OpenStack Heat Plugin for Venafi Trust Protection Platform and Venafi Cloud

Project description

Apache 2.0 License | Community Supported | Compatible with TPP 17.3+ & Cloud
This open source project is community-supported. To report a problem or share an idea, use Issues; and if you have a suggestion for fixing the issue, please include those details, too. In addition, use Pull Requests to contribute actual bug fixes or proposed enhancements. We welcome and appreciate all contributions. Got questions or want to discuss something with our team? Join us on Slack!

Venafi Heat Plugin for OpenStack

This solution implements an OpenStack Heat plugin that uses the VCert-Python library to simplify enrollment of the TLS certificates a stack needs while ensuring they comply with enterprise security policy. The plugin is designed to be used in a Heat template to request a certificate from Venafi Platform or Venafi Cloud for a Heat resource.

Installation

Install the pip packages into the same Python environment that heat-engine uses. The exact steps may differ for your OpenStack installation.

  1. Switch to the openstack user

  2. Determine python dist-package directory:

    python -m site
    
  3. Install the vcert and openstack-heat-plugin-venafi pip packages for use by the OpenStack instance:

    pip install openstack-heat-plugin-venafi
    
  4. Create the default plugin directory /usr/lib/heat:

    mkdir -p /usr/lib/heat
    
  5. Identify where the pip package has been installed:

    PIP_PKG_LOC=$(pip show openstack-heat-plugin-venafi | awk '/^Location:/{print $2}')
    
  6. Create a symbolic link for the installed plugin in the /usr/lib/heat directory:

    ln -s ${PIP_PKG_LOC}/openstack-heat-plugin-venafi /usr/lib/heat/
    
  7. Restart the Heat engine:

    sudo systemctl restart openstack-heat-engine.service
    

Usage

Review the provided example YAML test_certificate.yml. It is strongly recommended to export credentials as variables and add them as hidden parameters to the stack rather than hardcoding them in your configuration.

For Venafi Platform:

In most cases you will need to specify a trust bundle because the Venafi Platform is commonly secured using a certificate issued by a private enterprise PKI. To pass a trust_bundle you must first base64 encode the file contents as a single line (no line wrapping) and supply that string as the parameter value:

    TRUST_BUNDLE=$(base64 --wrap=0 /path/to/bundle.pem)
    openstack stack create -t venafi/resources/tests/fixtures/test_certificate.yml \
    --parameter common_name="common-name.venafi.example" \
    --parameter sans="DNS:dns-san-1.venafi.example","DNS:dns-san-2.venafi.example","IP:10.20.30.40","IP:192.168.192.168","email:opensource@venafi.com" \
    --parameter venafi_url="https://tpp.venafi.example" \
    --parameter access_token="tn1PwE1QTZorXmvnTowSyA==" \
    --parameter zone="DevOps\\OpenStack" \
    --parameter trust_bundle="${TRUST_BUNDLE}" \
    venafi-test-stack-01
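The following script is an added example, not part of the plugin or its README: it wraps the Venafi Platform request above so that the credentials come from exported variables, as recommended under Usage, the trust bundle is checked and base64-encoded without wrapping, and the SAN list is validated before the stack is created. VENAFI_URL, VENAFI_ACCESS_TOKEN and VENAFI_ZONE are assumed variable names, and OPENSTACK_CMD is an assumed hook that lets a test double stand in for the real openstack client.

```shell
#!/bin/sh
# Added example, not part of the plugin: request a certificate through the
# example template with the credentials exported as environment variables.
# VENAFI_URL, VENAFI_ACCESS_TOKEN and VENAFI_ZONE are assumed names, and
# OPENSTACK_CMD lets a test double stand in for the real openstack client.
set -eu

# Single-line base64 of a PEM bundle for the trust_bundle parameter.
# --wrap=0 never inserts line breaks, whereas --wrap=N breaks the value
# as soon as the bundle is longer than N characters.
encode_trust_bundle() {
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo "encode_trust_bundle: $1 contains no PEM certificate" >&2
        return 1
    fi
    base64 --wrap=0 "$1"
}

# Join SAN entries into the comma-separated form the sans parameter takes,
# rejecting anything that is not a DNS:, IP: or email: entry.
join_sans() {
    out=""
    for san in "$@"; do
        case "$san" in
            DNS:*|IP:*|email:*) ;;
            *) echo "join_sans: unsupported SAN '$san'" >&2; return 1 ;;
        esac
        out="${out:+$out,}$san"
    done
    printf '%s\n' "$out"
}

# Usage: request_platform_cert <common_name> <bundle.pem> <stack_name> <san>...
# Every value is handed over as its own argument, so neither the token nor
# the base64 blob needs shell quoting or a copy in a template file.
request_platform_cert() {
    cn="$1"; bundle="$2"; stack="$3"; shift 3
    sans=$(join_sans "$@")
    b64=$(encode_trust_bundle "$bundle")
    "${OPENSTACK_CMD:-openstack}" stack create \
        -t venafi/resources/tests/fixtures/test_certificate.yml \
        --parameter "common_name=$cn" \
        --parameter "sans=$sans" \
        --parameter "venafi_url=${VENAFI_URL:?export VENAFI_URL first}" \
        --parameter "access_token=${VENAFI_ACCESS_TOKEN:?export it first}" \
        --parameter "zone=${VENAFI_ZONE:?export VENAFI_ZONE first}" \
        --parameter "trust_bundle=$b64" \
        "$stack"
}
```

The access token is still passed to the openstack client on its command line, exactly as in the command above; what changes is that it is never written into a template or typed into the shell history.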

For Venafi Cloud:

Get the Zone ID value to use from the Venafi Cloud web console.

    openstack stack create -t venafi/resources/tests/fixtures/test_certificate.yml \
    --parameter common_name="common-name.venafi.example" \
    --parameter sans="DNS:dns-san-1.venafi.example","DNS:dns-san-2.venafi.example" \
    --parameter api_key="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
    --parameter zone="zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz" \
    venafi-test-stack-02

License

Copyright © Venafi, Inc. All rights reserved.

This solution is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.

Please direct questions/comments to opensource@venafi.com.

Source distribution: openstack-heat-plugin-venafi-0.2.0.tar.gz (9.8 kB)