## This manifest deploys CredHub, a PostgreSQL database server and UAA on one VM.
##
## This deployment is intended for development testing only. You will lose all of your stored data in the event of an issue with the VM or mounted disks.
##
## This manifest assumes that you are deploying with a BOSH Director that has CredHub enabled, in which case every ((variable)) placeholder below is generated automatically from the `variables:` section and stored in the director's CredHub. If this is not the case, you must replace each ((variable)) placeholder with an actual value yourself -- and treat the resulting file as a secret, since it will then contain passwords and private keys in plaintext.
##
## You must update the vm_type (currently 'medium') and the network names (currently 'default' and 'public') according to your cloud config. You must also supply accurate values for ((external-ip-address)) and ((internal-ip-address)); the UAA URL is derived from the external address, and both addresses are baked into the generated TLS certificates as SANs, so they must be correct before the first deploy.
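---
name: credhub

# Every release and the stemcell float on `version: latest`. That keeps this
# dev manifest short, but it makes the deployment non-reproducible: whatever
# happens to be the newest upload on the director is what gets deployed.
# For anything beyond throwaway testing, pin each `version:` (and record the
# release `sha1:`) so that what is deployed is exactly what was reviewed.
releases:
- name: credhub
  version: latest
- name: postgres
  version: latest
- name: uaa
  version: latest
- name: backup-and-restore-sdk
  version: latest
- name: os-conf
  version: latest
- name: bpm
  version: latest

stemcells:
- alias: default
  # NOTE(review): xenial is an old stemcell line; confirm it is still
  # receiving security updates before reusing this manifest.
  os: ubuntu-xenial
  version: latest

# Single-instance deployment, so canaries / max_in_flight only matter if
# `instances` is ever raised.
update:
  canaries: 1
  max_in_flight: 10
  update_watch_time: 10000-200000
  canary_watch_time: 10000-200000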
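# All credentials below are generated by the director's CredHub on first deploy
# (see header). The director's variable store is therefore the only copy of
# credhub-encryption-password -- lose it and every secret stored in this CredHub
# becomes unreadable.
variables:
# Password from which the `internal` encryption provider (credhub job) derives
# the data encryption key. 40 random characters is fine for dev; production
# deployments should use an HSM/KMS provider so the key never lives in a
# variable store.
- name: credhub-encryption-password
  type: password
  options:
    length: 40
# Single self-signed root that issues every server certificate below.
- name: credhub-ca
  type: certificate
  options:
    is_ca: true
    common_name: CredHub CA
# CredHub's own HTTPS certificate. IP SANs because clients address the
# server by IP, not by hostname.
- name: credhub-tls
  type: certificate
  options:
    ca: credhub-ca
    common_name: ((external-ip-address))
    alternative_names:
    - ((external-ip-address))
    - ((internal-ip-address))
    - 127.0.0.1
# PostgreSQL server certificate. The postgres job binds to 127.0.0.1, so only
# the loopback names are exercised; the external-IP SAN is unused unless the
# bind address is changed.
- name: database-tls
  type: certificate
  options:
    ca: credhub-ca
    common_name: ((external-ip-address))
    alternative_names:
    - ((external-ip-address))
    - ((internal-ip-address))
    - 127.0.0.1
    - localhost
# One role/password is shared by the credhub and uaa databases (dev shortcut);
# a compromise of either service exposes the other's database.
- name: database-admin
  type: password
# UAA's HTTPS certificate; `localhost` is needed because CredHub talks to UAA
# over loopback (internal_url), the external IP for CLI/browser access.
- name: uaa-tls
  type: certificate
  options:
    ca: credhub-ca
    common_name: ((external-ip-address))
    alternative_names:
    - ((external-ip-address))
    - localhost
# RSA-4096 key pair: the private half signs UAA tokens, the public half is
# handed to CredHub as `verification_key`.
- name: uaa-jwt
  type: rsa
  options:
    key_length: 4096
# Bootstrap UAA user and the `admin`/`login` client secrets.
- name: uaa-users-admin
  type: password
- name: uaa-admin
  type: password
- name: uaa-login
  type: password
# Secrets for the two CredHub principals defined in the uaa job.
- name: credhub-admin-client-password
  type: password
- name: credhub-admin-user-password
  type: password
# CA whose client certificates CredHub accepts for mutual TLS. No client
# certificate is minted in this manifest; anything authenticating this way
# must present a cert chained to this CA.
- name: credhub-mtls-ca
  type: certificate
  options:
    is_ca: true
    common_name: credhub-mtls-ca
# SSH key pair for the `bbr` OS user created by the user_add job; the private
# half grants shell access to the VM and must be protected accordingly.
- name: jumpbox-ssh
  type: ssh
# Passphrase for UAA's own at-rest encryption (uaa job, `encryption:`).
- name: uaa-encryption-password
  type: password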
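instance_groups:
# Everything (CredHub, UAA, PostgreSQL, backup tooling) runs on this one VM:
# no HA, and the VM's disk is the only copy of the data (see header warning).
- name: credhub
  instances: 1
  vm_type: medium
  azs: [z1]
  stemcell: default
  networks:
  - name: default
    static_ips: [((internal-ip-address))]
    default: [dns, gateway]
  # Second NIC on a public network: CredHub and UAA are reachable directly on
  # ((external-ip-address)). Nothing in this manifest restricts inbound
  # sources, so do that with cloud firewalling / security groups.
  - name: public
    static_ips: [((external-ip-address))]
  jobs:
  - name: credhub
    release: credhub
    properties:
      credhub:
        tls: ((credhub-tls))
        authorization:
          permissions:
          # Bootstrap ACL: the credhub_admin_client UAA client gets every
          # operation on every path. Narrow this (or add narrower actors)
          # before handing that client's secret to automation.
          - path: /*
            actors: ["uaa-client:credhub_admin_client"]
            operations: [read,write,delete,read_acl,write_acl]
        authentication:
          uaa:
            # Public UAA URL; the same value is given to the uaa job through
            # the *uaa-url alias so the two cannot drift apart. internal_url
            # is what CredHub itself calls, over loopback.
            url: &uaa-url https://((external-ip-address)):8443
            internal_url: https://localhost:8443
            # Public half of uaa-jwt, used to verify UAA-issued token signatures.
            verification_key: ((uaa-jwt.public_key))
            ca_certs:
            - ((uaa-tls.ca))
          mutual_tls:
            # Client certificates chained to this CA are accepted as an
            # alternative to UAA tokens; no client cert is generated here.
            trusted_cas: [((credhub-mtls-ca.certificate))]
        data_storage:
          type: postgres
          # Same `admin` role/password as UAA's database (see database-admin).
          username: admin
          password: ((database-admin))
          host: localhost
          port: 5432
          database: credhub
          # TLS is enforced even over loopback and verified against the
          # deployment CA.
          require_tls: true
          tls_ca: ((database-tls.ca))
        encryption:
          # Internal (software) provider: the key is derived from a password
          # held in the director's variable store. Adequate for dev; prefer an
          # HSM/KMS provider in production.
          keys:
          - provider_name: int
            key_properties:
              encryption_password: ((credhub-encryption-password))
            active: true
          providers:
          - name: int
            type: internal
      bpm:
        enabled: true
  - name: postgres
    release: postgres
    properties:
      databases:
        # Loopback only: the database is not reachable from either network.
        address: 127.0.0.1
        port: 5432
        databases:
        - name: credhub
        - name: uaa
        roles:
        # One role used by both databases (dev shortcut). Separate roles per
        # database would contain a compromise of either service.
        - name: admin
          password: ((database-admin))
        tls:
          ca: ((database-tls.ca))
          certificate: ((database-tls.certificate))
          private_key: ((database-tls.private_key))
  - name: uaa
    release: uaa
    properties:
      # NOTE(review): bpm is enabled for the credhub job but disabled here;
      # confirm that is intentional rather than an oversight.
      bpm:
        enabled: false
      uaa:
        url: *uaa-url
        # /dev/./urandom avoids JVM entropy starvation on a fresh VM.
        catalina_opts: -Djava.security.egd=file:/dev/./urandom -Xmx768m -XX:MaxMetaspaceSize=256m
        scim:
          users:
          # Bootstrap operator account. scim.write lets it create further
          # users/groups; bosh.admin is not needed by CredHub itself, so drop
          # it unless this UAA also fronts a BOSH director. Rotate the
          # password after first login.
          - name: admin
            password: ((uaa-users-admin))
            groups:
            - scim.write
            - scim.read
            - bosh.admin
            - credhub.read
            - credhub.write
          # Day-to-day CredHub operator, used with the credhub_cli client.
          - name: credhub_admin_user
            password: ((credhub-admin-user-password))
            groups:
            - credhub.read
            - credhub.write
        clients:
          # Public client used by the CredHub CLI: empty secret and password
          # grant, so it is the *user* that is authenticated, not the client.
          # A short access-token validity with a longer refresh token limits
          # the exposure of a leaked access token.
          credhub_cli:
            override: true
            authorized-grant-types: password,refresh_token
            scope: credhub.read,credhub.write
            authorities: uaa.resource
            access-token-validity: 30
            refresh-token-validity: 3600
            secret: ""
          # Confidential client for automation. Its secret alone yields the
          # full `/*` ACL configured in the credhub job above.
          credhub_admin_client:
            override: true
            authorized-grant-types: client_credentials
            scope: uaa.none
            authorities: credhub.read,credhub.write
            access-token-validity: 3600
            secret: ((credhub-admin-client-password))
        admin: {client_secret: ((uaa-admin))}
        login: {client_secret: ((uaa-login))}
        zones: {internal: {hostnames: []}}
        sslCertificate: ((uaa-tls.certificate))
        sslPrivateKey: ((uaa-tls.private_key))
        jwt:
          revocable: true
          policy:
            active_key_id: key-1
            keys:
              key-1:
                # Private half of uaa-jwt. Rotation is done by adding a second
                # key here and switching active_key_id -- verify against the
                # UAA docs before relying on it.
                signingKey: ((uaa-jwt.private_key))
      uaadb:
        address: 127.0.0.1
        port: 5432
        db_scheme: postgresql
        tls_enabled: true
        databases:
        - tag: uaa
          name: uaa
        roles:
        - tag: admin
          name: admin
          password: ((database-admin))
      login:
        saml:
          # Reuses the HTTPS key pair as the SAML SP signing key (dev shortcut).
          # Use a dedicated key if SAML is actually exercised.
          serviceProviderCertificate: ((uaa-tls.certificate))
          serviceProviderKey: ((uaa-tls.private_key))
          serviceProviderKeyPassword: ""
      encryption:
        active_key_label: key1
        encryption_keys:
        - label: key1
          passphrase: ((uaa-encryption-password))
  # OS-level `bbr` user with key-only SSH: the backup operator's way onto the
  # VM. Treat the private half of jumpbox-ssh as a shell credential.
  - name: user_add
    release: os-conf
    properties:
      users:
      - name: bbr
        public_key: ((jumpbox-ssh.public_key))
  # BBR hooks. A restored credhub database is only usable with the same
  # credhub-encryption-password, so keep that variable safe alongside backups.
  - name: bbr-credhubdb
    release: credhub
    properties:
      release_level_backup: true
  - name: database-backup-restorer
    release: backup-and-restore-sdk
    properties: {}
  # NOTE(review): this installs the Postgres *leaf* certificate, not its issuer
  # ((database-tls.ca)), into the OS trust store; rotating database-tls then
  # requires this job to be redeployed too. Confirm the leaf was intended.
  - name: ca_certs
    release: os-conf
    properties:
      certs: ((database-tls.certificate))
  - name: bpm
    release: bpm
    properties: {}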