Enrolling a Certificate for a Policy Central Cluster Policy

To enroll a certificate for a policy central cluster policy:

Go to menu > KUBE+ > Cluster Security > Secure Apps.
Click .

On the Enroll Certificate page, enter/select the field information in the General Information section for Cert resource to be created on Kubernetes cluster.

Table 1. General Information Section - Field and Description Table
Field	Description
Enroll Cert To *	Select the endpoint where the cert is to be deployed. The options are: Secret: KUBE+ enrolls certificate and stores signed certificate and key in k8s secret. POD : KUBE+ has a CSI provider which provisions certificates in the pods local volume. Route: KUBE+ enrolls certificate and stores signed certificate and key in OpenShift route. Additionally, the ConfigMap objects are discovered.
Format *	Note: This field is displayed only if you select the Enroll Cert To option as Pod. The certificate file format that should be downloaded to the pod. The supported formats include PEM, PFX, P12, and JKS.
Encoding *	Note: This field is displayed only if you select the Enroll Cert To option as Pod. The encoding type of the file content. Supported types include utf-8, hex, and base64.
Is CA Required *	Note: This field is displayed only if you select the Enroll Cert To option as Pod. Download the trust store for the enrolled certificate. Set to False will result in the download only leaf certificates.
File Name	Note: This field is displayed only if you select the Enroll Cert To option as Pod. The name of the certificate file to be created in the pod.
Cluster *	Select a cluster where the certificate to be deployed from the dropdown list.
Cluster Policy *	Select a policy central cluster policy from the drop-down list.
Policy Type *	The policy type is displayed as Policy Central for the selected cluster policy.
Policy Scope *	The scope of the policy is dispayed.
Assign Group *	Select a group from the drop-down list. This Note: This list displays groups based on the group selected for the CA policy.
Namespaces *	Enter the namespaces.
Cluster Policy Template *	Select a Certificate Authority (CA) template for the cluster policy.
Certificate Authority *	The CA is displayed based on the selected Cluster Policy Template.
Certificate Category *	The type of certificate. The options include 'Client' and 'Server'.
Certificate Name *	Enter a Certificate Name for certificate storage within the K8s cluster.
Secret Name *	Enter a Secret Name for certificate storage within the K8s cluster.
Enable Auto Renewal *	Select a auto renewal option. The options are: False (default) - Certificates will not be automatically renewed prior to their expiration. True - Certificates can be automatically renewed before they expire.
CSR Validity *	The validity for the CSR in the cluster, if not approved. The default is 24h.
Overwrite valid certificates *	Options : False/True If this option is set to true, any update to the fields under `spec` in the certificate will trigger re-enrollment.
Advanced Certificate Options *	Note: This field is displayed only if you select the Enroll Cert To option as Secret. Select one of the following options: False - Default. This option does not allow you to apply advanced certificate options. True - This option allows advanced certificate customization options.
Certificate Deployment Mode	Note: This field is displayed only if you select the Advanced Certificate Options option as True. Standard [i.e : certificates downloaded and deployed in tls.crt, tls.key, ca.crt] Certificate Chain [i.e : The server certificate (issued to the domain) is combined with the intermediate certificate(s) provided by the Certificate Authority (CA) but the root is not included] CA Bundle : [i.e : Concatenation of the server certificate, intermediate certificate(s), and root certificate in a single PEM-encoded file]
Secret Delete *	Note: This field is displayed only if you select the Advanced Certificate Options option as True. Options : No/Yes If this option is set to Yes, the associated secret will be deleted after the certificate is removed.
Custom Secret	Options : Yes/No Certificate Enrolment in secret with custom keys for certificate, private key and ca certificates. Provide the keys to be used in each field. Key Name for Server certificate: <customname> Key Name for Private Key: <customname> Key Name for Server certificate: <customname>
Deploy Trust Store	Note: This field is displayed only if you select the Enroll Cert To option as Route. Options : Yes/No Download the trust store for the enrolled certificate. Set to No will result in the download only leaf certificates.

Enter/select field information in the CSR Parameter section.

