credhub#
What runs op the director (pcf 1.11):
Resources#
- credhub
- credhub bosh release
- credhub bosh release docs!
- credhub api and cli ref
- cf-uaac
- pcf 1.12 and credhub
- Setting Up and Deploying CredHub with BOSH
- Using CredHub to Increase the Security of Your Platform - Dan Jahner, Pivotal
- YouTube "CredHub and Secure Credential Management - Peter Blum, Scott Frederick"
Setting up your local BOSH environment#
First create your local BOSH director:
bosh create-env ~/workspace/bosh-deployment/bosh.yml \ --state ./state.json \ -o ~/workspace/bosh-deployment/virtualbox/cpi.yml \ -o outbound-network.yml \ -o ~/workspace/bosh-deployment/bosh-lite.yml \ -o ~/workspace/bosh-deployment/bosh-lite-runc.yml \ -o ~/workspace/bosh-deployment/jumpbox-user.yml \ -o ~/workspace/bosh-deployment/uaa.yml \ -o ~/workspace/bosh-deployment/credhub.yml \ --vars-store ./creds.yml \ -v director_name="Bosh Lite Director" \ -v internal_ip=192.168.50.6 \ -v internal_gw=192.168.50.1 \ -v internal_cidr=192.168.50.0/24 \ -v outbound_network_name=NatNetwork bosh alias-env vbox -e 192.168.50.6 --ca-cert <(bosh int ./creds.yml --path /director_ssl/ca) export BOSH_ENVIRONMENT=vbox export BOSH_CLIENT=admin export BOSH_CLIENT_SECRET=`bosh int ./creds.yml --path /admin_password` echo "updating cloud config..." bosh -n update-cloud-config ~/workspace/bosh-deployment/warden/cloud-config.yml
Mind the uaa.yml and credhub.yml operator files.
When the deployment finishes you will have a creds.yml file that has all k
When you have this up and running, credhub should be running on port 8844 and use the local UAA (on port 8443) as it's authenticator.
Login to credhub#
First you need the credhub and uaa cli's, see the resources section for the download URLs. To install uaac, run sudo gem install cf-uaac.Then you set the API to credhub:
metskem@athena-2~/workspace/boshlite/deployments/vbox $ credhub api -s https://192.168.50.6:8844 --ca-cert <(bosh int creds.yml --path /credhub_tls/ca) --skip-tls-validation Setting the target url: https://192.168.50.6:8844 Warning: The targeted TLS certificate has not been verified for this connection. Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.
First some jq magic to get the UAA URL from the credhub /info api:
curl -k --silent https://192.168.50.6:8844/info|jq '.["auth-server"].url' -r https://192.168.50.6:8443
Login to credhub should be done with a UAA user, so login with that first (it took me quite some time to find out which user/password to use for uaa admin):
uaac token client get uaa_admin -s l128pcpdag6olta4ec1x # get this password from creds.yml#uaa_admin_client_secretAfter that you are able to list the contexts and you can see you have scime.write (needed for adding users) and more:
metskem@athena ~/workspace/boshlite/deployments/vbox uaac contexts
[0]*[https://192.168.50.6:8443]
skip_ssl_validation: true
[0] [admin]
client_id: admin
access_token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiI2MzMyOWY4Y2JmMjI0YzE3OThhYjVlN2I5MTdjY2QzYyIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiYm9zaC5hZG1pbiJdLCJzY29wZSI6WyJib3NoLmFkbWluIl0sImNsaWVudF9pZCI6ImFkbWluIiwiY2lkIjoiYWRtaW4iLCJhenAiOiJhZG1pbiIsInJldm9jYWJsZSI6dHJ1ZSwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiI0YmI2OTAwYyIsImlhdCI6MTUzNTk4MDQxNSwiZXhwIjoxNTM2MDIzNjE1LCJpc3MiOiJodHRwczovLzE5Mi4xNjguNTAuNjo4NDQzL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImFkbWluIiwiYm9zaCJdfQ.URHw2xjZrqUFBMFVV4Ap4t4u5QqiMk61krlrIQx4s8klW2PDnEPS0tyl0qwmDOxdU08-C-s-E_GPbgePl8gqFGs6sgXagRmqw2ecnI2LDLu0SvhpKjMPGtCN0Gv38ZhDA_hzbrLouRgZ7SaxctSX4TnQMad_uxG0mq1KgFePy6luVqr32vvepkqMbRDBrNHro30wI_CDjie0vcFNBA9pQF5Z5SmUqzXAUvt2jEzPEc7Hqhwd8gAzOTAzOQYRnDnfMHdf3MP6ZGjPly7xDyRp9Z-QXo6PLItI7KmlO-qluU0JgKFnaznBl5TxTwMMA5o0k7FKXCjewPa--87yO3-A6w
token_type: bearer
expires_in: 43199
scope: bosh.admin
jti: 63329f8cbf224c1798ab5e7b917ccd3c
[1]*[uaa_admin]
client_id: uaa_admin
