credhub job from credhub/2.12.18

Github source: 138030d or master branch

Properties¶

`bpm`¶

enabled¶

Enable Bosh Process Manager. Deprecated; CredHub 3.x.x and later with require BPM to be enabled.
Default
false

`credhub`¶

authentication¶
mutual_tls¶
trusted_cas¶

List of CAs trusted to sign client certificates for mutual TLS authentication
Default
[]
uaa¶
ca_certs¶

List of CAs trusted when making TLS connections to UAA server

enabled¶

Enables authentication via OAuth using UAA
Default
true
internal_url¶

Optional URL for reaching UAA server over internal networking
Example
https://uaa.example.internal:8443
url¶

URL of UAA server which issues trusted tokens for authentication
Example
https://uaa.example.com:8443
wait_for_start¶

Waits for UAA to be available before starting CredHub
Default
true
wait_for_start_connect_timeout¶

Connect timeout in seconds for curl to UAA during wait-for-start script
Default
120
wait_for_start_max_timeout¶

Max timeout in seconds for curl to UAA during wait-for-start script
Default
300
authorization¶
acls¶
enabled¶

Enables authorization via credential access control lists
Default
true
permissions¶

Giving permission for a path to an actor
Default
[]
Example
|+
  - path: /your/credential
    actors:
    - uaa-user:me
    - uaa-user:me2
    operations:
    - read
    - write
    - delete
    - read_acl
    - write_acl
backend¶
ca_cert¶

CA cert used to sign the backend’s certificate
Default
""
Example
|+
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
enable_swappable_backend¶

Enable the use of swappable backends for CredHub to use in place of the default CredHub backend
Default
false
host¶

Common name of the backend’s certificate
Default
""
Example
example.com
socket_file¶

Path of socket file for swappable backend to use
Default
""
Example
/tmp/socket/test.sock
ca_certificate¶

Optional parameter to provide the CA certificate for TLS connection to CredHub API as a link
Default
""
Example
|+
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
certificates¶
ca_minimum_duration_in_days¶

CA certificates will be generated/regenerated with this value when the user provided duration is shorter, ensuring that every certificate is created with at least this value.
Default
0
concatenate_cas¶

Enables the concatenation of CAs when there is a transitional CA for a certificate.
Default
true
leaf_minimum_duration_in_days¶

Leaf certificates will be generated/regenerated with this value when the user provided duration is shorter, ensuring that every certificate is created with at least this value.
Default
0
connection-timeout¶

The maximum amount of time the server will wait for the client to make their request after connecting before the connection is closed
Default
5s
data_storage¶
database¶

Name of database in which to store data on targeted database server (must exist prior to deployment)
Default
credhub
host¶

Host address of targeted database server

hostname_verification¶
enabled¶

Enables hostname verification for TLS connections to targeted database server. This property is only respected when targeting a MariaDB database. Hostname verification cannot be disabled for TLS connections to postgres databases.
Default
true
password¶

Password for authenticating with targeted database server

port¶

Listening port of targeted database server

require_tls¶

Requires only TLS connections to targeted database server
Default
true
tls_ca¶

CA trusted for making TLS connections to targeted database server

type¶

Database type. Accepted values are in-memory, mysql, or postgres

username¶

Username for authenticating with targeted database server
encryption¶
keys¶

A list of active and inactive encryption keys, specifying the provider name and the encryption key name or value. One key must be marked as active. See below for example keys for each supported provider type. The internal provider accepts an encryption_password (minimum length 20).
Example
- key_properties:
    encryption_password: example-encryption-password
  provider_name: internal-provider
- active: true
  key_properties:
    encryption_key_name: active-hsm-key-name
  provider_name: hsm-provider
- key_properties:
    encryption_key_name: inactive-hsm-key-name
  provider_name: hsm-provider
- key_properties:
    encryption_key_name: kms-plugin-key-name
  provider_name: kms-plugin
providers¶

A list of all providers used for the current set of encryption keys. See below for example structures of all supported provider types. HSM port will default to 1792, if not provided.
Example
- name: internal-provider
  type: internal
- connection_properties:
    ca: |+
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    endpoint: unix:///tmp/socketfile.sock
    host: example.com
  name: kms-plugin-provider
  type: kms-plugin
- connection_properties:
    client_certificate: |+
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    client_key: |+
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
    partition: my-hsm-partition
    partition_password: example-hsm-password
    servers:
    - certificate: |+
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      host: 10.0.1.1
      partition_serial_number: 123123
      port: 1792
    - certificate: |+
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      host: 10.0.1.2
      partition_serial_number: 456456
      port: 1792
  name: hsm-provider
  type: hsm
health_endpoint_port¶

Listening port for the CredHub Health Endpoint
Default
8845
internal_url¶

Optional parameter to provide the CredHub internal URL as a link
Default
""
Example
credhub.service.cf.internal
java7_tls_ciphers_enabled¶

