You can deploy a BOSH Director with CredHub so that you can use credential variables in your deployment manifests.
If you use the bosh-deployment repository on GitHub, include the credhub.yml file to enable CredHub on the BOSH Director VM.
CredHub exists on a virtual machine (VM) with the BOSH Director, UAA, and other high level components. A deployment manifest configured with variables calls to CredHub which passes the credential to the appropriate components.
Once configured, any variable in a BOSH deployment manifest with the syntax ((variable-name)) causes the BOSH Director to retrieve the variable value from CredHub at deployment time. You can tell your manifest already uses CredHub if the fields with secure data have ((variables)) formatted with double parentheses.
Preparing for deployment
To prepare to deploy a BOSH Director with CredHub:
-
Set up your BOSH Director.
The following configuration steps assume that you have an existing BOSH Director. If you do not have a BOSH Director, see Deploying BOSH with create-env in the BOSH documentation. -
Configure UAA on your Director.
CredHub uses UAA for user and client authentication. You need a UAA server that is configured on the BOSH Director to enable CredHub. For more information about provisioning UAA on the BOSH Director, see Configuring Director in the BOSH documentation. -
(Optional) Configure an external database.
To optimize fault tolerance, store CredHub data in an external database. To accomplish this, you must create a database and user on your database server before deployment. You can use the internal BOSH Director database to store CredHub data, but be careful to avoid data loss when you provision or update the BOSH Director VM. -
(Optional) Configure a Luna HSM.
If you use an external Hardware Security Module (HSM) to perform cryptographic operations:- Configure the HSM to allow access from the deployed CredHub instance.
- Grant the operator all of the required permissions to use the HSM.
For more information about the required HSM values and how to configure an HSM, see Using hardware security modules with CredHub.
Configuring the BOSH Director
To configure your BOSH Director with CredHub:
-
Download the latest CredHub release from the Releases page in the CredHub repository on GitHub.
-
Update the deployment manifest to include the latest CredHub release. For example:
releases: - name: bosh url: https://bosh.io/d/github.com/cloudfoundry/bosh?v=261.2 version: 261.2 sha1: d4635b4b82b0dc5fd083b83eb7e7405832f6654b # ... - name: credhub url: https://bosh.io/d/github.com/pivotal-cf/credhub-release?v=0.6.1 version: 0.6.1 sha1: 5ab4c4ef3d67f8ea07d78b1a87707e7520a97ab7For more information, see Latest Version in credhub Release in the BOSH documentation.
-
Add the CredHub job to the BOSH Director instance:
instance_groups: - name: bosh instances: 1 jobs: - {name: nats, release: bosh} - {name: redis, release: bosh} - {name: postgres, release: bosh} - {name: blobstore, release: bosh} - {name: director, release: bosh} - {name: health_monitor, release: bosh} - {name: uaa, release: uaa-release} - {name: credhub, release: credhub} resource_pool: default # ... -
(Optional) Add variable generation specifications for CredHub properties.
You can generate values that CredHub requires automatically with the BOSH CLI. To enable generation, add the variable specifications to the manifest, as in the following example. You can adjust or remove these if you prefer to provide your own values.variables: - name: credhub-ca type: certificate options: is_ca: true common_name: 'CredHub CA' - name: credhub-tls type: certificate options: ca: credhub-ca common_name: credhub.example.com alternative_names: - 10.0.0.10 - 127.0.0.1 - name: credhub-encryption-password type: password -
Add CredHub properties to the deployment manifest, as in the following example. This example includes a configuration to use a hardware security module (HSM) for encryption.
properties: credhub: port: 8844 log_level: info tls: certificate: ((credhub-tls.certificate)) private_key: ((credhub-tls.private_key)) data_storage: type: mysql host: mysql.example.com port: 3306 database: credhub username: user password: PASSWORD require_tls: true tls_ca: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- authentication: uaa: url: "https://uaa.example.com:8443" verification_key: | -----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY----- mutual_tls: trusted_cas: - | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- encryption: keys: - provider_name: corp-hsm encryption_key_name: KEY-NAME active: true providers: - name: corp-hsm type: hsm partition: PARTITION-NAME partition_password: PARTITION-PASSWORD client_certificate: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- client_key: | -----BEGIN EXAMPLE RSA PRIVATE KEY----- ... -----END EXAMPLE RSA PRIVATE KEY----- servers: - host: hsm.example.com port: 1792 partition_serial_number: 123456 certificate: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----Where: *
PASSWORDis the password for your CredHub instance. *KEY-NAMEis your CredHub encryption key. *PARTITION-NAMEis the name of the HSM partition on which your CredHub encryption key is stored. *PARTITION-PASSWORDis the password of the HSM partition on which your CredHub encryption key is stored.
