Follow the steps in this topic to set up a ClusterIssuer for cert-manager using Venafi TPP. For more information, refer to the steps given here: https://cert-manager.io/docs/configuration/venafi/#creating-a-venafi-trust-protection-platform-issuer

When you start a Cloudera Data Services on premises service installation, make sure that you have installed a cluster issuer to use third-party certificates. To validate that a cluster issuer is valid, apply the following rules:
- A ClusterIssuer can be created without the annotation, but it is not activated until the following annotation is added (use the value longlived or shortlived, depending on the issuer):

  kubectl annotate clusterissuer <ISSUER_NAME> issuer.cdp.cloudera.com/type=<longlived|shortlived>

- The ClusterIssuer must carry that annotation to be activated, along with the label set as follows:

  kubectl label clusterissuer <ISSUER_NAME> issuer.cdp.cloudera.com/project=<CDP_NAMESPACE>

  In Cloudera Embedded Container Service and OCP, the CDP_NAMESPACE is "cdp".
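The two rules above are easy to get wrong by hand (a missing annotation silently leaves the issuer inactive, and a label pointing at the wrong namespace is not reported by cert-manager). The following script is an added example, not code from the Cloudera documentation or from the cert-manager project: it reads the JSON that `kubectl get clusterissuer -o json` prints and reports every issuer that is not activated, not labelled for the CDP namespace, or not Ready. The sample objects, the issuer names and the URL `venafi.example.invalid` in it are constructed for the example.

```python
# Added example (not from the Cloudera page or the cert-manager project): check that
# ClusterIssuer objects satisfy the activation rules. Reads the JSON that
# `kubectl get clusterissuer -o json` prints; the sample objects below are constructed.
import json
import sys

TYPE_ANNOTATION = "issuer.cdp.cloudera.com/type"
PROJECT_LABEL = "issuer.cdp.cloudera.com/project"
VALID_TYPES = ("longlived", "shortlived")


def check_cluster_issuer(obj, cdp_namespace="cdp"):
    """Return a list of problems for one ClusterIssuer; an empty list means activated and Ready."""
    meta = obj.get("metadata") or {}
    annotations = meta.get("annotations") or {}
    labels = meta.get("labels") or {}
    name = meta.get("name", "<unnamed>")
    problems = []

    if obj.get("kind") != "ClusterIssuer":
        problems.append(f"{name}: kind is {obj.get('kind')!r}, expected ClusterIssuer")

    # Rule 1: the type annotation is what activates the issuer, and only two values are meaningful.
    issuer_type = annotations.get(TYPE_ANNOTATION)
    if issuer_type is None:
        problems.append(f"{name}: missing annotation {TYPE_ANNOTATION}; the issuer is not activated")
    elif issuer_type not in VALID_TYPES:
        problems.append(f"{name}: {TYPE_ANNOTATION}={issuer_type!r}, expected one of {VALID_TYPES}")

    # Rule 2: the project label must name the CDP namespace ("cdp" on ECS and OCP).
    project = labels.get(PROJECT_LABEL)
    if project != cdp_namespace:
        problems.append(f"{name}: label {PROJECT_LABEL}={project!r}, expected {cdp_namespace!r}")

    # Sanity checks on the Venafi TPP configuration the issuer references.
    tpp = ((obj.get("spec") or {}).get("venafi") or {}).get("tpp") or {}
    if not tpp:
        problems.append(f"{name}: spec.venafi.tpp is not set")
    else:
        if not str(tpp.get("url", "")).startswith("https://"):
            problems.append(f"{name}: spec.venafi.tpp.url must be an https:// URL")
        if not (tpp.get("credentialsRef") or {}).get("name"):
            problems.append(f"{name}: spec.venafi.tpp.credentialsRef.name is not set")

    # The READY column of `kubectl get clusterissuer` comes from this status condition.
    conditions = (obj.get("status") or {}).get("conditions") or []
    ready = any(c.get("type") == "Ready" and c.get("status") == "True" for c in conditions)
    if not ready:
        problems.append(f"{name}: Ready condition is not True")
    return problems


def check_document(doc, cdp_namespace="cdp"):
    """Accept one object or a kubectl List; return {issuer name: [problems]}."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return {(it.get("metadata") or {}).get("name", "<unnamed>"): check_cluster_issuer(it, cdp_namespace)
            for it in items}


def sample_issuer(name, annotations, labels, ready="True"):
    """Build a constructed sample ClusterIssuer object (test data, not from a real cluster)."""
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "ClusterIssuer",
        "metadata": {"name": name, "annotations": annotations, "labels": labels},
        "spec": {"venafi": {"zone": "\\VED\\Policy\\Cloudera\\Longlived",
                            "tpp": {"url": "https://venafi.example.invalid:443",
                                    "credentialsRef": {"name": "tpp-secret"}}}},
        "status": {"conditions": [{"type": "Ready", "status": ready}]},
    }


# Constructed samples: one issuer that follows the rules, and one created without the
# annotation and with the label pointing at the wrong namespace.
SAMPLE_GOOD = sample_issuer("tpp-issuer", {TYPE_ANNOTATION: "longlived"}, {PROJECT_LABEL: "cdp"})
SAMPLE_INACTIVE = sample_issuer("tpp-issuer-draft", {}, {PROJECT_LABEL: "default"})

if __name__ == "__main__":
    # Usage: kubectl get clusterissuer -o json | python3 check_issuer.py
    report = check_document(json.load(sys.stdin))
    for issuer, problems in report.items():
        print(f"{issuer}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
    sys.exit(1 if any(report.values()) else 0)
```

Pipe the live output of `kubectl get clusterissuer -o json` into the script; a non-zero exit means at least one issuer would be ignored by the Cloudera installation or is not Ready.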
Once this is set up, you can test it by creating a test certificate and checking in the Venafi TPP instance that the certificate was issued. A sample certificate looks like:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-cert
  namespace: default
spec:
  secretName: test-venafi-tls # This will store the certificate
  issuerRef:
    name: tpp-issuer
    kind: ClusterIssuer
  commonName: test.cdp.svc.cluster.local
  dnsNames:
    - test.cdp.svc.cluster.local
  privateKey:
    algorithm: RSA
    size: 2048
An example setup is as follows:

- Make sure cert-manager is installed and all pods are up and running in the cert-manager namespace.

- Create a secret in the cert-manager namespace with the credentials used to communicate with the Venafi TPP instance. Refer to the following example. Put the following contents in a file called tpp-secret.yaml:

  apiVersion: v1
  data:
    password: <password>   # values under data must be base64-encoded
    username: <username>   # values under data must be base64-encoded
  kind: Secret
  metadata:
    name: tpp-secret
    namespace: cert-manager
  type: Opaque

  kubectl apply -f tpp-secret.yaml

  or

  kubectl create secret generic tpp-secret \
    --from-literal=username='<username>' \
    --from-literal=password='<password>' \
    -n cert-manager

- If Venafi is configured with a custom CA, create a secret in the cert-manager namespace holding the CA certificate, using the following command:

  kubectl create secret generic qe-tpp-ca --from-file=ca.crt -n cert-manager

  The ca.crt file must contain a CA certificate, that is, its X509v3 Basic Constraints extension must read CA:TRUE.
- Create the ClusterIssuer resources to be used with cert-manager using the following commands. Refer to the following examples:

  - Longlived cluster issuer (365 days validity). Put the following contents in a file called longlived-issuer.yaml:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      annotations:
        issuer.cdp.cloudera.com/type: longlived
      labels:
        issuer.cdp.cloudera.com/project: cdp
      name: tpp-issuer
    spec:
      venafi:
        tpp:
          url: https://<venafi.at.yourorg.com>:<port>
          credentialsRef:
            name: tpp-secret
          caBundleSecretRef:
            name: qe-tpp-ca
            key: ca.crt
        zone: \VED\Policy\Cloudera\Longlived

    Run the following command to create the ClusterIssuer resource:

    kubectl apply -f longlived-issuer.yaml

    The ClusterIssuer should be configured successfully, that is, the READY column should have the value True:

    kubectl get clusterissuer tpp-issuer
    NAME         READY   AGE
    tpp-issuer   True    26h

  - Shortlived cluster issuer (24 hours validity). Put the following contents in a file called shortlived-issuer.yaml:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      annotations:
        issuer.cdp.cloudera.com/type: shortlived
      labels:
        issuer.cdp.cloudera.com/project: cdp
      name: tpp-issuer-short
    spec:
      venafi:
        tpp:
          url: https://<venafi.at.yourorg.com>:<port>
          credentialsRef:
            name: tpp-secret
          caBundleSecretRef:
            name: qe-tpp-ca
            key: ca.crt
        zone: \VED\Policy\Cloudera\Shortlived

    Run the following command to create the ClusterIssuer resource:

    kubectl apply -f shortlived-issuer.yaml

    The ClusterIssuer should be configured successfully, that is, the READY column should have the value True:

    kubectl get clusterissuer tpp-issuer-short
    NAME               READY   AGE
    tpp-issuer-short   True    26h
Once the test is successfully verified, the test certificate can be deleted by running the following command:

kubectl delete certificate test-cert
Venafi TPP (Trust Protection Platform) can require a custom field to be included in all certificate issuance API requests; whether the field is mandatory or not depends on how the custom field is configured on Venafi TPP.

The Custom Annotation Support in Certificate Manager feature enables support for custom annotation fields defined in the Venafi ClusterIssuer with their specified values. It automatically injects the required Venafi custom field annotation (venafi.cert-manager.io/custom-fields) into CertificateRequest objects at creation, ensuring the fields are included in all Venafi certificate issuance API calls.

Annotations with dynamic values, such as those generated from environment variables or the cluster name, are not supported.

For example, to add a custom Venafi field annotation NBKID with the value ADFS:1234554321 to the ClusterIssuer named tpp-issuer-e2e-lbd60c, use the following command:

kubectl patch clusterissuer tpp-issuer-e2e-lbd60c --type='merge' \
  -p '{"metadata":{"annotations":{"venafi.cert-manager.io/custom-fields":"[{\"name\":\"NBKID\",\"value\":\"ADFS:1234554321\"}]"}}}'
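The annotation value is a JSON list embedded as a string inside a JSON merge patch, so the hand-written command above carries two levels of escaping, and a single misplaced backslash produces an annotation that cert-manager cannot parse. The following script is an added example, not code from the Cloudera documentation or from the cert-manager project: it generates the annotation and the complete kubectl patch command from a plain Python dictionary, and it validates an annotation value read back from an issuer (for instance after `kubectl get clusterissuer ... -o jsonpath`) so that malformed or duplicate entries are caught before a CertificateRequest is created. The helper names are this example's own; the field name NBKID, value ADFS:1234554321 and issuer name tpp-issuer-e2e-lbd60c are the ones from the page.

```python
# Added example (not Cloudera's or cert-manager's own code): build and validate the
# venafi.cert-manager.io/custom-fields annotation instead of hand-escaping the JSON.
import json
import shlex

CUSTOM_FIELDS_ANNOTATION = "venafi.cert-manager.io/custom-fields"


def custom_fields_annotation(fields):
    """Serialise {field name: value} into the JSON list the annotation carries.

    Values are sent to Venafi TPP as the literal strings given here; dynamic
    values (environment variables, cluster name) are not expanded anywhere.
    """
    entries = [{"name": str(name), "value": str(value)} for name, value in fields.items()]
    return json.dumps(entries, separators=(",", ":"))


def merge_patch(fields):
    """Build the JSON merge patch passed to `kubectl patch ... --type=merge -p`."""
    body = {"metadata": {"annotations": {CUSTOM_FIELDS_ANNOTATION: custom_fields_annotation(fields)}}}
    return json.dumps(body, separators=(",", ":"))


def patch_command(issuer_name, fields):
    """Return the full kubectl command line, shell-quoted so the embedded quotes survive."""
    return (f"kubectl patch clusterissuer {shlex.quote(issuer_name)} --type=merge "
            f"-p {shlex.quote(merge_patch(fields))}")


def parse_custom_fields(annotation_value):
    """Validate an annotation value read back from an issuer; return {name: value} or raise ValueError."""
    try:
        entries = json.loads(annotation_value)
    except json.JSONDecodeError as exc:
        raise ValueError(f"annotation is not valid JSON: {exc}") from None
    if not isinstance(entries, list):
        raise ValueError("annotation must be a JSON list of objects")
    fields = {}
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict) or set(entry) != {"name", "value"}:
            raise ValueError(f"entry {i} must be an object with exactly the keys 'name' and 'value'")
        if not isinstance(entry["name"], str) or not isinstance(entry["value"], str) or not entry["name"]:
            raise ValueError(f"entry {i}: 'name' must be a non-empty string and 'value' a string")
        if entry["name"] in fields:
            raise ValueError(f"duplicate custom field {entry['name']!r}")
        fields[entry["name"]] = entry["value"]
    return fields


def fields_from_patch(patch_json):
    """Round-trip helper: extract the custom fields from a merge patch produced by merge_patch()."""
    body = json.loads(patch_json)
    return parse_custom_fields(body["metadata"]["annotations"][CUSTOM_FIELDS_ANNOTATION])


if __name__ == "__main__":
    # The page's own example: field NBKID with value ADFS:1234554321 on issuer tpp-issuer-e2e-lbd60c.
    print(patch_command("tpp-issuer-e2e-lbd60c", {"NBKID": "ADFS:1234554321"}))
```

Running the script prints a command equivalent to the one above; because the patch is a merge patch, it replaces the whole custom-fields annotation, so pass every field the issuer needs in one call rather than patching fields one at a time.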