You can use CredHub to create new variables and manage variables in the context of a larger deployment.

When a tile author defines a top-level variables section in the product template, VMware Tanzu Operations Manager passes the variables section to the product manifest.

You can define variables in the product template as follows:

variables:
  - name: EXAMPLE-CREDHUB-PASSWORD
    type: password

You can reference these variables in the manifest snippets of the tile metadata using the triple-parentheses syntax:

((( EXAMPLE-CREDHUB-PASSWORD )))

Triple parentheses let VMware Tanzu Operations Manager identify CredHub variables while still supporting the BOSH double-parentheses syntax. A variable referenced within triple parentheses is written with double parentheses in the generated manifest; BOSH then contacts CredHub and populates the variable value internally.

The benefit of this approach is that the VMware Tanzu Operations Manager YAML file does not contain sensitive credentials when the metadata manifest snippets have triple parentheses. The resulting manifest file contains variables within double parentheses, rather than unobscured credentials.

For example, a tile author adds credentials to a manifest snippet in the following format:

  key: ((( EXAMPLE-CREDHUB-PASSWORD )))
  key: prefix-((( ANOTHER-CREDHUB-PASSWORD )))-suffix

VMware Tanzu Operations Manager then evaluates the preceding example to generate the following section in the product manifest:

  (( EXAMPLE-CREDHUB-PASSWORD ))
  prefix-(( ANOTHER-CREDHUB-PASSWORD ))-suffix
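To make the rewrite concrete, the following added Python example (not Ops Manager code) performs the same triple-to-double-parentheses transformation on a constructed snippet and then checks that every CredHub reference became a BOSH variable and that no unrewritten reference is left behind. The regular expressions and the `check_rewrite` helper are assumptions of this example, not Ops Manager's implementation.

```python
import re

# Ops Manager triple-paren reference, e.g. ((( NAME ))) or ((( NAME.accessor ))).
# Inner whitespace is captured so the rewrite keeps the spacing shown above.
TRIPLE = re.compile(r"\(\(\((\s*[-/.\w]+\s*)\)\)\)")
# BOSH double-paren reference that is not the inside of a triple-paren one.
DOUBLE = re.compile(r"(?<!\()\(\((\s*[-/.\w]+\s*)\)\)(?!\))")


def rewrite_triple_parens(snippet: str) -> str:
    """Turn every ((( NAME ))) into (( NAME )); an existing (( NAME )) is untouched."""
    return TRIPLE.sub(lambda m: "((" + m.group(1) + "))", snippet)


def credhub_variables(snippet: str) -> set:
    """Variable names the tile author marked as CredHub-backed."""
    return {name.strip() for name in TRIPLE.findall(snippet)}


def bosh_variables(manifest: str) -> set:
    """Variable names BOSH will resolve through CredHub at deploy time."""
    return {name.strip() for name in DOUBLE.findall(manifest)}


def check_rewrite(snippet: str) -> list:
    """Return problems in the generated manifest: a leftover triple-paren
    reference (for example a name with a space in it) or a CredHub variable
    that did not become a BOSH variable."""
    manifest = rewrite_triple_parens(snippet)
    problems = []
    if "(((" in manifest:
        problems.append("unrewritten triple-paren reference remains")
    for name in credhub_variables(snippet) - bosh_variables(manifest):
        problems.append(f"{name} is not a BOSH variable in the output")
    return problems


# Constructed snippet mirroring the two forms shown on this page, plus a
# plain BOSH variable that must pass through unchanged.
SNIPPET = (
    "key: ((( EXAMPLE-CREDHUB-PASSWORD )))\n"
    "other_key: prefix-((( ANOTHER-CREDHUB-PASSWORD )))-suffix\n"
    "plain: ((BOSH-ONLY-VARIABLE))\n"
)

if __name__ == "__main__":
    print(rewrite_triple_parens(SNIPPET))
    print("problems:", check_rewrite(SNIPPET))
```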

How CredHub works in a deployment

CredHub is distributed as a BOSH release. As part of this installation, VMware Tanzu Operations Manager co-locates the CredHub release on the BOSH Director, including the CredHub job configurations, and the BOSH Director is configured to point to the CredHub API.

After CredHub is deployed and configured on the BOSH Director, any BOSH Director deployment can use CredHub variables in place of credential values. Using variables rather than literal values adds an extra layer of security to how credentials are transmitted within your deployment.

Changing your deployment manifest to include CredHub variables

The BOSH Director interpolates credential values into manifests that use the ((variables)) syntax. When the BOSH Director encounters a variable using this syntax, it requests the credential value from CredHub. If the credential does not exist and the release or manifest contains generation properties, the credential value is generated automatically.

The following manifest excerpt includes references to two credentials, EXAMPLE-PASSWORD and EXAMPLE-TLS.

When this manifest is deployed, the BOSH Director retrieves the stored variables and replaces them with the credential values associated with each variable. The EXAMPLE-TLS variables include property accessors, because only the certificate and private_key components are interpolated.

name: demo-deploy

instance_groups:
- name: demo
  jobs:
  - name: demo
    release: demo
    properties:
      demo:
        password: ((EXAMPLE-PASSWORD))
        tls:
          certificate: ((EXAMPLE-TLS.certificate))
          private_key: ((EXAMPLE-TLS.private_key))

VMware Tanzu Operations Manager configures the BOSH Director to generate a credential if it does not exist. The manifest includes generation parameters that define how the credential must be generated. These generation parameters are defined in the variables section.

---
name: demo-deploy

variables:
- name: EXAMPLE-PASSWORD
  type: password
- name: EXAMPLE-CA
  type: certificate
  options:
    is_ca: true
    common_name: 'Example Certificate Authority'
- name: EXAMPLE-TLS
  type: certificate
  options:
    ca: EXAMPLE-CA
    common_name: example.com

instance_groups:
- name: demo
  jobs:
  - name: demo
    release: demo
    properties:
      demo:
        password: ((EXAMPLE-PASSWORD))
        tls:
          certificate: ((EXAMPLE-TLS.certificate))
          private_key: ((EXAMPLE-TLS.private_key))

Variable namespacing

Deployment manifests often use common variable names, for example, (( PASSWORD )). To avoid variable name collisions between deployments, the BOSH Director automatically stores variables with the BOSH Director name and deployment name.

For example, the variable (( EXAMPLE-PASSWORD )) is stored in CredHub as /BOSH-Director-name/deployment-name/example-password.

Other namespacing options

To share credentials across deployments, use a BOSH link. Alternatively, if you want to use an exact name, prefix the variable with a forward slash (/); this configures the BOSH Director to use the exact name you type instead of the namespaced one.

Here is an example of a precisely typed variable:

((/EXAMPLE-PASSWORD))

Reference existing CAs in CredHub variables

This section describes how to correctly reference existing CAs stored in CredHub in your tile’s property configuration.

In VMware Tanzu Operations Manager v2.9 and later, you can perform a bulk rotation of all CAs and certificates in a foundation, which might include leaf certificates used by individual service tiles. VMware Tanzu Operations Manager invokes CredHub Maestro to perform this operation.

CredHub Maestro requires that any triple parentheses references to CAs that sign leaf certificates must return a concatenated version of the CA. The concatenated version, which includes the older and newer CA, ensures that jobs using leaf certificates do not lose trusted state during CA rotation. This translates to the shortest possible downtime of your tile’s services during certificate rotation.

When referencing a CA stored in CredHub, use the format LEAF-CERTIFICATE-NAME.ca to ensure that a concatenated version of the CA is returned. Do not reference the CA directly with the format CA-CERTIFICATE-NAME.certificate.

The following examples show the correct and the incorrect way to reference CAs and leaf certificates so that certificate rotation with CredHub Maestro is supported. The leaf certificates are referenced through their .ca accessor in the correct version and the CAs are referenced directly through .certificate in the incorrect version.

Correct format:

templates:
- name: bpm
  release: bpm
- manifest: |
    ...
    .properties.routing_backends_client_cert_with_san.cert_pem ))
    private_key: (( .properties.routing_backends_client_cert_with_san.private_key_pem ))
    ca_certs: |
      (( .properties.routing_custom_ca_certificates.value ))
      (( $ops_manager.ca_certificate ))
      ((( /cf/some-diego-leaf-cert.ca )))
      ((( /cf/some-diego-leaf-2-6.ca )))
    forwarded_client_cert: (( .properties.routing_tls_termination.selected_option.parsed_manifest(gorouter_forwarded_client_cert) ))

variables:
- name: /cf/diego-instance-identity-root-ca
  type: certificate
  options:
    common_name: Diego Instance Identity Root CA
    duration: 1095
    is_ca: true
- name: /cf/diego-instance-identity-root-ca-2-6
  type: certificate
  options:
    common_name: Diego Instance Identity Root CA
    duration: 1095
    is_ca: true
- name: /cf/some-diego-leaf-cert
  type: certificate
  options:
    ca: /cf/diego-instance-identity-root-ca
- name: /cf/some-diego-leaf-2-6
  type: certificate
  options:
    ca: /cf/diego-instance-identity-root-ca-2-6

Incorrect format:

templates:
- name: bpm
  release: bpm
- manifest: |
    ...
    .properties.routing_backends_client_cert_with_san.cert_pem ))
    private_key: (( .properties.routing_backends_client_cert_with_san.private_key_pem ))
    ca_certs: |
      (( .properties.routing_custom_ca_certificates.value ))
      (( $ops_manager.ca_certificate ))
      ((( /cf/diego-instance-identity-root-ca.certificate )))
      ((( /cf/diego-instance-identity-root-ca-2-6.certificate )))
    forwarded_client_cert: (( .properties.routing_tls_termination.selected_option.parsed_manifest(gorouter_forwarded_client_cert) ))

variables:
- name: /cf/diego-instance-identity-root-ca
  type: certificate
  options:
    common_name: Diego Instance Identity Root CA
    duration: 1095
    is_ca: true
- name: /cf/diego-instance-identity-root-ca-2-6
  type: certificate
  options:
    common_name: Diego Instance Identity Root CA
    duration: 1095
    is_ca: true
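A tile author can catch the incorrect form before shipping metadata. The following added Python example (not part of this page or of CredHub Maestro) lints the triple-parentheses certificate references in a manifest snippet against a constructed variables list: it flags a CA referenced directly through .certificate, a .ca accessor on a variable that has no signing ca option, and a reference to an undeclared variable. The `lint_ca_references` helper, its regular expression and the sample data are assumptions of this example.

```python
import re

# ((( NAME.accessor ))) reference in a tile manifest snippet, e.g.
# ((( /cf/some-diego-leaf-cert.ca ))). Names may contain -, / and word chars.
CERT_REF = re.compile(r"\(\(\(\s*([-/\w]+)\.(ca|certificate|private_key)\s*\)\)\)")


def lint_ca_references(snippet: str, variables: list) -> list:
    """Return the certificate references that would break CA rotation.

    variables is a list of dicts shaped like a tile's variables section
    ({"name": ..., "type": ..., "options": {...}}), supplied by the caller."""
    by_name = {v["name"]: v for v in variables}
    problems = []
    for name, accessor in CERT_REF.findall(snippet):
        var = by_name.get(name)
        if var is None:
            problems.append(f"{name}: not declared in variables")
            continue
        options = var.get("options", {})
        if accessor == "certificate" and options.get("is_ca"):
            # Direct CA reference returns a single CA, so jobs lose trust in
            # one generation while the CA is rotated. Reference LEAF.ca instead.
            problems.append(f"{name}.certificate: reference the CA via a leaf certificate's .ca accessor")
        elif accessor == "ca" and "ca" not in options:
            # .ca only makes sense on a leaf certificate signed by a CA.
            problems.append(f"{name}.ca: variable is not a leaf signed by a CA")
    return problems


# Constructed variables and snippets mirroring the examples above.
ROOT_CA = {"name": "/cf/diego-instance-identity-root-ca", "type": "certificate",
           "options": {"common_name": "Diego Instance Identity Root CA", "is_ca": True}}
LEAF = {"name": "/cf/some-diego-leaf-cert", "type": "certificate",
        "options": {"ca": "/cf/diego-instance-identity-root-ca"}}
VARIABLES = [ROOT_CA, LEAF]

CORRECT = "ca_certs: |\n  ((( /cf/some-diego-leaf-cert.ca )))\n"
INCORRECT = "ca_certs: |\n  ((( /cf/diego-instance-identity-root-ca.certificate )))\n"

if __name__ == "__main__":
    print("correct:", lint_ca_references(CORRECT, VARIABLES))
    print("incorrect:", lint_ca_references(INCORRECT, VARIABLES))
```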