Table 2. CSR Parameter Section - Field and Description Table
Field	Description
CSR Generation Source *	The default CSR generation endpoint option is K8's Secret. In the scenario where private keys need to be generated in AppViewX, users can choose the CSR endpoint as 'AppViewX'.
Common Name *	Enter the common name of the cert.
Subject Alternative Name	Select a Subject Alternative Name from the dropdown list. The options are: DNS - DNS of the cert IP Address - IP Address of the cer
Organization	Enter the organization of the cert.
Organization Unit	Enter the organization unit of the cert.
Locality	Enter the locality of the cert.
Street Address	Enter the street of the cert.
State	Enter the state or province of the cert.
Country	Enter the country of the cert.
Postal Code	Enter the postal code of the cert.
mail Address	Enter the email address of the cert.
-Mandatory*

Enter/select the field information in the Private Key Parameters section.

Table 3. Private Key Parameters Section - Field and Description Table
Field	Description
Key Type *	Select a key type of the cert from the dropdown list. The options are: RSA EC
Bit Length *	Select the bit length from the dropdown list. CSR param bit lengths for RSA are 2048/4096/3072. CSR param bit lengths for EC are 256/384/521.
Hash Function *	Select a hash function from the drop-down list.
-Mandatory*

Click Generate Cert YAML to get the certificate for enrollment in the Certificate YAML field.
Note:
- To download the enrolled CERT configuration as a YAML file, click
- To see the commands in the full screen view, click the .
- To copy the command, click .
Use Annotation as follows:
1. When you select Enroll Cert To as Route, an option to Generate Route Annotation will display. Click Generate Route Annotation to generate the annotation with the certificate name provided.
  The sample annotation will look something like this:
```
annotations:
 	 appviewx.com-cert-orchestrator/cert-name: co-hello-openshift.apps-crc.testing
```
  Note: The cert-orchestrator will monitor the Route objects in the OpenShift cluster. If a route contains an annotation with the key appviewx.com-cert-orchestrator/cert-name, the value of this annotation will be used to identify the source certificate provider.
2. Copy the annotation and include it in your OpenShift route configuration.
  Sample route configuration:
```
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: co-hello-openshift-edge
  namespace: test
  uid: 3a00d4ef-cb3d-4b51-9c9a-7046d462b451
  resourceVersion: '1138573'
  creationTimestamp: '2024-10-04T08:52:45Z'
  annotations:
    appviewx.com-cert-orchestrator/cert-name: co-hello-openshift.apps-crc.testing
spec:
  host: co-hello-openshift.apps-crc.testing
  subdomain: hello-openshift
  to:
    kind: Service
    name: hello-openshift
    weight: 100
  port:
    targetPort: 8080
  tls:
    termination: edge
  wildcardPolicy: None
```
  Note: Make sure to update the values (such as certificate name and host) to match your environment before applying this configuration.
Click Add to add the certificate to the Enroll Certificate inventory list.

When you select Enroll Cert To as Pod option, then do the following steps to enroll a certificate to a pod:

Apply the generated SecretProviderClass YAML to the cluster.

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
    name: demo-cluster-pod-cert
    namespace: default
spec:
    parameters:
        isCARequired: 'True'
        objectEncoding: 'utf-8'
        objectFormat: 'pem'
        objects: |
          - additionalCSRParameters:
                certificateCategories:
                - 'Server'
                hashFunction: 'SHA256'
            caSettingRef:
                group: 'Default'
                kind: 'CASettingCluster'
                name: 'karthik-ui-casc-default'
            commonName: 'demo.cluster.com'
            isCA: false
            isDisableReCreate: true
            isDisableRenewal: true
            isOverwriteValidCertificate: false
            isPrivateKeyGenerationAtRemote: true
            issueWaitPeriod: '24h'
            privateKey:
                algorithm: 'RSA'
                rotationPolicy: never
                size: 2048
            secretName: 'demo-cluster-pod-secret'
    provider: appviewx

Once the cluster status is changed to Deployed and Success, use the generated SecretProviderClass in the application pod YAML.

kind: Pod
apiVersion: v1
metadata:
  name: webapp-demo-cluster
spec:
  containers:
  - image: jweissig/app:0.0.1
    name: webapp
    volumeMounts:
    - name: secrets-store-inline
      #mountPath: "/mnt/secrets-store" #Path to mount the certificate data
      mountPath: "/etc/ssl/"           #Path to mount the certificate data
      readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "demo-cluster-pod-cert" #name of the secretprovider

Upon pod creation, the certificate will be mounted at the specified path.
If you want a certificate and key combined together, configure the following in the cert.yaml file:
```
additionalOutputFormat:
 - KeyWithCertPEM
```
This will add additional field named "tls.keyWithCert.pem", which will contain both the private key and the certificate.