Skip to content

Configure PagerDuty notifications

Staying aware of expiring certificates and unhealthy certificate issuers is critical to protect machine identities and reduce the likelihood of certificate-related outages. You can automatically send such notifications to PagerDuty, an incident management platform that helps teams detect, triage, and resolve issues in real time.

This page walks you through the steps to integrate Venafi Control Plane with PagerDuty as a notification provider and then set up notifications using the CyberArk APIs.

Configuring PagerDuty in the user interface

You can also configure PagerDuty in Venafi Control Plane. To learn more, see Configure PagerDuty as a notification provider.

Before you begin

Ensure that you have:

  • In Venafi Control Plane, to add notification providers, the System Administrator or PKI Administrator roles. Learn more
  • In PagerDuty, permissions to create services and integrations.
  • In PagerDuty, an escalation policy—which you'll use when creating a service, as described in the the PagerDuty documentation.

Step 1: Create a new service in PagerDuty

To receive notifications from Venafi Control Plane, you must configure a service in PagerDuty. Configuring a service provides an integration key that you supply when adding PagerDuty as a notification provider.

  1. On the PagerDuty dashboard, click Services > Service Directory > New Service.
  2. Name the service and assign an escalation policy to it.
  3. (Optional) Select the recommended alert grouping. Otherwise, every alert creates its own incident.
  4. Click Integrations > Events API v2.
  5. Click Create Service and copy the Integration Key to your clipboard.

Step 2: Add the PagerDuty integration with an API request

This step integrates Venafi Control Plane with PagerDuty. To set up the integration, use the integration key created in the previous step.

  1. Define the name and integrationKey variables (from the steps above). Obtain the tppl-api-key for your environment, then run the following query:

    curl --request POST \
      --url https://api.venafi.cloud/graphql \
      --header 'tppl-api-key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' \
      --header 'Content-Type: application/json' \
      --data-raw '{
        "query": "mutation createPagerDutyIntegration($name: String!, $integrationKey: String!) { createPagerDutyIntegration(input: {name: $name, pagerDutyParams: {IntegrationKey: $integrationKey}}) { id } }",
        "operationName": "createPagerDutyIntegration",
        "variables": {
          "name": "name",
          "integrationKey": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        }
      }'
    
  2. Copy the id from the response and store it as a variable in the GraphQL client called integrationId.

Step 3: Create the routing configuration

In this step, you'll define the rules that must be met for a notification to be sent and specify which integration should receive the notifications.

Routing configuration may use CEL expressions to refine event filtering. The sections below outline the available data for building CEL expressions and provide several examples to help you get started.

Best Practice

Use the CEL playground to validate your CEL expressions. Invalid CEL expressions won't trigger notifications.

To use the playground, copy the JSON from the Event details section below into the Input field. Then, copy your CEL expression into the CEL expression field.

Note: On the playground, rename type to _type in both the Input and the CEL expression for the validation to work.

Once you've completed the fields, click Run. Your expression must evaluate to true for notifications to be triggered.

Routing configuration API request

The following API request will be used for each routing configuration, regardless of the notification type. You'll replace the following parameters to specify the type of notification you want to receive and what channel you want the notification to be sent to:

  • name - The name you wish to give to your routing configuration.
  • eventTypeId - The event type identifier for the event. See Event notification types
  • advancedFilterExpression - The CEL expression that defines additional conditions that must be satisfied before a notification is sent. See cert-manager unhealthy issuer status for help with building your advanced CEL expression.
  • integrationID - The id of the integration that the notification should be sent to. The id was generated in the previous step.

API Request

curl --request POST \
  --url https://api.venafi.cloud/graphql \
  --header 'tppl-api-key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "query": "mutation CreateNotificationRouter($details: NotificationRouterConfigDetailsInput! $filterConfig: NotificationRouterFilterConfigInput! $integrationConfig: NotificationRouterIntegrationConfigurationInput!) { createNotificationRouter(details: $details filterConfig: $filterConfig integrationConfig: $integrationConfig) { id notificationRouterIntegrationConfig { notificationRouterIntegrationID notificationRouterTemplateID } notificationRouterFilterConfig { advancedFilterExpression } } }",
    "variables": {
      "details": {
        "name": "<your router config name>",
        "eventTypeId": "<event type id>"
      },
      "filterConfig": {
        "advancedFilterExpression": "<CEL-expression>"
      },
      "integrationConfig": {
        "integrationId": "<xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx>"
      }
    }
  }'

Note

This API request validates that the advancedFilterExpression compiles without errors. If it fails it returns an error and the notification router is not created. This validation also happens when updating the notification router.

Have a look at Event notification types for examples for more information on notification types and sample CEL expressions you can use when creating routing configurations.