Deploying concourse + uaa + credhub
---
# Ops file: wire the ATC to a co-located CredHub and register the UAA clients
# and group memberships it needs. Apply after operations/uaa.yml (see the
# deploy script): the `name=uaa` paths below require the uaa job to exist.

# ATC -> CredHub client settings. The trailing `?` creates the `credhub`
# property block when the base manifest does not define one.
- type: replace
  path: /instance_groups/name=web/jobs/name=atc/properties/credhub?
  value:
    client_id: concourse_to_credhub
    client_secret: ((concourse_to_credhub_secret))
    tls:
      ca_cert:
        certificate: ((atc_tls.ca))
    url: https://((concourse_host_name)):8844

# UAA OAuth clients that talk to CredHub.
- type: replace
  path: /instance_groups/name=web/jobs/name=uaa/properties/uaa/clients?
  value:
    # Confidential client used by the ATC: client_credentials grant, no user
    # scope; its authorities alone decide what it may do in CredHub.
    concourse_to_credhub:
      access-token-validity: 1200
      authorities: credhub.read,credhub.write
      authorized-grant-types: client_credentials
      override: true
      refresh-token-validity: 3600
      scope: ""
      secret: ((concourse_to_credhub_secret))
    # Public client for the credhub CLI (empty secret, password grant): a
    # user's token only carries the credhub.* scopes that user also holds.
    credhub_cli:
      access-token-validity: 1200
      authorities: uaa.resource
      authorized-grant-types: password,refresh_token
      override: true
      refresh-token-validity: 3600
      scope: credhub.read,credhub.write
      secret: ""

# Give the first SCIM user (the admin user from operations/uaa.yml) CredHub
# read and write so the CLI login above is usable.
- type: replace
  path: /instance_groups/name=web/jobs/name=uaa/properties/uaa/scim/users/0/groups/-
  value: credhub.read

- type: replace
  path: /instance_groups/name=web/jobs/name=uaa/properties/uaa/scim/users/0/groups/-
  value: credhub.write

# Add the CredHub job to the web instance group.
- type: replace
  path: /instance_groups/name=web/jobs/-
  value:
    name: credhub
    properties:
      credhub:
        authentication:
          uaa:
            ca_certs:
              - ((atc_tls.ca))
            url: https://((concourse_host_name)):8443
            verification_key: ((uaa-jwt.public_key))
        data_storage:
          database: credhub
          password: ((credhub-db-password))
          # Clear-text connection to the postgres job on the db instance
          # group; set to true (and give postgres a server certificate) if the
          # deployment network is not trusted.
          require_tls: false
          type: postgres
          username: credhub
        encryption:
          # Internal (software) provider: the data-encryption key is derived
          # from this password, so the vars store holding it must be protected.
          keys:
            - active: true
              encryption_password: ((credhub-encryption-password))
              provider_name: int
          providers:
            - name: int
              type: internal
        port: 8844
        # Same certificate/key pair as the ATC's TLS variable (same host name).
        tls: ((atc_tls))
    release: credhub

# Dedicated database and role for CredHub on the shared postgres job.
- type: replace
  path: /instance_groups/name=db/jobs/name=postgres/properties/databases/databases/-
  value:
    name: credhub

- type: replace
  path: /instance_groups/name=db/jobs/name=postgres/properties/databases/roles/-
  value:
    name: credhub
    password: ((credhub-db-password))

# Release pinned by version and sha1, both supplied through the vars file.
- type: replace
  path: /releases/-
  value:
    name: credhub
    sha1: ((credhub_sha1))
    url: https://bosh.io/d/github.com/pivotal-cf/credhub-release?v=((credhub_version))
    version: ((credhub_version))

# Generated secrets (written to the --vars-store file by bosh).
- type: replace
  path: /variables/-
  value:
    name: credhub-db-password
    type: password

- type: replace
  path: /variables/-
  value:
    name: credhub-encryption-password
    options:
      length: 40
    type: password

- type: replace
  path: /variables/-
  value:
    name: concourse_to_credhub_secret
    type: password
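# Render the deploy-time vars into a private temp file and remove it on exit,
# so the clear-text basic-auth password below does not linger on disk.
vars_file=$(mktemp)
trap 'rm -f "${vars_file}"' EXIT

# Unquoted heredoc is safe here: nothing in the body uses $ or backticks, so
# the shell expands nothing. The ((...)) placeholders used by the ops files
# are not in this file; they are resolved from the vars store.
# atc_basic_auth is a throwaway lab credential; replace it before deploying
# anywhere reachable.
cat <<EOF > "${vars_file}"
web_ip: 10.244.0.34
concourse_host_name: 10.244.0.34
db_vm_type: default
db_persistent_disk_type: default
web_vm_type: default
worker_vm_type: default
concourse_sha1: 6be91b70ecc7ce233d2aff5d03ed28c8eab3d132
concourse_version: "3.14.1"
deployment_name: concourse
external_url: https://10.244.0.34:4443
garden_runc_sha1: be5e6d6a263be1437d99dc5e818deeb8ab2a03a4
garden_runc_version: "1.14.0"
network_name: default
postgres_sha1: 20929ee4b0c64fd97072a266311a6d00714124a7
postgres_version: "25"
uaa_sha1: 8153dc927d6af2a839f7c6f128c9e8aea315dad6
uaa_version: "58.1"
credhub_version: "1.9.5"
credhub_sha1: 2390e855f092b0fb9c58f9cb88853ea938e87a3e
tsa_host: 10.244.0.34
atc_basic_auth:
  username: concourse
  password: password
instances: 1
azs: [z1]
EOF

# Ops files are applied in order; uaa.yml must precede credhub.yml because the
# CredHub ops reference the uaa job. concourse-creds.yml accumulates every
# generated secret (DB passwords, encryption passwords, JWT/TLS keys): keep it
# out of version control and restrict its permissions.
bosh -e vbox deploy -d concourse concourse-bosh-deployment/cluster/concourse.yml \
  -o concourse-bosh-deployment/cluster/operations/basic-auth.yml \
  -o concourse-bosh-deployment/cluster/operations/static-web.yml \
  -o concourse-bosh-deployment/cluster/operations/tls-vars.yml \
  -o concourse-bosh-deployment/cluster/operations/tls.yml \
  -o operations/uaa.yml \
  -o operations/credhub.yml \
  -o operations/update-watch-time.yml \
  -l "${vars_file}" \
  --vars-store concourse-creds.yml -n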
---
# Ops file: add a UAA job to the web instance group, backed by the postgres job
# on the db instance group, and declare the credentials bosh generates for it.

- type: replace
  path: /instance_groups/name=web/jobs/-
  value:
    name: uaa
    properties:
      encryption:
        active_key_label: KEY-1
        encryption_keys:
          - label: KEY-1
            passphrase: ((encryption-keys-passphrase))
      login:
        saml:
          # SAML SP identity reuses the ATC's TLS certificate and key.
          serviceProviderCertificate: ((atc_tls.certificate))
          serviceProviderKey: ((atc_tls.private_key))
          serviceProviderKeyPassword: ""
      uaa:
        port: 8081
        logging_level: INFO
        admin:
          client_secret: ((uaa-admin))
        jwt:
          policy:
            active_key_id: key-1
            keys:
              key-1:
                # Private half of the uaa-jwt rsa variable; CredHub verifies
                # tokens with the matching public key.
                signingKey: ((uaa-jwt.private_key))
          revocable: true
        login:
          client_secret: ((uaa-login))
        scim:
          # Single bootstrap user; operations/credhub.yml appends credhub.read
          # and credhub.write to this user's groups.
          users:
            - groups:
                - scim.write
                - scim.read
                - bosh.admin
              name: admin
              password: ((uaa-users-admin))
        sslCertificate: ((atc_tls.certificate))
        sslPrivateKey: ((atc_tls.private_key))
        url: https://((concourse_host_name)):8443
        zones:
          internal:
            hostnames: []
      uaadb:
        databases:
          - name: uaa
            tag: uaa
        db_scheme: postgresql
        port: 5432
        roles:
          - name: uaa
            password: ((uaa-db-password))
            tag: admin
    release: uaa

# Dedicated database and role for UAA on the shared postgres job.
- type: replace
  path: /instance_groups/name=db/jobs/name=postgres/properties/databases/databases/-
  value:
    name: uaa

- type: replace
  path: /instance_groups/name=db/jobs/name=postgres/properties/databases/roles/-
  value:
    name: uaa
    password: ((uaa-db-password))

# Release pinned by version and sha1, both supplied through the vars file.
- type: replace
  path: /releases/-
  value:
    name: uaa
    sha1: ((uaa_sha1))
    url: https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=((uaa_version))
    version: ((uaa_version))

# Generated secrets (written to the --vars-store file by bosh).
- type: replace
  path: /variables/-
  value:
    name: uaa-users-admin
    type: password

- type: replace
  path: /variables/-
  value:
    name: uaa-admin
    type: password

- type: replace
  path: /variables/-
  value:
    name: uaa-login
    type: password

# Not referenced by any op in this file; left in place since removing it would
# change what bosh writes to the vars store.
- type: replace
  path: /variables/-
  value:
    name: uaa-credhub-admin
    type: password

# Not referenced by any op in this file either.
- type: replace
  path: /variables/-
  value:
    name: uaa-db-admin
    type: password

- type: replace
  path: /variables/-
  value:
    name: uaa-db-password
    type: password

- type: replace
  path: /variables/-
  value:
    name: encryption-keys-passphrase
    options:
      length: 40
    type: password

# RSA pair used to sign (private_key) and verify (public_key) UAA tokens.
- type: replace
  path: /variables/-
  value:
    name: uaa-jwt
    options:
      key_length: 4096
    type: rsa
---
# Ops file: widen the canary/update watch windows (milliseconds, "min-max"),
# presumably to give the added UAA and CredHub jobs more time to come up.
# Quoted so the range is unambiguously a string.
- type: replace
  path: /update/canary_watch_time
  value: "1000-100000"

- type: replace
  path: /update/update_watch_time
  value: "1000-100000"