credhub#
What runs op the director (pcf 1.11):
Resources#
- credhub
- credhub bosh release
- credhub bosh release docs!
- credhub api and cli ref
- cf-uaac
- pcf 1.12 and credhub
- Setting Up and Deploying CredHub with BOSH
- Using CredHub to Increase the Security of Your Platform - Dan Jahner, Pivotal
- YouTube "CredHub and Secure Credential Management - Peter Blum, Scott Frederick"
Setting up your local BOSH environment#
First create your local BOSH director:
bosh create-env ~/workspace/bosh-deployment/bosh.yml \ --state ./state.json \ -o ~/workspace/bosh-deployment/virtualbox/cpi.yml \ -o outbound-network.yml \ -o ~/workspace/bosh-deployment/bosh-lite.yml \ -o ~/workspace/bosh-deployment/bosh-lite-runc.yml \ -o ~/workspace/bosh-deployment/jumpbox-user.yml \ -o ~/workspace/bosh-deployment/uaa.yml \ -o ~/workspace/bosh-deployment/credhub.yml \ --vars-store ./creds.yml \ -v director_name="Bosh Lite Director" \ -v internal_ip=192.168.50.6 \ -v internal_gw=192.168.50.1 \ -v internal_cidr=192.168.50.0/24 \ -v outbound_network_name=NatNetwork bosh alias-env vbox -e 192.168.50.6 --ca-cert <(bosh int ./creds.yml --path /director_ssl/ca) export BOSH_ENVIRONMENT=vbox export BOSH_CLIENT=admin export BOSH_CLIENT_SECRET=`bosh int ./creds.yml --path /admin_password` echo "updating cloud config..." bosh -n update-cloud-config ~/workspace/bosh-deployment/warden/cloud-config.yml
Mind the uaa.yml and credhub.yml operator files.
When the deployment finishes you will have a creds.yml file that has all k
When you have this up and running, credhub should be running on port 8844 and use the local UAA (on port 8443) as it's authenticator.
Login to credhub#
First you need the credhub and uaa cli's, see the resources section for the download URLs. To install uaac, run sudo gem install cf-uaac.Then you set the API to credhub:
metskem@athena-2~/workspace/boshlite/deployments/vbox $ credhub api -s https://192.168.50.6:8844 --ca-cert <(bosh int creds.yml --path /credhub_tls/ca) --skip-tls-validation Setting the target url: https://192.168.50.6:8844 Warning: The targeted TLS certificate has not been verified for this connection. Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.
First some jq magic to get the UAA URL from the credhub /info api:
curl -k --silent https://192.168.50.6:8844/info|jq '.["auth-server"].url' -r https://192.168.50.6:8443
Login to credhub should be done with a UAA user, so create that first :
You can then use this value for creating the uaa users:
export UAA_URL=$(curl -k --silent https://192.168.50.6:8844/info|jq '.["auth-server"].url' -r)
uaac target ${UAA_URL} --skip-ssl-validation
CredHub on PCF#
/:~# ps -ef|grep -i credh vcap 35083 1 0 Jan26 ? 00:05:10 java -Dspring.profiles.active=prod -Dspring.config.location=/var/vcap/jobs/credhub/config/application.yml -Dlog4j.configurationFile=/var/vcap/jobs/credhub/config/log4j2.properties -Djava.security.egd=file:/dev/urandom -Djava.io.tmpdir=/var/vcap/jobs/credhub/tmp -ea -jar credhub.jar ....
This listens on port 8844.
There is an interesting config file @ /var/vcap/jobs/credhub/config/application.yml
Logging is @ /var/vcap/sys/log/credhub/credhub.log
Setting the target#
metskeh@admin-d01we-cis:~$ ./credhub api --skip-tls-validation --server 10.253.6.11:8844 Warning: The targeted TLS certificate has not been verified for this connection. Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead. Setting the target url: https://10.253.6.11:8844
Getting info and health#
metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/info | jq
{
"auth-server": {
"url": "https://10.253.6.11:8443"
},
"app": {
"name": "CredHub",
"version": "1.0.8"
}
}
metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/health | jq
{
"status": "UP"
}