credhub job from credhub/1.1.0
Github source:
beb5613
or
master branch
Properties¶
credhub
¶
authentication
¶
mutual_tls
¶
trusted_cas
¶List of certificates for accepted CAs trusted for signing mutual TLS certificates
- Default
[]- Example
- |+ -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- - |+ -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
uaa
¶
ca_certs
¶List of certificates of CAs trusted trusted for signing TLS certificates for UAA
url
¶URL of UAA instance for client to contact
verification_key
¶The public key for verifying tokens issued by the UAA instance
authorization
¶
acls
¶
enabled
¶Whether to enable or disable ACL enforcement
- Default
false
data_storage
¶
database
¶Name of database
- Default
credhub
host
¶Host for credhub’s database access
password
¶Password for credhub’s database access
port
¶Port for credhub’s database access
require_tls
¶If true, forbid insecure connections to MySQL. Does not apply to Postgres.
- Default
true
tls_ca
¶Certificate that database must supply when validation is required.
type
¶Database type, either in-memory (development only), mysql, or postgres, and there is no default
username
¶User name for credhub’s database access
encryption
¶
keys
¶A list of active and inactive encryption keys, specifying the provider name and the encryption key name or value. One key must be marked as active. See below for example keys for each supported provider type. The internal provider accepts an encryption_password (minimum length 20).
- Example
- active: true encryption_key_name: active-hsm-key-name provider_name: hsm-provider - encryption_key_name: inactive-hsm-key-name provider_name: hsm-provider - encryption_password: example-encryption-password provider_name: internal-provider
providers
¶A list of all providers used for the current set of encryption keys. See below for example structures of all supported provider types. HSM port will default to 1792, if not provided.
- Example
- client_certificate: |+ -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- client_key: |+ -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- name: hsm-provider partition: my-hsm-partition partition_password: example-hsm-password servers: - certificate: |+ -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- host: 10.0.1.1 partition_serial_number: 123123 port: 1792 - certificate: |+ -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- host: 10.0.1.2 partition_serial_number: 456456 port: 1792 type: hsm - name: internal-provider type: internal
java7_tls_ciphers_enabled
¶Allows legacy TLS cipher suites to enable TLS communication with Java 7 clients
- Default
false
log_level
¶Log level. Available levels are none, error, warn, info, debug
- Default
info
max_heap_size
¶Maximum memory heap size in MB for CredHub JVM
- Default
1024
port
¶Port for the CredHub server to listen on
- Default
8844
tls
¶Certificate and private key for TLS connection to CredHub API
- Example
|+ certificate: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- private_key: | -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
Templates¶
Templates are rendered and placed onto corresponding
instances during the deployment process. This job's templates
will be placed into /var/vcap/jobs/credhub/
directory
(learn more).
bin/bbr/backup
(frombackup.erb
)bin/bbr/restore
(fromrestore.erb
)bin/configure_hsm.sh
(fromconfigure_hsm.erb
)bin/ctl
(fromctl.erb
)bin/drain
(fromdrain.erb
)bin/init_key_stores.sh
(frominit_key_stores.erb
)bin/post-start
(frompost-start.erb
)bin/pre-start
(frompre-start.erb
)config/application.yml
(fromapplication.yml.erb
)config/encryption.conf
(fromencryption.conf.erb
)config/log4j2.properties
(fromlog4j2.properties.erb
)
Packages¶
Packages are compiled and placed onto corresponding
instances during the deployment process. Packages will be
placed into /var/vcap/packages/
directory.