You can develop your Tanzu Operations Manager service tile to support secure service instance (SSI) credentials using Runtime CredHub.
For more information about Runtime CredHub, see Runtime CredHub in the TAS for VMs documentation.
Background required for securing your service credentials
When developers bind an app to a service instance, the binding typically includes the binding credentials required to access the service.
In VMware Tanzu Application Service for VMs, service brokers can store binding credentials as SSI credentials in Runtime CredHub and apps can retrieve these credentials from CredHub.
This secures service instance credential management by avoiding the following:
- Leaking environment variables to logs, which increases risk of disclosure
- Sending credentials between components, which increases risk of disclosure
- Requiring users to rotate credentials through the environment, which requires container recreation
To store binding credentials in Runtime CredHub, your service tile should be able to:
- Discover the location of Runtime CredHub.
- Provide this CredHub location to the broker app. The service broker uses the provided location to store binding credentials in CredHub.
- Select the SSI credentials option in the tile UI.
Difference between SSI and internal service credentials
You can use SSI credentials to grant apps access to services through service instances, which are distinct from the credentials that service tiles store in BOSH CredHub for internal use.
When a service uses SSI credentials, the service broker stores the binding credentials in Runtime CredHub. When TAS for VMs binds an app to an instance of the service, the broker retrieves the credentials from Runtime CredHub and delivers them to the Cloud Controller (CC) to activate the app to access the service.
These SSI credentials are different from credentials that the tile uses internally; for example, to give the service broker access to an internal database. TAS for VMs generates the internal tile credentials for a service when the service is first installed and stores them in BOSH CredHub, not Runtime CredHub.
For more information about the CredHub credential management component, see the CredHub topics in the TAS for VMs documentation.
See the following example implementation for adding SSI credentials capability to a service tile:
Step 1: Edit your BOSH release
To use Runtime CredHub, your service tile must retrieve the location of the CredHub server, which is published in the TAS for VMs tile, through a BOSH link.
If you are using the BOSH Links, you can have multiple jobs share deployment-time configuration properties. This helps to avoid redundant configurations in BOSH releases and deployment manifests.
Update spec file and templates
The location of Runtime CredHub is stored in the credhub.internal_url and credhub.port properties of the TAS for VMs tile. To activate your service tile to retrieve these CredHub-provided properties, add a consumes: section with the BOSH link from the TAS for VMs tile to the spec file of the BOSH job that uses them, and edit the job templates to access the values in the link:
For example:
consumes:
- {name: credhub, type: credhub}
For information about using BOSH links in the specifications file and templates of a job, and consuming shared properties provided by other jobs, see Links in spec files and Links in templates.
Save the Runtime CredHub location
To use the Runtime CredHub location retrieved from the TAS for VMs tile, you must write a post_deploy tile errand that saves the value and activates the service broker to access it.
Depending on how your tile deploys the service broker app, the service instance errand can save the CredHub location in different ways. If the tile pushes the broker as a Cloud Foundry app, the errand can store the location in an environment variable such as CREDHUB_URL for the service broker to call. If BOSH deploys the service broker outside of TAS for VMs, the errand can write the CredHub location to a templated configuration file that the service broker reads.
Update deployment manifest
In the BOSH release for your tile, edit the deployment manifest YAML file so that it contains the BOSH link to CredHub:
- name: broker
release: my-broker-release
consumes:
credhub:
from: credhub
deployment: cf-XXXXXXXXX
For more information about using BOSH links in deployment manifests, see Links in deployments
Step 2: Activate your tile to find Runtime CredHub
To activate your service tile to discover Runtime CredHub, edit your product template so that it consumes the location of CredHub. See the following example:
job_types:
- name: JOB-NAME
resource_label: LABEL-NAME
templates:
- name: TEMPLATE-NAME
release: RELEASE-NAME
consumes: |
credhub: {from: credhub, deployment: "(( ..cf.deployment_name ))"}
You can also use the address from the BOSH link to verify that the CredHub server is available at that address during tile installation.
For example:
properties:
aliases:
(( dig credhub.service.cf.internal @169.254.0.2 )):
- '*.credhub.(( ..cf.credhub.network )).(( ..cf.deployment_name )).bosh'
In the example, the Runtime CredHub instance is accessed at credhub.service.cf.internal. If your broker runs as an app, you can resolve this address with BOSH DNS. If your broker runs on a VM with a Consul agent, you can resolve the address with Consul. Alternatively, from a VM, you can resolve the address with dig credhub.service.cf.internal @169.254.0.2. This command uses the TAS for VMs BOSH DNS server to do the lookup.
