====== Automation ======
**Priority 1** - Reduces manual work and errors \\
**Target audience:** DevOps, Platform Teams
Guides for automating certificate operations in a PQ-enabled PKI.
----
===== Overview =====
<code mermaid>
flowchart TB
    subgraph TRIGGER["TRIGGER"]
        T1[Scheduled]
        T2[Event-based]
        T3[API Request]
    end
    subgraph PROCESS["AUTOMATION"]
        P1[ACME Client]
        P2[CI/CD Pipeline]
        P3[Cert-Manager]
        P4[Scheduled Job]
    end
    subgraph OUTPUT["RESULT"]
        O1[Certificate deployed]
        O2[Secrets rotated]
        O3[CRL updated]
    end
    T1 --> P4 --> O2
    T2 --> P3 --> O1
    T3 --> P1 --> O1
    T3 --> P2 --> O1
    style P1 fill:#fff3e0
    style P2 fill:#e8f5e9
    style P3 fill:#e3f2fd
</code>
----
===== Scenarios =====
^ Scenario ^ Description ^ Complexity ^ Use Case ^
| [[.:acme-integration|ACME Integration]] | Let's Encrypt / ACME protocol with PQ | Medium | Web servers, APIs |
| [[.:cicd-code-signing|CI/CD Code Signing]] | Automatic signing in pipelines | High | Software releases |
| [[.:cert-manager-k8s|Kubernetes Cert-Manager]] | Automate certificates in Kubernetes | High | Cloud-native apps |
| [[.:scheduled-renewal|Scheduled Renewal]] | Automatic certificate renewal | Low | All servers |
----
===== Decision Tree =====
<code mermaid>
flowchart TD
    A[New certificate needed] --> B{Environment?}
    B -->|Kubernetes| C[Cert-Manager]
    B -->|Classic servers| D{Internet-facing?}
    B -->|CI/CD Pipeline| E[Pipeline Signing]
    D -->|Yes| F[ACME/Let's Encrypt]
    D -->|No| G[Scheduled Renewal]
    C --> H[cert-manager.io + Issuer]
    F --> I[Certbot + Hook]
    G --> J[Cron + Script]
    E --> K[Sigstore/HSM]
    style C fill:#e3f2fd
    style F fill:#e8f5e9
    style G fill:#fff3e0
    style E fill:#fce4ec
</code>
----
===== Prerequisites =====
^ Component ^ Version ^ Purpose ^
| OpenSSL | 3.6+ | PQ algorithms |
| Certbot | 2.0+ | ACME client |
| cert-manager | 1.12+ | Kubernetes |
| HashiCorp Vault | 1.15+ | Secrets management |
----
===== Quick Start =====
**1. Simplest Automation (Cron + Script):**
<code bash>
#!/bin/bash
# /etc/cron.weekly/cert-renew
# The shebang must be the first line; the file must be executable (chmod 755)
# and its name must not contain a dot, otherwise run-parts ignores it.
/usr/local/bin/renew-certificates.sh >> /var/log/cert-renew.log 2>&1
</code>
-> Details: [[.:scheduled-renewal|Scheduled Renewal]]
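A working ''renew-certificates.sh'' for the cron job above, added here as an example (not the wiki's own script): it reads an inventory of certificates, asks OpenSSL whether each one expires inside its renewal window, and runs the configured renewal command for those that do. The inventory path, its line format and the ''CERT_INVENTORY'' variable are assumptions of this example.

```bash
#!/bin/bash
# renew-certificates.sh: checks an inventory of certificates and renews those
# inside their renewal window. Inventory format (an assumption of this example):
#   <cert-path> <threshold-days> <renewal command ...>
# Lines starting with # and blank lines are ignored.
set -u

INVENTORY="${CERT_INVENTORY:-/etc/cert-renew/inventory.txt}"   # assumed path

log() { echo "$(date '+%F %T') $*"; }

# Exit 0 when the certificate in $1 expires within $2 days, or cannot be read.
# "openssl x509 -checkend N" exits 0 while the cert is still valid N seconds
# from now, so its result is inverted. An unreadable file counts as due, so a
# missing certificate shows up in the renewal log instead of being skipped.
expires_within() {
  [ -r "$1" ] || return 0
  ! openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Policy for one inventory entry: prints RENEW, SKIP or ERROR (no side effects).
process_line() {
  local cert="$1" threshold="$2"
  case "$threshold" in
    ''|*[!0-9]*) echo "ERROR invalid threshold '$threshold' for $cert"; return 2 ;;
  esac
  if expires_within "$cert" "$threshold"; then echo RENEW; else echo SKIP; fi
}

# Walk the inventory file in $1, run the renewal command for every entry that
# is due, and return the number of renewal commands that failed.
run_inventory() {
  local cert threshold cmd verdict failures=0
  while read -r cert threshold cmd; do
    case "$cert" in ''|\#*) continue ;; esac
    verdict=$(process_line "$cert" "$threshold")
    log "$cert: $verdict"
    [ "$verdict" = RENEW ] || continue
    if sh -c "$cmd"; then
      log "$cert: renewal command succeeded"
    else
      log "$cert: renewal command FAILED (exit $?)"; failures=$((failures + 1))
    fi
  done < "$1"
  return "$failures"
}

if [ -r "$INVENTORY" ]; then
  run_inventory "$INVENTORY"
else
  log "no inventory at $INVENTORY, nothing to do"
fi
```

The renewal command column is what ties this to the PQ PKI: for an ACME host it would be the certbot call from step 2, for an internal CA the request against your issuer. Because the cron job appends stdout and stderr to the log, every RENEW/SKIP verdict and every failed command is visible there.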
**2. ACME for public web servers:**
<code bash>
# Certbot with DNS challenge
certbot certonly --dns-cloudflare -d example.com --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
</code>
-> Details: [[.:acme-integration|ACME Integration]]
**3. Kubernetes Cert-Manager:**
<code yaml>
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-app-tls
spec:
  secretName: my-app-tls
  issuerRef:
    name: pq-issuer
    kind: ClusterIssuer
  dnsNames:
    - app.example.com
</code>
-> Details: [[.:cert-manager-k8s|Cert-Manager]]
----
===== Related Documentation =====
* [[..:tagesgeschaeft:start|Daily Operations]] - Manual operations
* [[..:monitoring:start|Monitoring]] - Automation monitoring
* [[en:int:pqcrypt:developer:integration|Integration]] - API integration
----
<< [[..:start|<- Operator Scenarios]] | [[.:acme-integration|-> ACME Integration]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>operator automation acme cicd cert-manager}}