!!! credhub

[{TableOfContents}]

What runs on the director (PCF 1.11) is shown in the CredHub on PCF section below.

!! Resources

* [credhub|https://github.com/cloudfoundry-incubator/credhub]
* [credhub bosh release|https://github.com/pivotal-cf/credhub-release]
* [credhub bosh release docs|https://github.com/pivotal-cf/credhub-release/tree/master/docs]
* [credhub api and cli ref|https://credhub-api.cfapps.io]
* [cf-uaac|https://github.com/cloudfoundry/cf-uaac]
* [pcf 1.12 and credhub|https://docs.pivotal.io/tiledev/1-12/credhub.html]
* [Setting Up and Deploying CredHub with BOSH|https://docs.cloudfoundry.org/credhub/setup-credhub-bosh.html]
* [Using CredHub to Increase the Security of Your Platform - Dan Jahner, Pivotal|https://youtu.be/UHqKLEEZH3s]
* [YouTube "CredHub and Secure Credential Management - Peter Blum, Scott Frederick"|https://youtu.be/gQnM_PIMuE8]

!! Setting up your local BOSH environment

First create your local BOSH director:
{{{
bosh create-env ~/workspace/bosh-deployment/bosh.yml  \
 --state ./state.json \
 -o ~/workspace/bosh-deployment/virtualbox/cpi.yml \
 -o outbound-network.yml \
 -o ~/workspace/bosh-deployment/bosh-lite.yml \
 -o ~/workspace/bosh-deployment/bosh-lite-runc.yml \
 -o ~/workspace/bosh-deployment/jumpbox-user.yml \
 -o ~/workspace/bosh-deployment/uaa.yml \
 -o ~/workspace/bosh-deployment/credhub.yml \
 --vars-store ./creds.yml \
 -v director_name="Bosh Lite Director"  \
 -v internal_ip=192.168.50.6 \
 -v internal_gw=192.168.50.1 \
 -v internal_cidr=192.168.50.0/24 \
 -v outbound_network_name=NatNetwork
 
bosh alias-env vbox -e 192.168.50.6 --ca-cert <(bosh int ./creds.yml --path /director_ssl/ca)
 
export BOSH_ENVIRONMENT=vbox
export BOSH_CLIENT=admin
export BOSH_CLIENT_SECRET=`bosh int ./creds.yml --path /admin_password`

echo "updating cloud config..."
bosh -n update-cloud-config ~/workspace/bosh-deployment/warden/cloud-config.yml
}}}

Mind the uaa.yml and credhub.yml ops files: those are what add UAA and CredHub to the director.\\
When the deployment finishes you will have a creds.yml file that has all k

When you have this up and running, credhub should be listening on port 8844 and using the local UAA (port 8443) as its authenticator.

! Login to credhub
First you need the credhub and uaac CLIs; see the resources section for the download URLs. To install uaac, run {{sudo gem install cf-uaac}}.

Then point the CLI at credhub. Once {{--ca-cert}} is given, {{--skip-tls-validation}} is redundant (and, as the warning says, deprecated); drop it so the server certificate is actually checked:
{{{
metskem@athena-2~/workspace/boshlite/deployments/vbox $ credhub api -s https://192.168.50.6:8844 --ca-cert <(bosh int creds.yml --path /credhub_tls/ca) --skip-tls-validation
Setting the target url: https://192.168.50.6:8844
Warning: The targeted TLS certificate has not been verified for this connection.
Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.
}}} 

Some jq to pull the UAA URL out of the credhub /info endpoint (this is also how the credhub CLI finds its authenticator):

{{{
curl -k --silent https://192.168.50.6:8844/info|jq '.["auth-server"].url'  -r
https://192.168.50.6:8443
}}}

CredHub authenticates against UAA, so you need a UAA token first. Target the UAA (here {{uaac target https://192.168.50.6:8443 --skip-ssl-validation}}, which is what the contexts listing below reflects; pass {{--ca-cert}} with the UAA CA instead where you have it), then get a token for the uaa_admin client (it took me quite some time to find out which user/password to use for the UAA admin):

{{{
uaac token client get uaa_admin -s "$(bosh int creds.yml --path /uaa_admin_client_secret)" # the client secret lives in creds.yml under uaa_admin_client_secret
}}}
After that you can list the contexts, and you can see you have scim.write (needed for adding users) and more:
{{{
metskem@athena  ~/workspace/boshlite/deployments/vbox uaac contexts

[0]*[https://192.168.50.6:8443]
  skip_ssl_validation: true

  [0] [admin]
      client_id: admin
      access_token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiI2MzMyOWY4Y2JmMjI0YzE3OThhYjVlN2I5MTdjY2QzYyIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiYm9zaC5hZG1pbiJdLCJzY29wZSI6WyJib3NoLmFkbWluIl0sImNsaWVudF9pZCI6ImFkbWluIiwiY2lkIjoiYWRtaW4iLCJhenAiOiJhZG1pbiIsInJldm9jYWJsZSI6dHJ1ZSwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiI0YmI2OTAwYyIsImlhdCI6MTUzNTk4MDQxNSwiZXhwIjoxNTM2MDIzNjE1LCJpc3MiOiJodHRwczovLzE5Mi4xNjguNTAuNjo4NDQzL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImFkbWluIiwiYm9zaCJdfQ.URHw2xjZrqUFBMFVV4Ap4t4u5QqiMk61krlrIQx4s8klW2PDnEPS0tyl0qwmDOxdU08-C-s-E_GPbgePl8gqFGs6sgXagRmqw2ecnI2LDLu0SvhpKjMPGtCN0Gv38ZhDA_hzbrLouRgZ7SaxctSX4TnQMad_uxG0mq1KgFePy6luVqr32vvepkqMbRDBrNHro30wI_CDjie0vcFNBA9pQF5Z5SmUqzXAUvt2jEzPEc7Hqhwd8gAzOTAzOQYRnDnfMHdf3MP6ZGjPly7xDyRp9Z-QXo6PLItI7KmlO-qluU0JgKFnaznBl5TxTwMMA5o0k7FKXCjewPa--87yO3-A6w
      token_type: bearer
      expires_in: 43199
      scope: bosh.admin
      jti: 63329f8cbf224c1798ab5e7b917ccd3c

  [1]*[uaa_admin]
      client_id: uaa_admin
      access_token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.[payload elided].KGCXMI0d5QxtfONsA1xPr8gLBFnGxRNrs6v3pLbLIlgW4yDeReWI428MDxKX57rh8acyjV4fLv734PHxt9h8DDgOVe582BYaTzoSKJnuPC5cUiz0lApNYuXXtKwwhS5WeSp0hnpBx26n6ETg5fWAUKS0tNYy-1jfM2jDbRRuubWCxac1iJ5UjXnIhnpefRyIWuymEbyG3aEzTg0MST1SGQA4u4VTKVY-2ElNW3SQ4AAK_TgVNM-pXxoN4BM3Q51lKWf0y7yoLWCilIPMQVyQpQmbTtwzjgmVmOQAe8v6SpivYtMxd5iJLkYGxeQHTV72gOlDS7fpOH4Y2YgMHeIkLQ
      token_type: bearer
      expires_in: 43199
      scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
      jti: d65941aac917410da1973383e556959b

 metskem@athena  ~/workspace/boshlite/deployments/vbox
}}}

You need the second context (uaa_admin): as the listing shows, it carries all the scopes client administration needs (clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read).\\
Now list the registered UAA clients (these are OAuth clients, not users):
{{{
metskem@athena  ~/workspace/boshlite/deployments/vbox uaac clients
  admin
    scope: uaa.none
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    authorities: bosh.admin
    lastmodified: 1535891189747
  bosh_cli
    scope: openid bosh.admin bosh.read bosh.*.admin bosh.*.read bosh.teams.*.admin bosh.teams.*.read
    resource_ids: none
    authorized_grant_types: password refresh_token
    autoapprove:
    access_token_validity: 120
    refresh_token_validity: 86400
    authorities: uaa.none
    lastmodified: 1535891189819
  credhub-admin
    scope: uaa.none
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    access_token_validity: 3600
    authorities: credhub.write credhub.read
    lastmodified: 1535891189423
  credhub_cli
    scope: credhub.read credhub.write
    resource_ids: none
    authorized_grant_types: password refresh_token
    autoapprove:
    access_token_validity: 60
    refresh_token_validity: 1800
    authorities: uaa.none
    lastmodified: 1535891189596
  director_to_credhub
    scope: uaa.none
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    access_token_validity: 3600
    authorities: credhub.write credhub.read
    lastmodified: 1535891189890
  hm
    scope: uaa.none
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    authorities: bosh.admin
    lastmodified: 1535891189671
  uaa_admin
    scope: uaa.none
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    authorities: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
    lastmodified: 1535891189507
 metskem@athena  ~/workspace/boshlite/deployments/vbox
}}}
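Reading that listing by eye works for seven clients. As an added example (not UAA's or CredHub's own code), the parser below runs over the same output and answers the two questions a reviewer asks of it: which clients end up with credhub.write in a token, and which clients have no explicit access_token_validity and therefore run on the UAA-wide default (the admin and uaa_admin tokens above show expires_in 43199, about 12 hours). It assumes the text layout uaac printed above (client names indented two spaces, attributes four, space-separated values); SAMPLE_UAAC_CLIENTS is that listing copied from this page with the shell prompts removed.

```python
# Audit a `uaac clients` listing: which clients can write to CredHub and which
# run on UAA's default token lifetime. Added example for these notes (not UAA
# or CredHub code); assumes the text layout uaac printed above (client names
# indented two spaces, attributes four, space-separated lists).
# SAMPLE_UAAC_CLIENTS is that listing copied from the page, prompts removed.
SAMPLE_UAAC_CLIENTS = """\
  admin
    scope: uaa.none
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    authorities: bosh.admin
    lastmodified: 1535891189747
  bosh_cli
    scope: openid bosh.admin bosh.read bosh.*.admin bosh.*.read bosh.teams.*.admin bosh.teams.*.read
    resource_ids: none
    authorized_grant_types: password refresh_token
    autoapprove:
    access_token_validity: 120
    refresh_token_validity: 86400
    authorities: uaa.none
    lastmodified: 1535891189819
  credhub-admin
    scope: uaa.none
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    access_token_validity: 3600
    authorities: credhub.write credhub.read
    lastmodified: 1535891189423
  credhub_cli
    scope: credhub.read credhub.write
    resource_ids: none
    authorized_grant_types: password refresh_token
    autoapprove:
    access_token_validity: 60
    refresh_token_validity: 1800
    authorities: uaa.none
    lastmodified: 1535891189596
  director_to_credhub
    scope: uaa.none
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    access_token_validity: 3600
    authorities: credhub.write credhub.read
    lastmodified: 1535891189890
  hm
    scope: uaa.none
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    authorities: bosh.admin
    lastmodified: 1535891189671
  uaa_admin
    scope: uaa.none
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    authorities: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
    lastmodified: 1535891189507
"""


def parse_uaac_clients(text):
    """Return {client: {attribute: [values]}}; an empty attribute (autoapprove:) gives []."""
    clients, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 2:                                 # client name line
            current = raw.strip()
            clients[current] = {}
        elif indent > 2 and current is not None:        # "key: value value ..." line
            key, _, value = raw.strip().partition(":")
            clients[current][key] = value.split()
    return clients


def clients_granting(clients, authority):
    """Clients whose tokens carry `authority`: client_credentials clients get it
    from `authorities`, password/refresh_token clients from `scope`."""
    return sorted(name for name, a in clients.items()
                  if authority in a.get("authorities", []) + a.get("scope", []))


def clients_without_token_validity(clients):
    """No explicit access_token_validity: the UAA default lifetime applies."""
    return sorted(n for n, a in clients.items() if "access_token_validity" not in a)


if __name__ == "__main__":
    c = parse_uaac_clients(SAMPLE_UAAC_CLIENTS)
    print("can write to CredHub:", clients_granting(c, "credhub.write"))
    print("on default token lifetime:", clients_without_token_validity(c))
```

Run against a live listing with {{uaac clients | python3 audit_clients.py}} after swapping the sample for {{sys.stdin.read()}}; credhub_cli shows up as a writer because a password-grant token carries the client's scope, not its authorities.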

And there we see the client __credhub-admin__: a client_credentials client whose authorities are credhub.read and credhub.write, which is exactly what we need for managing credhub. So let's log in to credhub with it:

{{{

}}}
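Logging in with that client non-interactively, assuming the credhub.yml ops file stored its secret in creds.yml under credhub_admin_client_secret, is {{credhub login --client-name credhub-admin --client-secret "$(bosh int creds.yml --path /credhub_admin_client_secret)"}}. The script below is an added example, not CredHub's own code, that performs the same client_credentials flow against the API directly so the steps the CLI hides are visible: discover the UAA from /info (the jq call above), get a token from UAA's /oauth/token, check the token actually carries credhub.read and credhub.write, and read one credential. TLS is verified against the deployment CA rather than skipped. The environment variables CREDHUB_URL, CREDHUB_CA_CERT, CREDHUB_CLIENT and CREDHUB_SECRET, the assumption that one PEM bundle is trusted for both CredHub and UAA (true on bosh-lite, where both certificates come from the vars-store default CA), and SAMPLE_TOKEN (a constructed, unsigned token for offline use) are mine; the {{{"data":[...]}}} shape of the get-by-name response follows the API reference linked above.

```python
"""Talk to CredHub with a UAA client_credentials token, verifying TLS.

Added example for these notes (not CredHub's own code). Assumptions:
  * CREDHUB_URL is the API (default: the bosh-lite address used above);
  * /info names the UAA under auth-server.url (as the jq call above shows);
  * CREDHUB_CA_CERT is a PEM bundle trusted for BOTH CredHub and UAA;
  * CREDHUB_CLIENT / CREDHUB_SECRET are a client like credhub-admin that
    holds the credhub.read and credhub.write authorities.
"""
import base64
import json
import os
import ssl
import sys
import urllib.parse
import urllib.request

CREDHUB_URL = os.environ.get("CREDHUB_URL", "https://192.168.50.6:8844")


def tls_context(ca_file):
    """The --ca-cert equivalent: trust the deployment CA instead of disabling
    verification the way curl -k / --skip-tls-validation do."""
    return ssl.create_default_context(cafile=ca_file)


def auth_server_url(info_text):
    """Same extraction as jq '.["auth-server"].url' on the /info body."""
    return json.loads(info_text)["auth-server"]["url"]


def token_request(uaa_url, client_id, client_secret):
    """client_credentials grant against UAA's /oauth/token; the client
    authenticates with HTTP Basic, the secret never goes in the URL."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        uaa_url.rstrip("/") + "/oauth/token",
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        method="POST",
    )
    req.add_header("Authorization", "Basic " + basic)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    return req


def jwt_claims(token):
    """Decode the JWT payload WITHOUT checking the signature. Fine for looking
    at scopes locally (what `uaac contexts` prints); never use this to make an
    authorisation decision, an unverified payload can say anything."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_scopes(claims, required=("credhub.read", "credhub.write")):
    """True when every required scope is in the token's scope claim."""
    return set(required) <= set(claims.get("scope", []))


def get_request(credhub_url, token, name):
    """GET /api/v1/data?name=...&current=true: newest version of one credential."""
    query = urllib.parse.urlencode({"name": name, "current": "true"})
    req = urllib.request.Request(credhub_url.rstrip("/") + "/api/v1/data?" + query)
    req.add_header("Authorization", "Bearer " + token)
    return req


def fetch_text(req, ctx):
    """Send a request over the verified TLS context and return the body."""
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample token (header.payload.bogus-signature) so jwt_claims can be
# exercised offline; the signature is fake and is never checked by this code.
SAMPLE_TOKEN = ".".join(
    base64.urlsafe_b64encode(json.dumps(part).encode()).decode().rstrip("=")
    for part in (
        {"alg": "RS256", "kid": "legacy-token-key", "typ": "JWT"},
        {"client_id": "credhub-admin", "grant_type": "client_credentials",
         "scope": ["credhub.read", "credhub.write"],
         "iss": "https://192.168.50.6:8443/oauth/token"},
    )
) + ".not-a-signature"


if __name__ == "__main__":
    # Live run: python3 credhub_client.py /bosh-lite/cf/some_password
    ctx = tls_context(os.environ["CREDHUB_CA_CERT"])
    uaa = auth_server_url(fetch_text(urllib.request.Request(CREDHUB_URL + "/info"), ctx))
    tok = json.loads(fetch_text(
        token_request(uaa, os.environ["CREDHUB_CLIENT"], os.environ["CREDHUB_SECRET"]), ctx))
    claims = jwt_claims(tok["access_token"])
    if not has_scopes(claims):
        sys.exit(f"token carries {claims.get('scope')}, need credhub.read and credhub.write")
    body = json.loads(fetch_text(get_request(CREDHUB_URL, tok["access_token"], sys.argv[1]), ctx))
    print(json.dumps(body["data"][0], indent=2))
```

On bosh-lite the CA file comes from the vars store ({{bosh int creds.yml --path /credhub_tls/ca > credhub-ca.pem}}); the scope check is there because a client that exists in UAA is not necessarily one CredHub will accept, and failing early on a token with the wrong authorities is clearer than a 403 from the data endpoint.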




!! CredHub on PCF
{{{
/:~# ps -ef|grep -i credh
vcap      35083      1  0 Jan26 ?        00:05:10 java -Dspring.profiles.active=prod -Dspring.config.location=/var/vcap/jobs/credhub/config/application.yml -Dlog4j.configurationFile=/var/vcap/jobs/credhub/config/log4j2.properties -Djava.security.egd=file:/dev/urandom -Djava.io.tmpdir=/var/vcap/jobs/credhub/tmp -ea -jar credhub.jar
....
}}}

This listens on port 8844.\\
The config file at {{/var/vcap/jobs/credhub/config/application.yml}} is worth a look: it carries the auth-server, datasource and encryption-provider settings, so treat it as sensitive.\\
Logging goes to {{/var/vcap/sys/log/credhub/credhub.log}}

! Setting the target
{{{
metskeh@admin-d01we-cis:~$ ./credhub api --skip-tls-validation --server 10.253.6.11:8844
Warning: The targeted TLS certificate has not been verified for this connection.
Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.
Setting the target url: https://10.253.6.11:8844
}}}

! Getting info and health

{{{
metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/info | jq
{
  "auth-server": {
    "url": "https://10.253.6.11:8443"
  },
  "app": {
    "name": "CredHub",
    "version": "1.0.8"
  }
}
}}}

{{{
metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/health | jq
{
  "status": "UP"
}
}}}