forked from mboldt/docs-tiledev
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcredhub.html.md.erb
94 lines (61 loc) · 5.31 KB
/
credhub.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
---
title: How to use CredHub with your service tile
owner: Services
---
You can configure service tiles to store internal credentials in BOSH CredHub instead of
encoding them in product template and job template files.
BOSH CredHub is a secure credential management component that runs on the BOSH VM to minimize the surface area where
credentials can be compromised.
Credentials that service tiles store in BOSH CredHub for their own internal use are
distinct from [secure service instance credentials](./ssi-creds-tiledev.html) that <%= vars.app_runtime_full %> stores in runtime CredHub to activate apps to securely access services.
Both BOSH CredHub and runtime CredHub are instances of the CredHub credential management component.
See the [CredHub documentation](https://docs.cloudfoundry.org/credhub/index.html) for more information.
Many <%= vars.platform_name %> components use credentials to authenticate connections, and <%= vars.platform_name %> installations often have hundreds of active credentials. Secure credential management is essential to prevent data and security breaches.
In <%= vars.platform_name %> v1.11.0 and later, CredHub runs on the BOSH VM, alongside the
BOSH Director and UAA. Tanzu Operations Manager v1.11 and later stores its credentials in CredHub,
and you can retrieve them using the CredHub API or the **Credentials** tab of the BOSH Director tile.
You can embed CredHub calls in [manifest snippets](#snippets) and <%= vars.app_runtime_abbr %> apps can retrieve credentials using the CredHub API.ile developers
For more information about variable names and values, see [Fetching variable names and values](./get-credhub-vars.html) for how to fetch variable names and values using the CredHub API.
## <a id="types"></a> CredHub credential types
CredHub stores and retrieves the following types of credentials:
* `value` — single string value
* `json` — arbitrary JSON object
* `user` - user name
* `password` — password string
* `certificate` — object containing certificate authority (CA), certificate, and private key
* `ssh` — object containing SSH public key and private key
* `rsa` — object containing RSA public key and private key
For more information about Credhub credential types, see <a href="https://docs.cloudfoundry.org/credhub/credential-types.html">CredHub Credential Types</a>.
For more information about BOSH variable types, see <a href="https://bosh.io/docs/variable-types.html">BOSH Variable Types</a>.
## <a id="credential-names"></a>Creating new variables
To use CredHub in your deployment, you must create new variables and store them in CredHub. By default, variable namespaces are
written to prevent collision across deployments, but you can type variable names precisely if you want.
For more information on how to create new varaiables in Credhub, see <a href="./create-credhub-vars.html">Creating new variables in CredHub</a>.
## <a id="migrate-creds"></a>Migrating credentials
To migrate existing non-configurable credentials to CredHub, such as blobstore secrets and backup encryption keys,
use the JavaScript migration process. After a successful migration, Tanzu Operations Manager deletes the migrated credentials from installation.yml file.
For more information about migrating Credhub credentials, see [Migrating existing credentials to CredHub](./migrating-credhub-credentials.html).
For more information about the Credhub API, see the [CredHub CLI GitHub repository](https://github.com/cloudfoundry-incubator/credhub-cli), and the [CredHub Release GitHub repository](https://github.com/pivotal-cf/credhub-release).
## <a id="api-variables"></a>Fetching variable names and values
API endpoints are available to help you find variable names and values for products that are known to the BOSH Director.
For more information about variable names and values, see <a href="./get-credhub-vars.html" class="subnav">Fetching variable names and values</a>.
## <a id="snippets"></a> CredHub in manifest snippets
You can embed CredHub in product template and job template manifest snippets using
[triple-parenthesis notation](./property-template-references.html#job-manifest):
```
manifest: |
credhub:
concatenated_password: prefix-((( credhub-password )))-suffix
password: ((( credhub-password )))
```
## <a id="limitations"></a> <%= vars.platform_name %> limitations
<%= vars.platform_name %> supports CredHub for credential storage, but it does not support the following:
* Automatic backup and restore for CredHub and other <%= vars.platform_name %> system components.
* Automatic tile [upgrades](./tile-upgrades.html) that migrate all types of credentials defined in [property blueprints](./property-template-references.html#property-blueprints) in previous tile versions, to storage in CredHub.
* Using CredHub to generate new credentials.
You can choose to wait until <%= vars.platform_name %> supports some or all of these features before incorporating CredHub into their service.
## <a id="resources"></a> CredHub resources
The following resources can be helpful:
* A blog-post covering [CredHub basics](https://docs.vmware.com/en/VMware-Tanzu-Application-Service/4.0/tas-for-vms/credhub-index.html)
* The [CredHub repository](https://github.com/cloudfoundry-incubator/credhub)
* A recent Cloud Foundry Summit talk: [CredHub and Secure Credential Management](https://www.youtube.com/watch?v=6Hqq5avmwig)