Step 3: Provide operators with the choice to use CredHub
To provide the choice to select the SSI credentials option, edit your product template as shown in the following example:
form_types:
- name: FORM-NAME
label: LABEL-NAME
description: DESCRIPTION
property_inputs:
- reference: .JOB-NAME.secure_credentials
label: Secure service instance credentials
description: "When checked, service instance credentials are stored in CredHub. Activate only when you install with
Tanzu Operations Manager and this feature is activated in the TAS for VMs tile."
property_blueprints:
- name: hidden_credhub_selector
type: selector
configurable: false
default: "default"
option_templates:
- name: default_option
select_value: "default"
named_manifests:
- name: consumes_section_credhub_disabled
manifest: |
credhub: nil
- name: consumes_section_credhub_enabled
manifest: |
credhub: {from: credhub, deployment: "(( ..cf.deployment_name ))"}
job_types:
- name: JOB-NAME
resource_label: LABEL-NAME
templates:
- name: TEMPLATE-NAME
release: RELEASE-NAME
consumes: |
"(( secure_credentials.value ? .properties.hidden_credhub_selector.selected_option.parsed_manifest(consumes_section_credhub_enabled) : .properties.hidden_credhub_selector.selected_option.parsed_manifest(consumes_section_credhub_disabled) ))"
errand: true
resource_definitions:
...
property_blueprints:
...
- name: secure_credentials
type: boolean
configurable: true
default: false
Step 4: Store binding credentials in Runtime CredHub
When the Cloud Controller (CC) receives a request to bind a service instance to an app, it forwards the request to the service broker. The service broker returns the binding credentials that allow access to the service.
To activate your service broker to store binding credentials in Runtime CredHub and make them SSI credentials, do the following:
-
In your service broker code, locate where your broker handles binding requests from the CC.
-
Add code that authenticates your service broker to CredHub using OAuth2 tokens from UAA. Each call to the CredHub API must include an authorization header.
-
Update your code to store your binding credentials in CredHub using the CredHub API endpoint for setting the
jsoncredential type with a user-provided value.See the following example for how to format your API call:
curl "https://CREDHUB.INTERNAL_URL:CREDHUB.PORT/api/v1/data" \ -X PUT \ -d '{ "name": "/c/CLIENT-IDENTIFIER/SERVICE-IDENTIFIER/BINDING-GUID/CREDENTIAL-NAME", "type": "json", "value": { "uri": "SERVICE-URL", "username": "USERNAME", "password": "PASSWORD" } }' \ -H 'Content-type: application/json'Where:
CREDHUB.INTERNAL_URLandCREDHUB.PORTare the address and port of CredHub.CLIENT-IDENTIFIERis a value provided by the service broker to uniquely identify the broker.SERVICE-IDENTIFIERis the name of the service offering as shown in the services catalog.BINDING-GUIDis the GUID created by the Cloud Controller and passed to the service broker in the service binding request.CREDENTIAL-NAMEis a value provided by the service broker to name the credential.SERVICE-URLis the URL of your service.-
USERNAMEandPASSWORDare your binding credentials.See also Set CredHub Credentials in the TAS for VMs documentation.
-
Grant your application permission to read the credential from CredHub:
curl "https://CREDHUB.INTERNAL_URL:CREDHUB.PORT/api/v2/permissions" \ -X POST \ -d ' { "path": "/c/CLIENT-IDENTIFIER/SERVICE-IDENTIFIER/BINDING-GUID/CREDENTIAL-NAME", "actor": "mtls-app:APP-GUID" "operations": ["read"] }' \ -H "authorization: bearer [TOKEN]" \ -H 'content-type: application/json'Where
APP-GUIDis the GUID of the CF application being used -
Edit your service broker so that it returns a reference to the stored credentials in response to the binding request from the CC. Return the credentials as a single key
credhub-refwith thee value formatted as/c/CLIENT-IDENTIFIER/SERVICE-IDENTIFIER/BINDING-GUID/CREDENTIAL-NAME.For example, the binding response might look like the following:
{ "credentials": { "credhub-ref": "/c/example-service-broker/example-service/faa677f5-25cd-4f1e-8921-14a9d5ab48b8/credentials" } }
Note If you are using the Java Virtual Machine (JVM), apps can use Spring CredHub to access the CredHub API.