Enables CBC TLS cipher suites to enable TLS communication with Java 7 clients. Deprecated, as of CredHub 2.x.y. Java 7 was decommissioned by Oracle in 2015.
Default
false
log_level¶

Application log level. Accepted values are none, error, warn, info or debug
Default
info
max_heap_size¶

Maximum memory heap size in MB for CredHub JVM
Default
1024
port¶

Listening port for the CredHub API
Default
8844
tls¶

Certificate and private key for TLS connection to CredHub API
Example
|+
  certificate: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

Templates¶

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/credhub/ directory (learn more).

bin/bbr/identify-postgres-server-version (from identify-postgres-server-version.erb)
bin/bbr/metadata (from metadata.sh.erb)
bin/bbr/post-backup-unlock (from post-backup-unlock.sh)
bin/bbr/post-bbr-start (from post-bbr-start.erb)
bin/bbr/post-restore-unlock (from post-restore-unlock.sh)
bin/bbr/pre-backup-lock (from pre-backup-lock.sh)
bin/bbr/pre-restore-lock (from pre-restore-lock.sh)
bin/bbr/wait-for-stop (from wait-for-stop.sh.erb)
bin/configure_hsm.sh (from configure_hsm.erb)
bin/credhub (from credhub.erb)
bin/ctl (from ctl.erb)
bin/dns_health_check (from dns_health_check.erb)
bin/drain (from drain.erb)
bin/init_key_stores.sh (from init_key_stores.erb)
bin/post-start (from post-start.erb)
bin/pre-start (from pre-start.erb)
bin/utils.sh (from utils.sh)
bin/wait_for_uaa (from wait_for_uaa.erb)
config/application/auth-server.yml (from application_auth_server.yml.erb)
config/application/encryption.yml (from application_encryption.yml.erb)
config/application/logging.yml (from application_logging.yml)
config/application/security.yml (from application_security.yml.erb)
config/application/server.yml (from application_server.yml.erb)
config/application/spring.yml (from application_spring.yml.erb)
config/bpm.yml (from bpm.yml.erb)
config/database_ca.pem (from database_ca.pem.erb)
config/encryption.conf (from encryption.conf.erb)
config/log4j2.properties (from log4j2.properties.erb)
config/validation_authorization.yml (from validation_authorization.yml.erb)
config/validation_data_storage.yml (from validation_data_storage.yml.erb)
config/validation_encryption.yml (from validation_encryption.yml.erb)
config/validation_logging.yml (from validation_logging.yml.erb)
config/validation_uaa.yml (from validation_uaa.yml.erb)

Packages¶

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.

credhub job from credhub/2.12.18

Properties¶

bpm¶

enabled¶

credhub¶

authentication¶

mutual_tls¶

trusted_cas¶

uaa¶

ca_certs¶

enabled¶

internal_url¶

url¶

wait_for_start¶

wait_for_start_connect_timeout¶

wait_for_start_max_timeout¶

authorization¶

acls¶

enabled¶

permissions¶

backend¶

ca_cert¶

enable_swappable_backend¶

host¶

socket_file¶

ca_certificate¶

certificates¶

ca_minimum_duration_in_days¶

concatenate_cas¶

leaf_minimum_duration_in_days¶

connection-timeout¶

data_storage¶

database¶

host¶

hostname_verification¶

enabled¶

password¶

port¶

require_tls¶

tls_ca¶

type¶

username¶

encryption¶

keys¶

providers¶

health_endpoint_port¶

internal_url¶

java7_tls_ciphers_enabled¶

log_level¶

max_heap_size¶

port¶

tls¶

Templates¶

Packages¶

`bpm`¶

`enabled`¶

`credhub`¶

`authentication`¶

`mutual_tls`¶

`trusted_cas`¶

`uaa`¶

`ca_certs`¶

`enabled`¶

`internal_url`¶

`url`¶

`wait_for_start`¶

`wait_for_start_connect_timeout`¶

`wait_for_start_max_timeout`¶

`authorization`¶

`acls`¶

`enabled`¶

`permissions`¶

`backend`¶

`ca_cert`¶

`enable_swappable_backend`¶

`host`¶

`socket_file`¶

`ca_certificate`¶

`certificates`¶

`ca_minimum_duration_in_days`¶

`concatenate_cas`¶

`leaf_minimum_duration_in_days`¶

`connection-timeout`¶

`data_storage`¶

`database`¶

`host`¶

`hostname_verification`¶

`enabled`¶

`password`¶

`port`¶

`require_tls`¶

`tls_ca`¶

`type`¶

`username`¶

`encryption`¶

`keys`¶

`providers`¶

`health_endpoint_port`¶

`internal_url`¶

`java7_tls_ciphers_enabled`¶

`log_level`¶

`max_heap_size`¶

`port`¶

`tls`¶