Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
Applies to SUSE Cloud Application Platform 1.5.2

26 Integrating CredHub with SUSE Cloud Application Platform

SUSE Cloud Application Platform supports CredHub integration. You should already have a working CredHub instance, a CredHub service on your cluster, then apply the steps in this chapter to connect SUSE Cloud Application Platform.

26.1 Installing the CredHub Client

Start by creating a new directory for the CredHub client on your local workstation, then download and unpack the CredHub client. The following example is for the 2.2.0 Linux release. For other platforms and current releases, see the cloudfoundry-incubator/credhub-cli at https://github.com/cloudfoundry-incubator/credhub-cli/releases

tux > mkdir chclient
tux > cd chclient
tux > wget https://github.com/cloudfoundry-incubator/credhub-cli/releases/download/2.2.0/credhub-linux-2.2.0.tgz
tux > tar zxf credhub-linux-2.2.0.tgz

26.2 Enabling and Disabling CredHub

Enable CredHub for your deployment using the --set "enable.credhub=true" flag when running helm install or helm upgrade.

If this is an initial deployment, use helm install to deploy scf with CredHub enabled:

Note
Note: Setting UAA_CA_CERT

Starting with SUSE Cloud Application Platform 1.5.2, you no longer need to set UAA_CA_CERT when using an external UAA with a certificate signed by a well known Certificate Authority (CA). It is only needed when you use an external UAA with either a certificate generated by the secret-generator or a self-signed certificate.

If you need to set UAA_CA_CERT:

  1. Obtain your UAA secret and certificate:

    tux > SECRET=$(kubectl get pods --namespace uaa \
    --output jsonpath='{.items[?(.metadata.name=="uaa-0")].spec.containers[?(.name=="uaa")].env[?(.name=="INTERNAL_CA_CERT")].valueFrom.secretKeyRef.name}')
    
    tux > CA_CERT="$(kubectl get secret $SECRET --namespace uaa \
    --output jsonpath="{.data['internal-ca-cert']}" | base64 --decode -)"
  2. Then pass --set "secrets.UAA_CA_CERT=${CA_CERT}" as part of your helm command.

tux > helm install suse/cf \
--name susecf-scf \
--namespace scf \
--values scf-config-values.yaml \
--set "enable.credhub=true"

If this is an existing deployment, use helm upgrade to enable CredHub:

tux > helm upgrade susecf-scf suse/cf \
--values scf-config-values.yaml \
--set "secrets.UAA_CA_CERT=${CA_CERT}" \
--set "enable.credhub=true" \
--version 2.20.3
Warning
Warning

On occasion, the credhub pod may fail to start due to database migration failures; this has been spotted intermittently on Microsoft Azure Kubernetes Service and to a lesser extent, other public clouds. In these situations, manual intervention is required to track the last completed transaction in credhub_user database and update the flyway schema history table with the record of the last completed transaction. Please contact support for further instructions.

To disable CredHub, run helm upgrade with the --set "enable.credhub=false" flag. Be sure to pass your uaa secret and certificate to scf first:

tux > SECRET=$(kubectl get pods --namespace uaa \
--output jsonpath='{.items[?(.metadata.name=="uaa-0")].spec.containers[?(.name=="uaa")].env[?(.name=="INTERNAL_CA_CERT")].valueFrom.secretKeyRef.name}')

tux > CA_CERT="$(kubectl get secret $SECRET --namespace uaa \
--output jsonpath="{.data['internal-ca-cert']}" | base64 --decode -)"

tux > helm upgrade susecf-scf suse/cf \
--values scf-config-values.yaml \
--set "secrets.UAA_CA_CERT=${CA_CERT}" \
--set "enable.credhub=false" \
--version 2.20.3

26.3 Upgrade Considerations

The following applies to upgrades from SUSE Cloud Application Platform 1.3.1 to SUSE Cloud Application Platform 1.4:

If CredHub is enabled on your deployment of SUSE Cloud Application Platform 1.3.1, then you must specify --set "enable.credhub=true" during the upgrade to keep the feature installed. Sizing values previously set to have a count of 1, which is the new minimum setting, to enable the service no longer need to be set explicitly. The following values in your scf-config-values.yaml file can be removed:

sizing:
  credhub_user:
    count: 1

26.4 Connecting to the CredHub Service

Set environment variables for the CredHub client, your CredHub service location, and Cloud Application Platform namespace. In these guides the example namespace is scf:

tux > CH_CLI=~/.chclient/credhub
tux > CH_SERVICE=https://credhub.example.com
tux > NAMESPACE=scf

Set up the CredHub service location:

tux > SECRET="$(kubectl get secrets --namespace "${NAMESPACE}" | awk '/^secrets-/ { print $1 }')"
tux > CH_SECRET="$(kubectl get secrets --namespace "${NAMESPACE}" "${SECRET}" --output jsonpath="{.data['uaa-clients-credhub-user-cli-secret']}"|base64 --decode)"
tux > CH_CLIENT=credhub_user_cli
tux > echo Service ......@ $CH_SERVICE
tux > echo CH cli Secret @ $CH_SECRET

Set the CredHub target through its Kubernetes service, then log into CredHub:

tux > "${CH_CLI}" api --skip-tls-validation --server "${CH_SERVICE}"
tux > "${CH_CLI}" login --client-name="${CH_CLIENT}" --client-secret="${CH_SECRET}"

Test your new connection by inserting and retrieving some fake credentials:

tux > "${CH_CLI}" set --name FOX --type value --value 'fox over lazy dog'
tux > "${CH_CLI}" set --name DOG --type user --username dog --password fox
tux > "${CH_CLI}" get --name FOX
tux > "${CH_CLI}" get --name DOG
Print this page