Alternatively, you can use the internal software-based encryption provider with the configuration below. This method derives a 256-bit key from the provided encryption password and utilized AES256-GCM encryption.... encryption: providers: - name: main type: internal keys: - provider_name: main encryption_password: ((credhub-encryption-password)) active: true ...For the full list of CredHub properties and default values, see credhub job in the BOSH documentation.
-
Add CredHub CLI and your BOSH Director and CredHub UAA clients.
properties: uaa: clients: credhub_cli: override: true authorized-grant-types: password,refresh_token scope: credhub.read,credhub.write authorities: uaa.none access-token-validity: 120 refresh-token-validity: 1800 secret: "" director_to_credhub: override: true authorized-grant-types: client_credentials scope: uaa.none authorities: credhub.read,credhub.write access-token-validity: 43200 secret: CUSTOM-CLIENT-SECRETWhere
CUSTOM-CLIENT-SECRETis the client secret you set for the BOSH Director. -
Enable the configuration server feature of the BOSH Director and configure it to utilize CredHub:
properties: director: address: bosh.EXAMPLE.com name: director-name config_server: enabled: true url: "https://127.0.0.1:8844/api/" ca_cert: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- uaa: url: "https://127.0.0.1:8443" client_id: director_to_credhub client_secret: EXAMPLE-SECRET ca_cert: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -
(Optional) Configure the BOSH Director Postgres server with an additional database named
credhub. If you are using the internal BOSH Director database, you must provision an additional database for the CredHub data. If you use an external database, you must create the database on your database server before deploying.properties: postgres: &db host: 127.0.0.1 port: 5432 user: postgres password: POSTGRES-PASSWORD database: bosh additional_databases: [credhub] adapter: postgresWhere
POSTGRES-PASSWORDis the password for your Postgres server. -
(Optional) Seed initial CredHub users to UAA. Users must have both
credhub.readandcredhub.write accessscopes.properties: uaa: scim: users: - name: CREDHUB-USER password: USER-PASSWORD groups: - credhub.read - credhub.write - name: OTHER-CREDHUB-USER password: OTHER-USER-PASSWORD groups: - credhub.read - credhub.writeWhere: *
CREDHUB-USERandOTHER-CREDHUB-USERare the CredHub users you want to seed to UAA. *CREDHUB-PASSWORDandOTHER-CREDHUB-PASSWORDare the passwords for the CredHub users you want to seed to UAA. -
Deploy the BOSH Director. For more information, see Deploying in the BOSH documentation.
Using CredHub
To use CredHub:
-
Create CredHub users in UAA. To authenticate with CredHub to manage credentials, you must have a UAA user account with the scopes
credhub.readandcredhub.write. To create users in UAA, see Creating and managing users with the UAA CLI. Alternatively, you can configure UAA with an external LDAP provider. For more information, see User Account and Authentication LDAP Integration in the CloudFoundry User Account and Authentication (UAA) Server repository on GitHub. -
Install the CredHub CLI to manage stored credentials. Download the CredHub CLI from the Releases page in the CredHub CLI repository on GitHub.
-
Target the CredHub API by running:
credhub api CREDHUB-API-TARGETWhere
CREDHUB-API-TARGETis the URL of your CredHub API server. -
Authenticate with CredHub by running:
credhub login --client-name= CLIENT-NAME --client-secret= CLIENT-SECRETWhere: *
CLIENT-NAMEis the name of the UAA client. *CLIENT-SECRETis the secret for the UAA client. -
Place or generate credentials in CredHub using the CredHub CLI:
-
To place credentials in CredHub, run:
credhub set --type ssh --name /static/ssh_key --public ~/ssh.pub --private ~/ssh.key -
To generate credentials in CredHub, run:
credhub generate --type ssh --name /generated/ssh_key
-
-
Update your BOSH deployment manifests. Once you have a BOSH Director that integrates with CredHub, you can update your deployment manifests to use it. The following example is a deployment manifest using two credentials: one stored in CredHub, and one that is generated by CredHub. You can define credentials that you want to be generated automatically in the
variablessection.name: Sample-Manifest releases: - name: shell url: https://bosh.io/d/github.com/cloudfoundry-community/shell-boshrelease?v=3.2.0 sha1: 893b10af531a7519da99bb8656cc07b8277d1692 #... variables: - name: generated/ssh\_key type: ssh jobs: - name: shell instances: 1 persistent\_disk: 0 resource\_pool: vms networks: - name: private static\_ips: 10.0.0.100 default: [dns, gateway] templates: - name: shell release: shell properties: shell: users: - name: shell ssh\_keys: - ((/static/ssh\_key)) - ((generated/ssh\_key))
