CredHub Variable Types¶
(See Variable Interpolation for introduction.)
Currently CLI supports password, certificate, rsa, and ssh types whose
supported generation options are detailed below. The Director (connected to a
config server, typically CredHub) may support additional types known by the
config server.
Please refer to CredHub documentation for full details over CredHub supported credentials types and their associated available generation options.
Please also refer to variables block for useful
options like update_mode: converge (knowing that when the Bosh CLI generates
secrets in a local --vars-store file for bosh create-env, the
update_mode: converge is not honored, though).
Note that <value> indicates value obtained via ((var)) variable syntax.
Password¶
[String]: Password value. A random string containing a fixed set of characters: lowercase letters (from atoz) and figures (from0to9).
Generation options:
- length [Number, optional]: The length of password to generate. Defaults
to
20with the Bosh CLI (whereas the default length with CredHub is30).
Certificate¶
-
[Hash]: Certificate. -
ca [String]: Certificate's CA (PEM encoded).
- certificate [String]: Certificate (PEM encoded).
- private_key [String]: Private key (PEM encoded).
Since Sept 8th, 2017, the Bosh CLI generates private keys which are
3072bits long, and doesn't provide any parameter for this, whereas CredHub default is 2048.
Generation options:
- common_name [String, required]: the Common Name (CN) used in the certificate subject. Example:
foo.com. - organization [String, optional]: The organization name (O) used in the certificate subject. Defaults to
Cloud Foundry. - alternative_names [Array, optional]: Subject alternative names. Example:
["foo.com", "*.foo.com"]. - is_ca [Boolean, required]: Indicates whether this is a CA certificate (root or intermediate). Defaults to
false. - ca [String, optional]: Specifies name of a CA certificate to use for making this certificate. Can be specified in conjunction with
is_cato produce an intermediate certificate. - extended_key_usage [Array, optional]: List of extended key usage. Possible values:
client_authand/orserver_auth. Default:[](empty list). Example:["client_auth"]. - duration [Number, optional]: Duration in days of generated credential value. Default:
365. If a minimum duration is configured in CredHub and is greater than the user provided duration, the certificate will be generated using the minimum duration instead.
Example:
- name: bosh_ca
type: certificate
options:
is_ca: true
common_name: bosh
- name: mbus_bootstrap_ssl
type: certificate
options:
ca: bosh_ca
common_name: ((internal_ip))
alternative_names: [((internal_ip))]
Example of certificates used for mutual TLS:
variables:
- name: cockroachdb_ca
type: certificate
options:
is_ca: true
common_name: cockroachdb
- name: cockroachdb_server_ssl
type: certificate
options:
ca: cockroachdb_ca
common_name: node
alternative_names: ["*.cockroachdb.default.cockroachdb.bosh"]
extended_key_usage:
- server_auth
- client_auth
- name: cockroachdb_user_root
type: certificate
options:
ca: cockroachdb_ca
common_name: root
extended_key_usage:
- client_auth
- name: cockroachdb_user_test
type: certificate
options:
ca: cockroachdb_ca
common_name: test
extended_key_usage:
- client_auth
RSA¶
2048 bits long, and doesn't provide any parameter for this.
- private_key [String]: Private key (PEM encoded).
- public_key [String]: Public key (PEM encoded).
SSH¶
-
[Hash]: SSH key. The Bosh CLI generates a RSA private key which is 2048bits long, and doesn't provide any parameter for this. -
private_key [String]: Private key (PEM encoded).
- public_key [String]: Public key (OpenSSH format, "ssh-rsa ...").
- public_key_fingerprint [String]: Public key's MD5 fingerprint. Example:
c3:ae:51:ec:cb:a8:09:ac:43:fd:84:dd:11:dd:fe:c7.