access_token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJkNjU5NDFhYWM5MTc0MTBkYTE5NzMzODNlNTU2OTU5YiIsInN1YiI6InVhYV9hZG1pbiIsImF1dGhvcml0aWVzIjpbImNsaWVudHMucmVhZCIsInBhc3N3b3JkLndyaXRlIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwic2NpbS53cml0ZSIsInNjaW0ucmVhZCJdLCJzY29wZSI6WyJjbGllbnRzLnJlYWQiLCJwYXNzd29yZC53cml0ZSIsImNsaWVudHMuc2VjcmV0IiwiY2xpZW50cy53cml0ZSIsInVhYS5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoidWFhX2FkbWluIiwiY2lkIjoidWFhX2FkbWluIiwiYXpwIjoidWFhX2FkbWluIiwicmV2b2NhYmxlIjp0cnVlLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwicmV2X3NpZyI6ImFhOWIzNmI0IiwiaWF0IjoxNTM1OTgxNDgwLCJleHAiOjE1MzYwMjQ2ODAsImlzcyI6Imh0dHBzOi8vMTkyLjE2OC41MC42Ojg0NDMvb2F1dGgvdG9rZW4iLCJ6aWQiOiJ1YWEiLCJhdWQiOlsic2NpbSIsInVhYV9hZG1pbiIsInBhc3N3b3JkIiwiY2xpZW50cyIsInVhYSJdfQ.KGCXMI0d5QxtfONsA1xPr8gLBFnGxRNrs6v3pLbLIlgW4yDeReWI428MDxKX57rh8acyjV4fLv734PHxt9h8DDgOVe582BYaTzoSKJnuPC5cUiz0lApNYuXXtKwwhS5WeSp0hnpBx26n6ETg5fWAUKS0tNYy-1jfM2jDbRRuubWCxac1iJ5UjXnIhnpefRyIWuymEbyG3aEzTg0MST1SGQA4u4VTKVY-2ElNW3SQ4AAK_TgVNM-pXxoN4BM3Q51lKWf0y7yoLWCilIPMQVyQpQmbTtwzjgmVmOQAe8v6SpivYtMxd5iJLkYGxeQHTV72gOlDS7fpOH4Y2YgMHeIkLQ
token_type: bearer
expires_in: 43199
scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
jti: d65941aac917410da1973383e556959b
metskem@athena ~/workspace/boshlite/deployments/vbox
You need the second context (uaa_admin), as you can see it has all the scopes you need (clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read).
Now you can also list the current uaa users:
metskem@athena ~/workspace/boshlite/deployments/vbox uaac clients
admin
scope: uaa.none
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
authorities: bosh.admin
lastmodified: 1535891189747
bosh_cli
scope: openid bosh.admin bosh.read bosh.*.admin bosh.*.read bosh.teams.*.admin bosh.teams.*.read
resource_ids: none
authorized_grant_types: password refresh_token
autoapprove:
access_token_validity: 120
refresh_token_validity: 86400
authorities: uaa.none
lastmodified: 1535891189819
credhub-admin
scope: uaa.none
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
access_token_validity: 3600
authorities: credhub.write credhub.read
lastmodified: 1535891189423
credhub_cli
scope: credhub.read credhub.write
resource_ids: none
authorized_grant_types: password refresh_token
autoapprove:
access_token_validity: 60
refresh_token_validity: 1800
authorities: uaa.none
lastmodified: 1535891189596
director_to_credhub
scope: uaa.none
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
access_token_validity: 3600
authorities: credhub.write credhub.read
lastmodified: 1535891189890
hm
scope: uaa.none
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
authorities: bosh.admin
lastmodified: 1535891189671
uaa_admin
scope: uaa.none
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
authorities: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
lastmodified: 1535891189507
metskem@athena ~/workspace/boshlite/deployments/vbox
And there we see the user credhub-admin, that one is what we need for managing credhub. So let's credhub-login with that:
CredHub on PCF#
/:~# ps -ef|grep -i credh vcap 35083 1 0 Jan26 ? 00:05:10 java -Dspring.profiles.active=prod -Dspring.config.location=/var/vcap/jobs/credhub/config/application.yml -Dlog4j.configurationFile=/var/vcap/jobs/credhub/config/log4j2.properties -Djava.security.egd=file:/dev/urandom -Djava.io.tmpdir=/var/vcap/jobs/credhub/tmp -ea -jar credhub.jar ....
This listens on port 8844.
There is an interesting config file @ /var/vcap/jobs/credhub/config/application.yml
Logging is @ /var/vcap/sys/log/credhub/credhub.log
Setting the target#
metskeh@admin-d01we-cis:~$ ./credhub api --skip-tls-validation --server 10.253.6.11:8844 Warning: The targeted TLS certificate has not been verified for this connection. Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead. Setting the target url: https://10.253.6.11:8844
Getting info and health#
metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/info | jq
{
"auth-server": {
"url": "https://10.253.6.11:8443"
},
"app": {
"name": "CredHub",
"version": "1.0.8"
}
}
metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/health | jq
{
"status": "UP"
}