validating the output](./README#executing-and-validating-the-output) +- [Removing generated files](./README#removing-generated-files) ### Writing the Playbook YAML @@ -145,12 +145,12 @@ From 2 to 6 we have produced the following block: ```YAML certificateTasks: - name: myCertificateInstallation - request: - csr: service - keyType: rsa - keySize: 4096 - zone: Devops\vcert + name: myCertificateInstallation + request: + csr: service + keyType: rsa + keySize: 4096 + zone: Devops\vcert ``` 7. `And task named "myCertificateInstallation" request has subject` @@ -184,20 +184,20 @@ From step 7 to 11, we have generated this block: ```YAML subject: - country: US - locality: Salt Lake City - province: Utah - organization: Venafi Inc - orgUnits: - - engineering - - marketing - commonName: 1692387475-0dgrf.venafi.example.com - installations: - - format: PEM - file: '{{- Env "PWD" }}/tmp/aruba/cert.cer' - chainFile: '{{- Env "PWD" }}/tmp/aruba/chain.cer' - keyFile: '{{- Env "PWD" }}/tmp/aruba/key.pem' - afterInstallAction: echo SuccessInstall + country: US + locality: Salt Lake City + province: Utah + organization: Venafi Inc + orgUnits: + - engineering + - marketing + commonName: 1692387475-0dgrf.venafi.example.com +installations: + - format: PEM + file: '{{- Env "PWD" }}/tmp/aruba/cert.cer' + chainFile: '{{- Env "PWD" }}/tmp/aruba/chain.cer' + keyFile: '{{- Env "PWD" }}/tmp/aruba/key.pem' + afterInstallAction: echo SuccessInstall ``` 12. `And I created playbook named "" with previous content` @@ -210,35 +210,35 @@ Then putting all together, we have the resulting YAML: ```YAML --- config: - connection: - type: tpp - credentials: - clientId: vcert-sdk - accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}' - trustBundle: /path/to/my/trustbundle.pem # TrustBundle for TPP connection - url: https://tpp.venafi.example # URL to TPP instance + connection: + type: tpp + credentials: + clientId: vcert-sdk + accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}' + trustBundle: /path/to/my/trustbundle.pem # TrustBundle for TPP connection + url: https://tpp.venafi.example # URL to TPP instance certificateTasks: - name: myCertificateInstallation - request: - csr: service - keyType: rsa - keySize: 4096 - zone: Devops\vcert - subject: - country: US - locality: Salt Lake City - province: Utah - organization: Venafi Inc - orgUnits: - - engineering - - marketing - commonName: 1692387475-0dgrf.venafi.example.com - installations: - - format: PEM - file: '{{- Env "PWD" }}/tmp/aruba/c1.cer' - chainFile: '{{- Env "PWD" }}/tmp/aruba/ch1.cer' - keyFile: '{{- Env "PWD" }}/tmp/aruba/k1.pem' - afterInstallAction: echo SuccessInstall + name: myCertificateInstallation + request: + csr: service + keyType: rsa + keySize: 4096 + zone: Devops\vcert + subject: + country: US + locality: Salt Lake City + province: Utah + organization: Venafi Inc + orgUnits: + - engineering + - marketing + commonName: 1692387475-0dgrf.venafi.example.com + installations: + - format: PEM + file: '{{- Env "PWD" }}/tmp/aruba/c1.cer' + chainFile: '{{- Env "PWD" }}/tmp/aruba/ch1.cer' + keyFile: '{{- Env "PWD" }}/tmp/aruba/k1.pem' + afterInstallAction: echo SuccessInstall ``` If you want to find this generated file during debugging, aruba automatically