Skip to content

credhub job from credhub/1.3.3

Github source: 6661d6d or master branch

Properties

credhub

authentication

mutual_tls
trusted_cas

List of CAs trusted to sign client certificates for mutual TLS authentication

Default
[]
uaa
ca_certs

List of CAs trusted when making TLS connections to UAA server

url

URL of UAA server which issues trusted tokens for authentication

Example
https://uaa.example.com:8443
verification_key

Public key of UAA server for verifying signature of tokens presented for authentication

authorization

acls
enabled

Enables authorization via credential access control lists

Default
false

data_storage

database

Name of database in which to store data on targeted database server (must exist prior to deployment)

Default
credhub
host

Host address of targeted database server

password

Password for authenticating with targeted database server

port

Listening port of targeted database server

require_tls

Requires only TLS connections to targeted database server

Default
true
tls_ca

CA trusted for making TLS connections to targeted database server

type

Database type. Accepted values are in-memory, mysql, or postgres

username

Username for authenticating with targeted database server

encryption

keys

A list of active and inactive encryption keys, specifying the provider name and the encryption key name or value. One key must be marked as active. See below for example keys for each supported provider type. The internal provider accepts an encryption_password (minimum length 20).

Example
- encryption_password: example-encryption-password
  provider_name: internal-provider
- active: true
  encryption_key_name: active-hsm-key-name
  provider_name: hsm-provider
- encryption_key_name: inactive-hsm-key-name
  provider_name: hsm-provider
providers

A list of all providers used for the current set of encryption keys. See below for example structures of all supported provider types. HSM port will default to 1792, if not provided.

Example
- name: internal-provider
  type: internal
- client_certificate: |+
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  client_key: |+
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
  name: hsm-provider
  partition: my-hsm-partition
  partition_password: example-hsm-password
  servers:
  - certificate: |+
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    host: 10.0.1.1
    partition_serial_number: 123123
    port: 1792
  - certificate: |+
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    host: 10.0.1.2
    partition_serial_number: 456456
    port: 1792
  type: hsm

java7_tls_ciphers_enabled

Enables CBC TLS cipher suites to enable TLS communication with Java 7 clients

Default
false

log_level

Application log level. Accepted values are none, error, warn, info or debug

Default
info

max_heap_size

Maximum memory heap size in MB for CredHub JVM

Default
1024

port

Listening port for the CredHub API

Default
8844

tls

Certificate and private key for TLS connection to CredHub API

Example
|+
  certificate: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/credhub/ directory (learn more).

  • bin/bbr/backup (from backup.erb)
  • bin/bbr/restore (from restore.erb)
  • bin/configure_hsm.sh (from configure_hsm.erb)
  • bin/ctl (from ctl.erb)
  • bin/drain (from drain.erb)
  • bin/init_key_stores.sh (from init_key_stores.erb)
  • bin/post-start (from post-start.erb)
  • bin/pre-start (from pre-start.erb)
  • config/application.yml (from application.yml.erb)
  • config/database_ca.pem (from database_ca.pem.erb)
  • config/encryption.conf (from encryption.conf.erb)
  • config/log4j2.properties (from log4j2.properties.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.