!!! credhub

[{TableOfContents}]

What runs op the director (pcf 1.11):

!! Resources

* [credhub|https://github.com/cloudfoundry-incubator/credhub]
* [credhub bosh release|https://github.com/pivotal-cf/credhub-release]
* [credhub bosh release docs! | https://github.com/pivotal-cf/credhub-release/tree/master/docs]
* [credhub api and cli ref|https://credhub-api.cfapps.io]
* [pcf 1.12 and credhub|https://docs.pivotal.io/tiledev/1-12/credhub.html]
* [Setting Up and Deploying CredHub with BOSH|https://docs.cloudfoundry.org/credhub/setup-credhub-bosh.html]
* [Using CredHub to Increase the Security of Your Platform - Dan Jahner, Pivotal|https://youtu.be/UHqKLEEZH3s]
* [YouTube "CredHub and Secure Credential Management - Peter Blum, Scott Frederick"|https://youtu.be/gQnM_PIMuE8]

!! Setting up your local BOSH environment

First create your local BOSH director:
{{{
bosh create-env ~/workspace/bosh-deployment/bosh.yml  \
 --state ./state.json \
 -o ~/workspace/bosh-deployment/virtualbox/cpi.yml \
 -o outbound-network.yml \
 -o ~/workspace/bosh-deployment/bosh-lite.yml \
 -o ~/workspace/bosh-deployment/bosh-lite-runc.yml \
 -o ~/workspace/bosh-deployment/jumpbox-user.yml \
 -o ~/workspace/bosh-deployment/uaa.yml \
 -o ~/workspace/bosh-deployment/credhub.yml \
 --vars-store ./creds.yml \
 -v director_name="Bosh Lite Director"  \
 -v internal_ip=192.168.50.6 \
 -v internal_gw=192.168.50.1 \
 -v internal_cidr=192.168.50.0/24 \
 -v outbound_network_name=NatNetwork
 
bosh alias-env vbox -e 192.168.50.6 --ca-cert <(bosh int ./creds.yml --path /director_ssl/ca)
 
export BOSH_ENVIRONMENT=vbox
export BOSH_CLIENT=admin
export BOSH_CLIENT_SECRET=`bosh int ./creds.yml --path /admin_password`

echo "updating cloud config..."
bosh -n update-cloud-config ~/workspace/bosh-deployment/warden/cloud-config.yml
}}}

Mind the uaa.yml and credhub.yml operator files.

When you have this up and running, credhub should be running on port 8844 and use the local UAA (on port 8443) as it's authenticator.



!! CredHub on PCF
{{{
/:~# ps -ef|grep -i credh
vcap      35083      1  0 Jan26 ?        00:05:10 java -Dspring.profiles.active=prod -Dspring.config.location=/var/vcap/jobs/credhub/config/application.yml -Dlog4j.configurationFile=/var/vcap/jobs/credhub/config/log4j2.properties -Djava.security.egd=file:/dev/urandom -Djava.io.tmpdir=/var/vcap/jobs/credhub/tmp -ea -jar credhub.jar
....
}}}

This listens on port 8844.\\
There is an interesting config file @ {{/var/vcap/jobs/credhub/config/application.yml}}\\
Logging is @ {{/var/vcap/sys/log/credhub/credhub.log}}

! Setting the target__
{{{
metskeh@admin-d01we-cis:~$ ./credhub api --skip-tls-validation --server 10.253.6.11:8844
Warning: The targeted TLS certificate has not been verified for this connection.
Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.
Setting the target url: https://10.253.6.11:8844
}}}

! Getting info and health

{{{
metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/info | jq
{
  "auth-server": {
    "url": "https://10.253.6.11:8443"
  },
  "app": {
    "name": "CredHub",
    "version": "1.0.8"
  }
}
}}}

{{{
metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/health | jq
{
  "status": "UP"
}
}}}