https://github.com/keyfactor/gcp-loadbalancer-windowsorchestrator
The GCP Load Balancer Orchestrator allows for the management of Google Cloud Platform Load Balancer certificate stores. The orchestrator uses the Google Cloud Compute Engine API to manage stores.
- Host: GitHub
- URL: https://github.com/keyfactor/gcp-loadbalancer-windowsorchestrator
- Owner: Keyfactor
- License: apache-2.0
- Created: 2021-04-21T20:30:41.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2022-11-18T15:57:09.000Z (over 2 years ago)
- Last Synced: 2025-02-09T21:19:06.741Z (4 months ago)
- Topics: keyfactor-orchestrator
- Language: C#
- Size: 72.3 KB
- Stars: 0
- Watchers: 4
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README
# GCP Load Balancer
The GCP Load Balancer Orchestrator allows for the management of Google Cloud Platform Load Balancer certificate stores. Inventory, Management-Add, and Management-Remove functions are supported. Also, re-binding to endpoints IS supported for certificate renewals (but NOT adding new certificates). The orchestrator uses the Google Cloud Compute Engine API to manage stores.
#### Integration status: Production - Ready for use in production environments.
## About the Keyfactor Windows Orchestrator AnyAgent
This repository contains a Windows Orchestrator AnyAgent, which is a plugin to the Keyfactor Windows Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
The Windows Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing AnyAgents, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific AnyAgent, see below in this readme.
Note that in Keyfactor Version 9, the Windows Orchestrator has been replaced by the Universal Orchestrator. While this AnyAgent continues to work with the Windows Orchestrator, and the Windows Orchestrator is supported alongside the Universal Orchestrator talking to Keyfactor version 9, AnyAgent plugins cannot be used with the Universal Orchestrator.
## Support for GCP Load Balancer
GCP Load Balancer is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative.
###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
___
# Introduction
- The GCP Load Balancer Orchestrator allows for the management of Google Cloud Platform Load Balancer certificate stores. Inventory, Management-Add, and Management-Remove functions are supported. Also, re-binding to endpoints IS supported for certificate renewals (but NOT adding new certificates). The orchestrator uses the Google Cloud Compute Engine API to manage stores.
# Setting up GCP Cert Store Type
The certificate store type set up for the GCP Load Balancer Orchestrator should have the following options set:

**Name:** A descriptive name for the certificate store type
**Short Name:** Must be **GCP**
**Needs Server:** Unchecked
**Blueprint Allowed:** Unchecked
**Requires Store Password:** Unchecked
**Supports Entry Password:** Unchecked
**Supports Custom Alias:** Optional (If unselected, a random alias will be generated by the GCP LB Orchestrator)
**Uses PowerShell:** Unchecked
**Store Path Type:** FreeForm
**Private Keys:** Required (Adding a certificate to a GCP Load Balancer certificate store without the private key is not a valid use case)
**PFX Password Style:** Default
**Job Types:** Check Inventory, Add, and Remove. Leave Create, Discovery, and Reenrollment unchecked
**Parameters:** Add 1 custom parameter if authenticating to the GCP API library by passing the GCP service account key from Keyfactor Command (see Authentication):
- Name: Must be **jsonKey**
- Display Name: Desired custom display name
- Type: Secret
- Change Default Value: Unchecked
- Default Value: Leave blank
# Setting up GCP Cert Store
When creating a GCP certificate store in Keyfactor, the various options should be set up as follows:

**Category:** Must be GCP
**Container:** Optional container name if using this feature. Please consult the Keyfactor Command Reference Guide for more information on this feature.
**Client Machine:** The name or IP address of the Orchestrator server that will be handling GCP jobs.
**Store Path:** This should be your Google Cloud project ID. This will work against GCP Global resources. Optionally, you can append "/" followed by the region you wish to process against. Please refer to the following page for a list of valid region codes (GCP code column): https://gist.github.com/rpkim/084046e02fd8c452ba6ddef3a61d5d59.
**Service Account Key:** If you will be authenticating via passing credentials from Keyfactor Command, you must add this value as follows:
- No Service Account Key: Unchecked
- Secret Source: "Keyfactor Secrets" if you wish to store the GCP service account key in the Keyfactor secrets engine or "Load From PAM Provider" if you have set up a PAM provider integration within Keyfactor Command and wish to store this value there.
- Enter and Confirm Service Account Key: The JSON-based service account key you acquired from GCP (See Authentication).

**Inventory Schedule:** Set whether to schedule Inventory jobs for this certificate store, and if so, the frequency here.
# Authentication
A service account is necessary for authentication to GCP. The following are the required permissions:
- compute.sslCertificates.create
- compute.sslCertificates.delete
- compute.sslCertificates.list

The agent supports having credentials provided by the environment, by an environment variable, or passed manually from Keyfactor Command.
You can read more about the first two options [here](https://cloud.google.com/docs/authentication/production#automatically).

To pass credentials from Keyfactor Command, you first need to create a service account and then download a service account key.
Instructions are [here](https://cloud.google.com/docs/authentication/production#manually).
Remember to assign the appropriate role/permissions for the service account.
Afterwards, inside Keyfactor Command, copy and paste the contents of the service account key into the password field for the GCP Certificate Store Type.
# Supported Functionality
- Inventory
- Management-Add (including re-binding of existing bindings for certificate renewals, no binding functionality available for new certificate adds)
- Management-Remove
# Not Implemented/Supported
- Discovery
- Management-Create
- Reenrollment

***
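For the Store Path and Authentication settings described above, a pre-flight check can be run before pasting the key into Keyfactor Command. This is an added example, not code from the Keyfactor project: it validates the Store Path format, the basic fields of the service account key, and whether a role's permission list matches exactly the three permissions listed under Authentication. The function names, the region pattern, and the sample key are assumptions made for illustration.

```python
import json
import re

# The three permissions the README lists as required for the service account.
REQUIRED = {"compute.sslCertificates.create",
            "compute.sslCertificates.delete",
            "compute.sslCertificates.list"}
# GCP project IDs: 6-30 chars, lowercase letters, digits, hyphens; letter first.
PROJECT_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
# Assumed shape of a region code such as us-central1 (not taken from the README).
REGION_RE = re.compile(r"^[a-z]+-[a-z]+[0-9]+$")

def parse_store_path(store_path):
    """Split 'project-id' or 'project-id/region' into (project, region or None)."""
    project, sep, region = store_path.strip().partition("/")
    if not PROJECT_RE.match(project):
        raise ValueError(f"invalid project ID: {project!r}")
    if sep and not REGION_RE.match(region):
        raise ValueError(f"invalid region: {region!r}")
    return project, (region or None)

def preflight(json_key_text, store_path, role_permissions):
    """Return findings (never key material); an empty list means nothing to fix."""
    project, _ = parse_store_path(store_path)
    try:
        key = json.loads(json_key_text)
    except json.JSONDecodeError:
        return ["jsonKey is not valid JSON"]
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return ["jsonKey is not a service account key"]
    findings = [f"jsonKey lacks {f}" for f in ("client_email", "private_key")
                if not key.get(f)]
    if key.get("project_id") != project:
        findings.append("key project_id differs from Store Path project; "
                        "confirm the cross-project grant is intended")
    granted = set(role_permissions)
    findings += [f"missing permission {p}" for p in sorted(REQUIRED - granted)]
    findings += [f"excess permission {p}" for p in sorted(granted - REQUIRED)]
    return findings

# Constructed sample key: placeholder values only, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "demo-project-123",
    "private_key": "CONSTRUCTED-PLACEHOLDER",
    "client_email": "orchestrator@demo-project-123.iam.gserviceaccount.com"})

if __name__ == "__main__":
    role = REQUIRED | {"compute.instances.delete"}  # constructed over-broad role
    for finding in preflight(SAMPLE_KEY, "demo-project-123/us-central1", role):
        print(finding)
```

An excess-permission finding means the role grants more than the orchestrator needs and should be trimmed before the key is stored.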
### License
[Apache](https://apache.org/licenses/LICENSE-2.0)