credhub job from credhub/1.0.11

Github source: ef26560 or master branch

Properties¶

credhub¶

authentication¶

mutual_tls¶

trusted_cas¶

List of certificates for accepted CAs trusted for signing mutual TLS certificates

Default

[]

Example

- |+
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
- |+
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

uaa¶

ca_certs¶

List of certificates of CAs trusted trusted for signing TLS certificates for UAA

url¶

URL of UAA instance for client to contact

verification_key¶

The public key for verifying tokens issued by the UAA instance

authorization¶

acls¶

enabled¶

Whether to enable or disable ACL enforcement

Default

false

data_storage¶

database¶

Name of database

Default

credhub

host¶

Host for credhub’s database access

password¶

Password for credhub’s database access

port¶

Port for credhub’s database access

require_tls¶

If true, forbid insecure connections to MySQL. Does not apply to Postgres.

Default

true

tls_ca¶

Certificate that database must supply when validation is required.

type¶

Database type, either in-memory (development only), mysql, or postgres, and there is no default

username¶

User name for credhub’s database access

encryption¶

keys¶

A list of active and inactive encryption keys, specifying the provider name and the encryption key name or value. One key must be marked as active. See below for example keys for each supported provider type. The internal provider accepts an encryption_password (minimum length 20).

Example

- active: true
  encryption_key_name: active-hsm-key-name
  provider_name: hsm-provider
- encryption_key_name: inactive-hsm-key-name
  provider_name: hsm-provider
- encryption_password: example-encryption-password
  provider_name: internal-provider

providers¶

A list of all providers used for the current set of encryption keys. See below for example structures of all supported provider types. HSM port will default to 1792, if not provided.

Example

- client_certificate: |+
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  client_key: |+
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
  name: hsm-provider
  partition: my-hsm-partition
  partition_password: example-hsm-password
  servers:
  - certificate: |+
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    host: 10.0.1.1
    partition_serial_number: 123123
    port: 1792
  - certificate: |+
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    host: 10.0.1.2
    partition_serial_number: 456456
    port: 1792
  type: hsm
- name: internal-provider
  type: internal

log_level¶

Log level. Available levels are none, error, warn, info, debug

Default

info

port¶

Port for the CredHub server to listen on

Default

8844

tls¶

Certificate and private key for TLS connection to CredHub API

Example

|+
  certificate: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

Templates¶

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/credhub/ directory (learn more).

• bin/bbr/backup (from backup.erb)
• bin/bbr/restore (from restore.erb)
• bin/configure_hsm.sh (from configure_hsm.erb)
• bin/ctl (from ctl)
• bin/drain (from drain.erb)
• bin/init_key_stores.sh (from init_key_stores.erb)
• bin/post-start (from post-start.erb)
• bin/pre-start (from pre-start.erb)
• config/application.yml (from application.yml.erb)
• config/encryption.conf (from encryption.conf.erb)
• config/log4j2.properties (from log4j2.properties.erb)

Packages¶

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.

• credhub
• lunaclient
• openjdk_1.8.0