PAS CredHub Seeding
Gist crawsible/8a09a99cc2dc7d7deafaeb1138c6a2a6, last active February 1, 2018 17:27
# Obtaining the app GUID. The CredHub permission written below is granted to the actor
# "mtls-app:<app-guid>", so only that one app can read the credential.
# 1. Push an application that displays the contents of the VCAP_SERVICES environment variable:
cf target -o apps -s app
cf push credapp
# 2. Fetch the app GUID of the pushed app:
cf app credapp --guid
# > <app-guid>

# Writing the credential to CredHub.
# 1. Fetch the UAA admin password (the password used to log in to CF as "admin") from the PAS tile
#    credentials page on OpsMan.
# 2. SSH onto the OpsMan instance, then use BOSH SSH to reach a VM that runs the consul-agent
#    (such as one of the CredHub instances), so that credhub.service.cf.internal resolves.
# NB: CredHub has no externally routable interface and must be accessed from a host that can route
#     to it. An alternative is a custom service broker or pipeline running on its own VM with access
#     to the platform subnet.
# 3. Download the credhub CLI to the VM:
curl -L https://github.com/cloudfoundry-incubator/credhub-cli/releases/download/1.5.3/credhub-linux-1.5.3.tgz | tar xz
# 4. Use the credhub CLI to set a new credential of type json at path /test/credentials.
#    If the CLI rejects the server certificate, pass the CredHub CA with --ca-cert rather than
#    disabling validation: the admin password and token travel over this connection.
./credhub api https://credhub.service.cf.internal:8844
./credhub login
# > username: admin
# > password: <uaa-admin-password>
./credhub set -t json -v '{"test-key": "test-value"}' -n /test/credentials
# 5. Use curl to create a new access control entry for the new credential, granting the "read"
#    operation to the actor "mtls-app:<app-guid>". `credhub --token` prints the bearer token of the
#    current login. -k skips certificate verification; prefer --cacert <credhub-ca.pem> where the
#    CA certificate is at hand, for the same reason as above.
curl -k https://credhub.service.cf.internal:8844/api/v1/permissions \
  -X POST -d '{
    "credential_name": "/test/credentials",
    "permissions": [
      {
        "actor": "mtls-app:<app-guid>",
        "operations": ["read"]
      }
    ]
  }' \
  -H "authorization: $(./credhub --token)" \
  -H "content-type: application/json"

# Create the user-provided service (CUPS) entry whose credentials hold a credhub-ref to the
# credential written above; Diego interpolates the reference into VCAP_SERVICES when the app's
# container is created.
# 1. Create the user-provided service with cf create-user-provided-service. The JSON must be
#    single-quoted so the shell passes it through as one intact argument:
cf create-user-provided-service credhub-preseeded \
  -p '{"credhub-ref": "/test/credentials"}'
# 2. Bind the user-provided service to the application.
cf bind-service credapp credhub-preseeded
# 3. For apps to reach CredHub, create an application security group granting TCP egress on port
#    8844 to the internal subnet (e.g. 10.0.0.0/16). Keep the destination as narrow as the subnet
#    holding the CredHub VMs allows:
cat > asg.json <<'EOF'
[
  {
    "protocol": "tcp",
    "destination": "<subnet-cidr>",
    "ports": "8844",
    "log": true,
    "description": "Allow credhub traffic to internal networks"
  }
]
EOF
cf create-security-group credhub asg.json
# 4. Bind the security group to the application's space for the staging and running lifecycles.
cf bind-security-group credhub apps app --lifecycle staging
cf bind-security-group credhub apps app --lifecycle running
# 5. Restart the application and check that the test JSON from CredHub appears in VCAP_SERVICES in
#    place of the credhub-ref. If the values are not present after the restart, try restaging the
#    application.
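Typed by hand, the procedure above is easiest to get wrong at the two quoting steps (the permissions body and the -p JSON), and it offers no check beyond eyeballing the app's output. The script below is an added example, not part of the gist: it wraps the steps in functions that build the two JSON payloads from variables after validating their inputs, runs the seeding end to end for one app, and verifies from inside the running container that the reference was interpolated. It assumes the cf and credhub CLIs are on PATH, that `cf target` and `credhub api`/`credhub login` have already been done as above, that `cf ssh` is enabled for the app, and that an environment variable CREDHUB_CA_CERT (a name chosen for this example, not a CLI convention) points at the CredHub CA certificate file.

```shell
#!/usr/bin/env bash
# Added example: helpers around the CredHub seeding steps described above.
# Assumes cf and credhub CLIs on PATH and `cf target`, `credhub api` and
# `credhub login` already done. CREDHUB_CA_CERT is a variable name chosen here.
set -eu

CREDHUB_URL="${CREDHUB_URL:-https://credhub.service.cf.internal:8844}"

# A CF app GUID is a UUID; refuse anything else before it is spliced into the
# actor string, otherwise a typo grants read access to a non-existent actor
# and the real app silently gets nothing.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Credential names are absolute paths (as in /test/credentials) and are spliced
# into JSON with printf, so allow only characters that need no JSON escaping.
is_safe_name() {
  printf '%s\n' "$1" | grep -Eq '^/[A-Za-z0-9_./-]+$'
}

# Body for POST /api/v1/permissions: the "read" operation for exactly one app.
permissions_json() {
  local cred_name="$1" app_guid="$2"
  is_safe_name "$cred_name" || { echo "unsafe credential name: $cred_name" >&2; return 1; }
  is_guid "$app_guid" || { echo "not an app GUID: $app_guid" >&2; return 1; }
  printf '{"credential_name":"%s","permissions":[{"actor":"mtls-app:%s","operations":["read"]}]}' \
    "$cred_name" "$app_guid"
}

# Credentials payload for cf create-user-provided-service -p; the caller must
# still pass the result as a single quoted shell word.
cups_json() {
  is_safe_name "$1" || { echo "unsafe credential name: $1" >&2; return 1; }
  printf '{"credhub-ref":"%s"}' "$1"
}

# True when VCAP_SERVICES carries the credential's key and no longer carries
# the raw reference, i.e. interpolation happened.
is_interpolated() {
  local vcap="$1" key="$2"
  if printf '%s\n' "$vcap" | grep -q '"credhub-ref"'; then
    return 1
  fi
  printf '%s\n' "$vcap" | grep -q "\"$key\""
}

# Seed one credential for one app: write it, grant the app read access, create
# and bind the CUPS entry, then restart so a fresh container picks up the value.
seed_credential() {
  local app="$1" cred_name="$2" cred_json="$3" cups_name="${4:-credhub-preseeded}"
  local guid
  guid="$(cf app "$app" --guid)"
  credhub set -t json -n "$cred_name" -v "$cred_json"
  # Verify the server certificate instead of -k: this request carries the admin bearer token.
  curl --fail --silent --show-error \
    --cacert "${CREDHUB_CA_CERT:?path to the CredHub CA certificate file}" \
    -X POST "$CREDHUB_URL/api/v1/permissions" \
    -H "authorization: $(credhub --token)" \
    -H "content-type: application/json" \
    -d "$(permissions_json "$cred_name" "$guid")"
  cf create-user-provided-service "$cups_name" -p "$(cups_json "$cred_name")"
  cf bind-service "$app" "$cups_name"
  cf restart "$app"
}

# Read VCAP_SERVICES from inside the running container (cf ssh must be enabled);
# `cf env` shows the stored credhub-ref, not the value interpolated at container start.
verify_seeded() {
  local app="$1" key="$2"
  is_interpolated "$(cf ssh "$app" -c 'printf %s "$VCAP_SERVICES"')" "$key"
}

# Usage (not run here):
#   seed_credential credapp /test/credentials '{"test-key": "test-value"}'
#   verify_seeded credapp test-key && echo "interpolated"
```

The validation functions are deliberately strict: a credential name or GUID that fails them aborts before anything is written to CredHub or Cloud Controller, which is cheaper than discovering a misgranted permission after the restart.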