@crawsible
Last active February 1, 2018 17:27
PAS CredHub Seeding
# Obtaining the App GUID required when writing the credential to credhub in order to ensure only that App can access the credential.
# 1. Push an application that displays the contents of the VCAP_SERVICES environment variable:
cf target -o apps -s app
cf push credapp
# 2. Fetch the app guid of the pushed app:
cf app credapp --guid
# > <app-guid>
# Writing the credential to CredHub.
# 1. Fetch the UAA admin password (the password used to log in to CF as “admin”) from the PAS tile credentials page on OpsMan.
# 2. SSH onto the OpsMan instance, and then use BOSH SSH to SSH onto a VM that is running the consul-agent (such as one of the CredHub instances).
# NB: CredHub has no externally routable interface and must be accessed from a host that can route to it. An alternative would be to access CredHub with a custom Service Broker / pipeline running on its own VM with access to the platform subnet.
# 3. Download the credhub CLI to the VM:
curl -L https://github.com/cloudfoundry-incubator/credhub-cli/releases/download/1.5.3/credhub-linux-1.5.3.tgz | tar xz
# 4. Use the credhub CLI to set a new credential of type json at path /test/credentials
./credhub api https://credhub.service.cf.internal:8844
./credhub login
# > username: admin
# > password: <uaa-admin-password>
./credhub set -t json -v '{"test-key": "test-value"}' -n /test/credentials
# 5. Use curl to create a new access control entry for the new credential, granting "read" access to the actor "mtls-app:<app-guid>".
# NB: -k disables TLS certificate verification for this request; where the CredHub CA certificate is available, pass it with --cacert instead.
curl -k https://credhub.service.cf.internal:8844/api/v1/permissions \
-X POST -d '{
"credential_name": "/test/credentials",
"permissions": [
{
"actor": "mtls-app:<app-guid>",
"operations": ["read"]
}
]
}' \
-H "authorization: $(./credhub --token)" \
-H "content-type: application/json"
# Create the CUPS entry for the application using the credhub reference associated with the credential that was written to credhub
# 1. Create a custom user-provided service with cf create-user-provided-service (the JSON must be quoted so the shell passes it through intact):
cf create-user-provided-service credhub-preseeded \
-p '{"credhub-ref": "/test/credentials"}'
# 2. Bind custom user provided service to application.
cf bind-service credapp credhub-preseeded
# 3. In order for apps to be able to reach CredHub, create application security group granting tcp egress on port 8844 to internal subnet (e.g. 10.0.0.0/16):
cat > asg.json <<'EOF'
[
  {
    "protocol": "tcp",
    "destination": "<subnet-cidr>",
    "ports": "8844",
    "log": true,
    "description": "Allow credhub traffic to internal networks"
  }
]
EOF
cf create-security-group credhub asg.json
# 4. Bind security group to application’s space for the staging and running lifecycles.
cf bind-security-group credhub apps app --lifecycle staging
cf bind-security-group credhub apps app --lifecycle running
# 5. Restart the application and confirm that the dummy JSON from CredHub has been interpolated into VCAP_SERVICES. If, after restarting, the dummy values are not present in VCAP_SERVICES, try restaging the application.
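# Added example (not part of the original gist): a small Python helper that builds the permissions body from step 5 with the
# app GUID validated as a UUID, and that inspects a VCAP_SERVICES document to tell an interpolated binding apart from one
# where the raw "credhub-ref" is still present (the case where the gist suggests restaging). The service names and
# credential values in the sample are constructed for illustration.

```python
"""Build the CredHub permission body and check VCAP_SERVICES interpolation."""
import json
import uuid

# Key that a user-provided service carries before CredHub interpolation replaces it.
CREDHUB_REF_KEY = "credhub-ref"


def credhub_permission_body(app_guid, credential_name="/test/credentials"):
    """Return the /api/v1/permissions body granting 'read' to the app's mTLS actor.

    The actor must be exactly 'mtls-app:<app-guid>'; validating the GUID here
    avoids creating an entry for a mistyped actor that no app can ever use.
    """
    uuid.UUID(app_guid)  # raises ValueError if app_guid is not a well-formed UUID
    return {
        "credential_name": credential_name,
        "permissions": [{"actor": f"mtls-app:{app_guid}", "operations": ["read"]}],
    }


def check_interpolation(vcap_services_json, expected_key="test-key"):
    """Return {service_name: status} for every service bound to the app.

    'interpolated'     -> the credential contents replaced the reference
    'not-interpolated' -> the raw credhub-ref is still present (restage the app)
    'no-credhub-ref'   -> the binding carries neither (not a CredHub-backed CUPS)
    """
    result = {}
    for instances in json.loads(vcap_services_json).values():
        for inst in instances:
            creds = inst.get("credentials") or {}
            if CREDHUB_REF_KEY in creds:
                result[inst["name"]] = "not-interpolated"
            elif expected_key in creds:
                result[inst["name"]] = "interpolated"
            else:
                result[inst["name"]] = "no-credhub-ref"
    return result


# Constructed sample VCAP_SERVICES: one binding interpolated, one still holding the reference.
SAMPLE_VCAP_SERVICES = json.dumps({
    "user-provided": [
        {"name": "credhub-preseeded", "credentials": {"test-key": "test-value"}},
        {"name": "credhub-stale", "credentials": {"credhub-ref": "/test/credentials"}},
    ]
})

if __name__ == "__main__":
    print(check_interpolation(SAMPLE_VCAP_SERVICES))
```

On a real app, feed it the output of `cf env credapp` (the VCAP_SERVICES object) instead of the constructed sample.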