credhub job from credhub/1.6.0
Github source:
d2da3fd
or
master branch
Properties¶
bpm
¶
enabled
¶Enable Bosh Process Manager
- Default
false
credhub
¶
authentication
¶
mutual_tls
¶
trusted_cas
¶List of CAs trusted to sign client certificates for mutual TLS authentication
- Default
[]
uaa
¶
ca_certs
¶List of CAs trusted when making TLS connections to UAA server
url
¶URL of UAA server which issues trusted tokens for authentication
- Example
https://uaa.example.com:8443
verification_key
¶Public key of UAA server for verifying signature of tokens presented for authentication
authorization
¶
acls
¶
enabled
¶Enables authorization via credential access control lists
- Default
false
ca_certificate
¶Optional parameter to provide the CA certificate for TLS connection to CredHub API as a link
- Default
""- Example
|+ -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
data_storage
¶
database
¶Name of database in which to store data on targeted database server (must exist prior to deployment)
- Default
credhub
host
¶Host address of targeted database server
password
¶Password for authenticating with targeted database server
port
¶Listening port of targeted database server
require_tls
¶Requires only TLS connections to targeted database server
- Default
true
tls_ca
¶CA trusted for making TLS connections to targeted database server
type
¶Database type. Accepted values are in-memory, mysql, or postgres
username
¶Username for authenticating with targeted database server
encryption
¶
keys
¶A list of active and inactive encryption keys, specifying the provider name and the encryption key name or value. One key must be marked as active. See below for example keys for each supported provider type. The internal provider accepts an encryption_password (minimum length 20).
- Example
- encryption_password: example-encryption-password provider_name: internal-provider - active: true encryption_key_name: active-hsm-key-name provider_name: hsm-provider - encryption_key_name: inactive-hsm-key-name provider_name: hsm-provider
providers
¶A list of all providers used for the current set of encryption keys. See below for example structures of all supported provider types. HSM port will default to 1792, if not provided.
- Example
- name: internal-provider type: internal - client_certificate: |+ -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- client_key: |+ -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- name: hsm-provider partition: my-hsm-partition partition_password: example-hsm-password servers: - certificate: |+ -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- host: 10.0.1.1 partition_serial_number: 123123 port: 1792 - certificate: |+ -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- host: 10.0.1.2 partition_serial_number: 456456 port: 1792 type: hsm
java7_tls_ciphers_enabled
¶Enables CBC TLS cipher suites to enable TLS communication with Java 7 clients
- Default
false
log_level
¶Application log level. Accepted values are none, error, warn, info or debug
- Default
info
max_heap_size
¶Maximum memory heap size in MB for CredHub JVM
- Default
1024
port
¶Listening port for the CredHub API
- Default
8844
tls
¶Certificate and private key for TLS connection to CredHub API
- Example
|+ certificate: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- private_key: | -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
Templates¶
Templates are rendered and placed onto corresponding
instances during the deployment process. This job's templates
will be placed into /var/vcap/jobs/credhub/
directory
(learn more).
bin/bbr/backup
(frombackup.erb
)bin/bbr/restore
(fromrestore.erb
)bin/configure_hsm.sh
(fromconfigure_hsm.erb
)bin/credhub
(fromcredhub.erb
)bin/ctl
(fromctl.erb
)bin/dns_health_check
(fromdns_health_check.erb
)bin/drain
(fromdrain.erb
)bin/init_key_stores.sh
(frominit_key_stores.erb
)bin/post-start
(frompost-start.erb
)bin/pre-start
(frompre-start.erb
)config/application.yml
(fromapplication.yml.erb
)config/bpm.yml
(frombpm.yml.erb
)config/database_ca.pem
(fromdatabase_ca.pem.erb
)config/encryption.conf
(fromencryption.conf.erb
)config/log4j2.properties
(fromlog4j2.properties.erb
)
Packages¶
Packages are compiled and placed onto corresponding
instances during the deployment process. Packages will be
placed into /var/vcap/packages/
directory.