
Commit 1487f36

disable the config.server field when using --venafi-connection
For context, EU customers need to change the URL of the VCP API to point to https://api.venafi.eu. To do that, and imagining that they are using the VenafiConnection authentication, they may try to use the `spec.vcp.url` field on their VenafiConnection resource and find that this field doesn’t do anything because the Helm chart's `config.server` is set to https://api.venafi.cloud by default. Another possible scenario is that EU customers may end up with a VenafiConnection configured with the `spec.vcp.url` field set to `https://api.venafi.eu`. This VenafiConnection will have been already working well with venafi-enhanced-issuer and approver-policy-enterprise. Once they try to switch the Agent to the VenafiConnection auth method, they will see that it doesn’t work because the Agent picks up the default value in the Agent’s helm chart, i.e.,

```
config:
  server: https://api.venafi.cloud
```
1 parent 6eb33e4 commit 1487f36


2 files changed: +10 -5 lines changed


deploy/charts/venafi-kubernetes-agent/README.md

Lines changed: 2 additions & 2 deletions
@@ -26,13 +26,13 @@ If you do not have one, you can sign up for a free trial now at:
2626
| authentication.venafiConnection.namespace | string | `"venafi"` | The namespace of a VenafiConnection resource which contains the configuration for authenticating to Venafi. |
2727
| command | list | `[]` | Specify the command to run overriding default binary. |
2828
| config | object | `{"clientId":"","clusterDescription":"","clusterName":"","configmap":{"key":null,"name":null},"ignoredSecretTypes":["kubernetes.io/service-account-token","kubernetes.io/dockercfg","kubernetes.io/dockerconfigjson","kubernetes.io/basic-auth","kubernetes.io/ssh-auth","bootstrap.kubernetes.io/token","helm.sh/release.v1"],"period":"0h1m0s","server":"https://api.venafi.cloud/"}` | Configuration section for the Venafi Kubernetes Agent itself |
29-
| config.clientId | string | `""` | The client-id returned from the Venafi Control Plane |
29+
| config.clientId | string | `""` | The client-id to be used for authenticating with the Venafi Control Plane. Only useful when using a Key Pair Service Account in the Venafi Control Plane. You can obtain the cliend ID by creating a Key Pair Service Account in the Venafi Control Plane. |
3030
| config.clusterDescription | string | `""` | Description for the cluster resource if it needs to be created in Venafi Control Plane |
3131
| config.clusterName | string | `""` | Name for the cluster resource if it needs to be created in Venafi Control Plane |
3232
| config.configmap | object | `{"key":null,"name":null}` | Specify ConfigMap details to load config from an existing resource. This should be blank by default unless you have you own config. |
3333
| config.ignoredSecretTypes | list | `["kubernetes.io/service-account-token","kubernetes.io/dockercfg","kubernetes.io/dockerconfigjson","kubernetes.io/basic-auth","kubernetes.io/ssh-auth","bootstrap.kubernetes.io/token","helm.sh/release.v1"]` | Reduce the memory usage of the agent and reduce the load on the Kubernetes API server by omitting various common Secret types when listing Secrets. These Secret types will be added to a "type!=<type>" field selector in the agent config. * https://docs.venafi.cloud/vaas/k8s-components/t-cfg-tlspk-agent/#configuration * https://kubernetes.io/docs/concepts/configuration/secret/#secret-types * https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/#list-of-supported-fields |
3434
| config.period | string | `"0h1m0s"` | Send data back to the platform every minute unless changed |
35-
| config.server | string | `"https://api.venafi.cloud/"` | Overrides the server if using a proxy in your environment For the EU variant use: https://api.venafi.eu/ |
35+
| config.server | string | `"https://api.venafi.cloud/"` | API URL of the Venafi Control Plane API. For EU tenants, set this value to https://api.venafi.eu/. If you are using the VenafiConnection authentication method, you must set the API URL using the field `spec.vcp.url` on the VenafiConnection resource instead. |
3636
| crds.forceRemoveValidationAnnotations | bool | `false` | The 'x-kubernetes-validations' annotation is not supported in Kubernetes 1.22 and below. This annotation is used by CEL, which is a feature introduced in Kubernetes 1.25 that improves how validation is performed. This option allows to force the 'x-kubernetes-validations' annotation to be excluded, even on Kubernetes 1.25+ clusters. |
3737
| crds.venafiConnection | object | `{"include":false}` | Optionally include the VenafiConnection CRDs |
3838
| crds.venafiConnection.include | bool | `false` | When set to false, the rendered output does not contain the VenafiConnection CRDs and RBAC. This is useful for when the Venafi Connection resources are already installed separately. |
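Review bot: the new `config.clientId` description on the `29+` line has a typo, "cliend ID" should read "client ID"; this README text mirrors the `# --` comments in values.yaml (the same typo appears in that hunk), so fix it at the source and regenerate the README rather than editing only here, otherwise the next regeneration will reintroduce it. Also, the `config` object summary on the unchanged `28` line still shows `"server":"https://api.venafi.cloud/"` as the default, which is consistent with the values.yaml hunk but worth noting against the commit title, which claims the field is disabled under `--venafi-connection`.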

deploy/charts/venafi-kubernetes-agent/values.yaml

Lines changed: 8 additions & 3 deletions
@@ -191,10 +191,15 @@ authentication:
191191

192192
# -- Configuration section for the Venafi Kubernetes Agent itself
193193
config:
194-
# -- Overrides the server if using a proxy in your environment
195-
# For the EU variant use: https://api.venafi.eu/
194+
# -- API URL of the Venafi Control Plane API. For EU tenants, set this value to
195+
# https://api.venafi.eu/. If you are using the VenafiConnection authentication
196+
# method, you must set the API URL using the field `spec.vcp.url` on the
197+
# VenafiConnection resource instead.
196198
server: "https://api.venafi.cloud/"
197-
# -- The client-id returned from the Venafi Control Plane
199+
# -- The client-id to be used for authenticating with the Venafi Control
200+
# Plane. Only useful when using a Key Pair Service Account in the Venafi
201+
# Control Plane. You can obtain the cliend ID by creating a Key Pair Service
202+
# Account in the Venafi Control Plane.
198203
clientId: ""
199204
# -- Send data back to the platform every minute unless changed
200205
period: "0h1m0s"
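Review bot: the commit title says `config.server` is disabled when using `--venafi-connection`, but this hunk only rewords the comment; the default `server: "https://api.venafi.cloud/"` on the unchanged `196`/`198` line is still rendered as before, so the failure described in the commit message (the Agent picking up the chart default instead of `spec.vcp.url`) is not changed by this diff on its own. Either make the template omit `server` when `authentication.venafiConnection` is enabled, or reference the change that does so and retitle this commit as a documentation update. Separately, the `201+` line has the "cliend ID" typo; it should read "client ID".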
