Skip to content

credhub job from credhub/2.1.3

Github source: afac82d or master branch

Properties

bpm

enabled

Enable Bosh Process Manager

Default
false

credhub

authentication

mutual_tls
trusted_cas

List of CAs trusted to sign client certificates for mutual TLS authentication

Default
[]
uaa
ca_certs

List of CAs trusted when making TLS connections to UAA server

enabled

Enables authentication via OAuth using UAA

Default
true
internal_url

Optional URL for reaching UAA server over internal networking

Example
https://uaa.example.internal:8443
url

URL of UAA server which issues trusted tokens for authentication

Example
https://uaa.example.com:8443

authorization

acls
enabled

Enables authorization via credential access control lists

Default
true
permissions

Giving permission for a path to an actor

Default
[]
Example
|+
  - path: /your/credential
    actors:
    - uaa-user:me
    - uaa-user:me2
    operations:
    - read
    - write
    - delete
    - read_acl
    - write_acl

ca_certificate

Optional parameter to provide the CA certificate for TLS connection to CredHub API as a link

Default
""
Example
|+
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

data_storage

database

Name of database in which to store data on targeted database server (must exist prior to deployment)

Default
credhub
host

Host address of targeted database server

hostname_verification
enabled

Enables hostname verification for TLS connections to targeted database server. This property is only respected when targeting a MariaDB database. Hostname verification cannot be disabled for TLS connections to postgres databases.

Default
true
password

Password for authenticating with targeted database server

port

Listening port of targeted database server

require_tls

Requires only TLS connections to targeted database server

Default
true
tls_ca

CA trusted for making TLS connections to targeted database server

type

Database type. Accepted values are in-memory, mysql, or postgres

username

Username for authenticating with targeted database server

encryption

keys

A list of active and inactive encryption keys, specifying the provider name and the encryption key name or value. One key must be marked as active. See below for example keys for each supported provider type. The internal provider accepts an encryption_password (minimum length 20).

Example
- key_properties:
    encryption_password: example-encryption-password
  provider_name: internal-provider
- active: true
  key_properties:
    encryption_key_name: active-hsm-key-name
  provider_name: hsm-provider
- key_properties:
    encryption_key_name: inactive-hsm-key-name
  provider_name: hsm-provider
- key_properties:
    encryption_key_name: kms-plugin-key-name
  provider_name: kms-plugin
providers

A list of all providers used for the current set of encryption keys. See below for example structures of all supported provider types. HSM port will default to 1792, if not provided.

Example
- name: internal-provider
  type: internal
- connection_properties:
    endpoint: unix:///tmp/socketfile.sock
  name: kms-plugin-provider
  type: kms-plugin
- connection_properties:
    client_certificate: |+
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    client_key: |+
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
    partition: my-hsm-partition
    partition_password: example-hsm-password
    servers:
    - certificate: |+
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      host: 10.0.1.1
      partition_serial_number: 123123
      port: 1792
    - certificate: |+
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      host: 10.0.1.2
      partition_serial_number: 456456
      port: 1792
  name: hsm-provider
  type: hsm

health_endpoint_port

Listening port for the CredHub Health Endpoint

Default
8845

internal_url

Optional parameter to provide the CredHub internal URL as a link

Default
""
Example
credhub.service.cf.internal

java7_tls_ciphers_enabled

Enables CBC TLS cipher suites to enable TLS communication with Java 7 clients. Deprecated, as of CredHub 2.x.y. Java 7 was decommissioned by Oracle in 2015.

Default
false

log_level

Application log level. Accepted values are none, error, warn, info or debug

Default
info

max_heap_size

Maximum memory heap size in MB for CredHub JVM

Default
1024

port

Listening port for the CredHub API

Default
8844

tls

Certificate and private key for TLS connection to CredHub API

Example
|+
  certificate: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/credhub/ directory (learn more).

  • bin/bbr/identify-postgres-server-version (from identify-postgres-server-version.erb)
  • bin/bbr/post-backup-unlock (from post-backup-unlock.sh)
  • bin/bbr/post-bbr-start (from post-bbr-start.erb)
  • bin/bbr/post-restore-unlock (from post-restore-unlock.sh)
  • bin/bbr/pre-backup-lock (from pre-backup-lock.sh)
  • bin/bbr/pre-restore-lock (from pre-restore-lock.sh)
  • bin/bbr/wait-for-stop (from wait-for-stop.sh.erb)
  • bin/configure_hsm.sh (from configure_hsm.erb)
  • bin/credhub (from credhub.erb)
  • bin/ctl (from ctl.erb)
  • bin/dns_health_check (from dns_health_check.erb)
  • bin/drain (from drain.erb)
  • bin/init_key_stores.sh (from init_key_stores.erb)
  • bin/post-start (from post-start.erb)
  • bin/pre-start (from pre-start.erb)
  • config/application/auth-server.yml (from application_auth_server.yml.erb)
  • config/application/encryption.yml (from application_encryption.yml.erb)
  • config/application/logging.yml (from application_logging.yml)
  • config/application/security.yml (from application_security.yml.erb)
  • config/application/server.yml (from application_server.yml.erb)
  • config/application/spring.yml (from application_spring.yml.erb)
  • config/bpm.yml (from bpm.yml.erb)
  • config/database_ca.pem (from database_ca.pem.erb)
  • config/encryption.conf (from encryption.conf.erb)
  • config/log4j2.properties (from log4j2.properties.erb)
  • config/validation_authorization.yml (from validation_authorization.yml.erb)
  • config/validation_data_storage.yml (from validation_data_storage.yml.erb)
  • config/validation_encryption.yml (from validation_encryption.yml.erb)
  • config/validation_logging.yml (from validation_logging.yml.erb)
  • config/validation_uaa.yml (from validation_uaa.yml.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.