This page (revision-26) was last changed on 23-Apr-2022 17:06 by Harry Metske

This page was created on 23-Apr-2022 17:05 by Harry Metske

Page revision history

|| Version || Date Modified || Size || Author
| 26 | 23-Apr-2022 17:06 | 30 KB | Harry Metske
| 25 | 23-Apr-2022 17:05 | 30 KB | Harry Metske
| 24 | 23-Apr-2022 17:05 | 30 KB | Harry Metske
| 23 | 23-Apr-2022 17:05 | 29 KB | Harry Metske
| 22 | 23-Apr-2022 17:05 | 29 KB | Harry Metske
| 21 | 23-Apr-2022 17:05 | 28 KB | Harry Metske

Version management

Difference between version and

At line 68 changed one line
curl -k --silent https://192.168.50.6:8844/info|jq '.["auth-server"].url' }}}
curl -k --silent https://192.168.50.6:8844/info|jq '.["auth-server"].url' -r
https://192.168.50.6:8443
}}}
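Review bot: both forms of the command at line 68 call curl with -k, so the auth-server URL that the later uaac steps depend on is read from an endpoint whose certificate was never verified. The credhub login example on this page already reads the CA for the same host with "bosh int creds.yml --path /credhub_tls/ca"; passing that to curl via --cacert instead of -k would keep the discovery step verified. Separately, the first form has the closing "}}}" on the same line as the command, which breaks the preformatted block.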
At line 73 changed one line
uaac token client get uaa_admin -s $(cat <(bosh int creds.yml --path /uaa_admin_client_secret))
uaac token client get uaa_admin -s l128pcpdag6olta4ec1x # get this password from creds.yml#uaa_admin_client_secret
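Review bot: the second form of the line at 73 puts the uaa_admin client secret on the page as a literal, while its own comment says the value comes from creds.yml#uaa_admin_client_secret. Keep the lookup in the command, "-s $(bosh int creds.yml --path /uaa_admin_client_secret)", so the documented step works for any deployment and no secret lands in the wiki or its revision history; the "cat <( ... )" wrapper in the first form is redundant and can go. A secret that has appeared in a page revision should be treated as disclosed and rotated.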
At line 99 added 2 lines
metskem@athena ~/workspace/boshlite/deployments/vbox
At line 101 removed 3 lines
%%collapsebox
__clients__
%%small
At line 163 removed 2 lines
%%
%%
At line 722 changed one line
metskem@athena-2 ~/workspace/boshlite/deployments/vbox uaac token client get credhub-admin -s $(bosh int creds.yml --path /credhub_admin_client_secret)
metskem@athena-2 ~/workspace/boshlite/deployments/vbox uaac token client get credhub-admin -s mtpsxo2s0igmjab6hntk
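Review bot: at line 722 the second form replaces "$(bosh int creds.yml --path /credhub_admin_client_secret)" with the literal credhub-admin client secret. This is the client the page goes on to use for "credhub login", so the literal gives any reader of the wiki the credential that reads the stored secrets. Keep the command-substitution form and rotate the value that was published.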
At line 729 changed one line
And we can use the credhub client to login:
And now we can use the credhub client to login??
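Review bot: the second form of the sentence at line 729 ends in "??", which reads as an unanswered question rather than a step. The same diff drops the login example at line 731, so the reader is left with neither the command nor a statement of whether login works. Either keep the plain sentence together with the example, or say explicitly what is still unresolved.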
At line 731 removed 7 lines
{{{
metskem@athena-2 ~/workspace/boshlite/deployments/vbox credhub login -s https://192.168.50.6:8844 --ca-cert <(bosh int creds.yml --path /credhub_tls/ca) --skip-tls-validation --client-name credhub-admin --client-secret $(bosh int creds.yml --path /credhub_admin_client_secret)
Warning: The targeted TLS certificate has not been verified for this connection.
Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.
Setting the target url: https://192.168.50.6:8844
Login Successful
}}}
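Review bot: the login command at line 731 passes both --ca-cert and --skip-tls-validation, and the captured output shows the result: "The targeted TLS certificate has not been verified for this connection." If this example stays on the page, drop --skip-tls-validation so the CA taken from creds.yml is what validates the server, which is also what the CLI's own deprecation warning asks for.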
At line 739 removed 104 lines
Then generate an ssh key in credhub:
{{{
metskem@athena-2 ~/workspace/boshlite/deployments/vbox credhub generate --type ssh --name /static/ssh_key
id: 7fb0017a-8b70-45a4-bfd5-8407d845ed73
name: /static/ssh_key
type: ssh
value: <redacted>
version_created_at: "2018-09-07T06:52:34Z"
}}}
And get it back from credhub by name :
{{{
metskem@athena-2 ~/workspace/boshlite/deployments/vbox credhub get -n /static/ssh_key
id: 7fb0017a-8b70-45a4-bfd5-8407d845ed73
name: /static/ssh_key
type: ssh
value:
private_key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAxROvOfTnMQvy+gw1L+pDQLwDsupBdiEBy6m6+3n8l/g7Lxpf
dB7j8P1B7usG/CL01hV2rFHtol6jDg0TCYnTPiHkQIYZlTL39l7uNePv373MRy9s
jtCtv/YWPofF4hf8yHn8xC7a2/oEMM44aSN/3gYKfJf4s9PpMbVUxMsi5oF+yKKO
br+/CSTiQcvndZkAfLl9sS4FcIrRjSHuNQJ81syT43p75RVUwzvl84zT/4McmcSj
5Z2r6G7z0x7t3P4mf4ttutf0ryCgYWsorvHyNrxKKJf07F0yaK+JkaNjKTn4Rtmo
vqAGbfJw771OZCQ8UNOmOoEPy+dk4/RzC3vR8QIDAQABAoIBAHDIGBJBzgCqhu2E
CPgXx08HidJc7wNsVju4MXJy2BQcEbqeDBxHBUlHlfDlfYTTeGv/sn9hD25JXGTR
JKDjyAkZmic21vMkTPUoVIhwnjjbxEjEogqE77oYWZiFWMBP2/DapsWaztLunHFV
wsCgeS+VI3E0AzbeQeiZjh5k5d8lIR7IkT18pCmQ7sssB6EWDeY0x4IUJObfrU/Y
5iULq7Hx4+pxfiDtUllIcX5AJD1JCtVHmX871ST6zE10n1KUi2lhe5WdBEdFn43m
3cDQJ5SaqouaTro7vEiGoH1mToPqnxqVlpYgNW3xHT+t5XcewvnTThSrro9gsBHG
wIf+KKUCgYEA6d0MumKQE5ZN3s3RoxUnJqRQ8fbGg5Hps0KrCQS90VlgJFCBjF9T
kpYxFCQ/alxRN0NG5ehGaI1FjGT7RfUkXaAtFL0VItJBGEnnQpJrYSzuEhrvkEUh
Y4A74NIgyH1yftSsMCKR61yVICnTowRhlasKUffdCGwjI2Rr62YBAHcCgYEA17s6
FwkDVr1SaDUSmG9lMjP25h9jDppcbDJMwMtDD47i/kxkK9M/IdI2nXqR5+B+vwlN
dVEhsSZRLr9WyEWjNLoRBpOP0Ya/FwiEI9+BBzbalhHJ0s95oeWuX80RSJb67UOY
DB27cuhPijMYuadHcgYaT4C/+oxPUF5LCNbYgtcCgYEApPM+NASrHLWqLRm84Ktd
1vqVAWWO9WQok0DVxGGsxQmmL1b9WRYvqzf2W/+JHysIOdNhIW5oovvp7zGWrexP
fx4oTfVkABCOy2PtEt6VkJARR4HqMTchar4a/eMYLnGVHXJCFR19EKZXpLz7woKn
ldpzSAdsxrEHQ8JkAEANOtcCgYEAzS5ppZcQ8eLHCg3QTeNFIGaEIYMgt7bgyJde
oM+yTI3eH3eQno4gsY46G7WEKEJAynmSjk5H+TE0bX3WkEyLWY7Ouq6GTwYVoVac
N3JQSghGBg2NI0/po63MF5n3Ik9XAWsUphFxQ2zomczXa1xKe4yKYatW7HmexhWo
0BNngakCgYEA5mGPSrAB7hHsP3IG2F+ui0zeC65AuR5XP22TugoclnaWbcTzz/bP
0H9AwASguCuOkn/aJIAKYC6BTA2WEOW59zJekO/LVPhHm3QRuaYOFO5IBXyoDmvO
265TIM/NZ+TbLV8QHR2CKR8u3RQZi/wZClybOavFoqIR5tSu1SqlpaA=
-----END RSA PRIVATE KEY-----
public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFE6859OcxC/L6DDUv6kNAvAOy6kF2IQHLqbr7efyX+DsvGl90HuPw/UHu6wb8IvTWFXasUe2iXqMODRMJidM+IeRAhhmVMvf2Xu414+/fvcxHL2yO0K2/9hY+h8XiF/zIefzELtrb+gQwzjhpI3/eBgp8l/iz0+kxtVTEyyLmgX7Ioo5uv78JJOJBy+d1mQB8uX2xLgVwitGNIe41AnzWzJPjenvlFVTDO+XzjNP/gxyZxKPlnavobvPTHu3c/iZ/i2261/SvIKBhayiu8fI2vEool/TsXTJor4mRo2MpOfhG2ai+oAZt8nDvvU5kJDxQ06Y6gQ/L52Tj9HMLe9Hx
public_key_fingerprint: kodcZ/qmGimxhY9FXbOmxnPzwr2Qf0WWLWqdd0q9lyY
version_created_at: "2018-09-07T06:52:34Z"
}}}
! Finding creds
Simply use the __credhub find__ with no arguments:
{{{
metskem@athena-2 ~/workspace/boshlite/deployments/vbox credhub find
credentials:
- name: /yy/sample-rsa
version_created_at: "2018-09-21T12:35:39Z"
- name: /xx/sample-rsa
version_created_at: "2018-09-21T12:35:34Z"
- name: /static/sample-rsa
version_created_at: "2018-09-21T12:25:52Z"
- name: /static/ssh_key
version_created_at: "2018-09-21T12:23:52Z"
}}}
! Exporting (backup) creds
Simply use the __credhub export__ command.
! Importing (restore) creds
Simply use the __credhub import__ command.\\
It does however complain about ssh-type entries:
{{{
Credential '/static/ssh_key' at index 8 could not be set: The request includes an unrecognized parameter 'public_key_fingerprint'. Please update or remove this parameter and retry your request.
}}}
! Test deploy and see if it works
We took the [gogs boshrelease|https://github.com/cloudfoundry-community/gogs-boshrelease] as a test case.
We uploaded the required stemcell and deployed with __bosh -n deploy -d gogs ~/workspace/gogs-boshrelease/manifests/gogs.yml__, this gogs.yml file has several secrets in it.\\
After deploying it simply works, and with the __credhub find__ command, you see that several entries were created:
{{{
metskem@athena-2 ~/workspace/boshlite/deployments/vbox/gogs: credhub find
credentials:
- name: /static/ssh_key
version_created_at: "2018-09-22T13:59:45Z"
- name: /static/sample-rsa
version_created_at: "2018-09-22T13:59:45Z"
- name: /xx/sample-rsa
version_created_at: "2018-09-22T13:59:45Z"
- name: /yy/sample-rsa
version_created_at: "2018-09-22T13:59:45Z"
- name: /Bosh_Lite_Director/gogs/postgres-password
version_created_at: "2018-09-22T13:59:45Z"
- name: /Bosh_Lite_Director/gogs/gogs-secret-key
version_created_at: "2018-09-22T13:59:45Z"
- name: /Bosh_Lite_Director/gogs/gogs-password
version_created_at: "2018-09-22T13:59:45Z"
- name: /Bosh_Lite_Director/gogs/gogs-ca
version_created_at: "2018-09-22T13:59:45Z"
- name: /Bosh_Lite_Director/gogs/gogs-tls
version_created_at: "2018-09-22T13:59:45Z"
}}}