credhub job from credhub/1.9.4

Github source: 89a89f7 or master branch

Properties¶

bpm¶

enabled¶

Enable Bosh Process Manager

Default

false

credhub¶

authentication¶

mutual_tls¶

trusted_cas¶

List of CAs trusted to sign client certificates for mutual TLS authentication

Default

[]

uaa¶

ca_certs¶

List of CAs trusted when making TLS connections to UAA server

enabled¶

Enables authentication via OAuth using UAA

Default

true

internal_url¶

Optional URL for reaching UAA server over internal networking

Example

https://uaa.example.internal:8443

url¶

URL of UAA server which issues trusted tokens for authentication

Example

https://uaa.example.com:8443

authorization¶

acls¶

enabled¶

Enables authorization via credential access control lists

Default

false

ca_certificate¶

Optional parameter to provide the CA certificate for TLS connection to CredHub API as a link

Default

""

Example

|+
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

data_storage¶

database¶

Name of database in which to store data on targeted database server (must exist prior to deployment)

Default

credhub

host¶

Host address of targeted database server

password¶

Password for authenticating with targeted database server

port¶

Listening port of targeted database server

require_tls¶

Requires only TLS connections to targeted database server

Default

true

tls_ca¶

CA trusted for making TLS connections to targeted database server

type¶

Database type. Accepted values are in-memory, mysql, or postgres

username¶

Username for authenticating with targeted database server

encryption¶

keys¶

A list of active and inactive encryption keys, specifying the provider name and the encryption key name or value. One key must be marked as active. See below for example keys for each supported provider type. The internal provider accepts an encryption_password (minimum length 20).

Example

- encryption_password: example-encryption-password
  provider_name: internal-provider
- active: true
  encryption_key_name: active-hsm-key-name
  provider_name: hsm-provider
- encryption_key_name: inactive-hsm-key-name
  provider_name: hsm-provider

providers¶

A list of all providers used for the current set of encryption keys. See below for example structures of all supported provider types. HSM port will default to 1792, if not provided.

Example

- name: internal-provider
  type: internal
- client_certificate: |+
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  client_key: |+
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
  name: hsm-provider
  partition: my-hsm-partition
  partition_password: example-hsm-password
  servers:
  - certificate: |+
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    host: 10.0.1.1
    partition_serial_number: 123123
    port: 1792
  - certificate: |+
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    host: 10.0.1.2
    partition_serial_number: 456456
    port: 1792
  type: hsm

internal_url¶

Optional parameter to provide the CredHub internal URL as a link

Default

""

Example

credhub.service.cf.internal

java7_tls_ciphers_enabled¶

Enables CBC TLS cipher suites to enable TLS communication with Java 7 clients

Default

false

log_level¶

Application log level. Accepted values are none, error, warn, info or debug

Default

info

max_heap_size¶

Maximum memory heap size in MB for CredHub JVM

Default

1024

port¶

Listening port for the CredHub API

Default

8844

tls¶

Certificate and private key for TLS connection to CredHub API

Example

|+
  certificate: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

Templates¶

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/credhub/ directory (learn more).

• bin/bbr/identify-postgres-server-version (from identify-postgres-server-version.erb)
• bin/bbr/post-backup-unlock (from post-backup-unlock.sh)
• bin/bbr/post-bbr-start (from post-bbr-start.erb)
• bin/bbr/post-restore-unlock (from post-restore-unlock.sh)
• bin/bbr/pre-backup-lock (from pre-backup-lock.sh)
• bin/bbr/pre-restore-lock (from pre-restore-lock.sh)
• bin/bbr/wait-for-stop (from wait-for-stop.sh.erb)
• bin/configure_hsm.sh (from configure_hsm.erb)
• bin/credhub (from credhub.erb)
• bin/ctl (from ctl.erb)
• bin/dns_health_check (from dns_health_check.erb)
• bin/drain (from drain.erb)
• bin/init_key_stores.sh (from init_key_stores.erb)
• bin/post-start (from post-start.erb)
• bin/pre-start (from pre-start.erb)
• config/bpm.yml (from bpm.yml.erb)
• config/config.json (from config.json.erb)
• config/database_ca.pem (from database_ca.pem.erb)
• config/encryption.conf (from encryption.conf.erb)
• config/log4j2.properties (from log4j2.properties.erb)
• config/validation.yml.bak (from validation.yml.erb)

Packages¶

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.

• configurator
• credhub
• golang-1.9-linux
• lunaclient
• openjdk_1.8.0