forked from mboldt/docs-tiledev
-
Notifications
You must be signed in to change notification settings - Fork 0
/
migrating-credhub-credentials.html.md.erb
122 lines (98 loc) · 4.23 KB
/
migrating-credhub-credentials.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
---
title: Migrating existing credentials to CredHub
owner: CredHub
---
You can migrate non-configurable secrets from Tanzu Operations Manager into CredHub.
CredHub uses BOSH credential types, which can have different names than Tanzu Operations Manager credential types.
The following table lists the Tanzu Operations Manager credential types you can migrate to CredHub and the
corresponding CredHub credential types:
<table class=“table”>
<thead>
<tr>
<th>Tanzu Operations Manager Credential Type</th>
<th>CredHub Credential Type</th>
<th>Supported Tanzu Operations Manager Version</th>
</tr>
</thead>
<tr>
<td><code>secret</code></td>
<td><code>password</code></td>
<td>1.11.1</td>
</tr>
<tr>
<td><code>simple_credential</code></td>
<td><code>user</code></td>
<td>1.12 Alpha 1</td>
</tr>
<tr>
<td><code>salted_credential</code></td>
<td><code>user</code></td>
<td>1.12 Beta 1</td>
</tr>
<tr>
<td><code>rsa_pkey_credential</code></td>
<td><code>rsa</code></td>
<td>1.12 Alpha 1</td>
</tr>
</table>
CredHub does not retain the salt when you migrate <code>salted_credentials</code>.
See [Property and template references](./property-template-references.html#secret) for more information about credential types.
## <a id="javascript"></a> Use the javaScript migration process
You can write a JavaScript migration to move their existing non-configurable secrets into CredHub. After a successful migration, Tanzu Operations Manager deletes credentials from the `installation.yml` file.
1. Use the following example to write the JavaScript migration.
Save the JavaScript file to the `PRODUCT/migrations/v1` directory of your `.pivotal` tile,
following the naming conventions in the [Update Values or Property Names using JavaScript](./tile-upgrades.html) topic.
```js
exports.migrate = function(input) {
input.variable_migrations.push({
from: input.properties['.PROPERTY-REFERENCE.EXAMPLE-SECRET'],
to_variable: 'SECRET-VARIABLE'
});
return input;
};
```
Replace the example text as follows:
* `PROPERTY-REFERENCE`: Replace with the property reference that corresponds to the metadata file, such as `properties`. See [Tile Upgrades](./tile-upgrades.html#import) for more information about migrating properties.
* `EXAMPLE-SECRET`: Replace with the name of the key.
* `SECRET-VARIABLE`: Select a variable name for the migrated secret.
1. Remove the property blueprint for the secret and replace it with a CredHub variable.
* In your metadata, remove the block that includes the credential. For example, remove
the block that includes `-name: EXAMPLE-SECRET` and `type: secret`:
```
property_blueprints:
- name: EXAMPLE-SECRET
type: secret
- name: generated_uuid
type: uuid
- name: configured_secret
type: secret
configurable: true
optional: true
- name: configured_simple_credentials
type: simple_credentials
configurable: true
optional: true
```
* In the `handcraft.yml` file, add a variables section and include the variable name and type:
```
variables:
- name: SECRET-VARIABLE
type: password
```
<p class="note">
<span class="note__title">Note</span>
While the property blueprint refers to the type as <code>secret</code>, BOSH refers to the
type as <code>password</code>. See the <a href="#cred-types">CredHub credential types</a> table at the beginning of this topic for more information about credential types.
</p>
1. In your manifest snippet, replace the existing secret value with the new triple-parenthesis syntax.
* Remove the existing secret from the manifest snippet:
```
secret: (( .PROPERTY-REFERENCE.SECRET-VARIABLE.SECRET-VALUE ))
```
* Add the new CredHub variable to the manifest snippet:
```
secret: ((( SECRET-VARIABLE )))
```
2. Run a [test deploy](./testing.html) of your tile.
3. Use an API endpoint to confirm that the credential is stored in the variable.
For more information about the endpoint, see [Fetching variable names and values](./get-credhub-vars.html).