We have an existing CredHub in PAS 2.0 and I wanted to use it with Concourse so that I can pull newly rotated keys along with my custom values.
So here is what I did:
# Get authenticated so that you can create a new credhub client:
$ uaac target https://IPOFCREDHUBHOST:8443 --skip-ssl-validation
# The UAA login client secret and the UAA admin user password come from the Ops Manager API:
https://OPSMAN/api/v0/deployed/director/credentials/uaa_login_client_credentials
{"credential":{"type":"simple_credentials","value":{"identity":"MYLOGINNAME","password":"PASSWORDHERE"}}}
https://OPSMAN/api/v0/deployed/director/credentials/uaa_admin_user_credentials
{"credential":{"type":"simple_credentials","value":{"identity":"MYADMINNAME","password":"PASSWORDHERE"}}}
$ uaac token owner get login -s PASSWORDHERE #### the SECRET from the UAA LOGIN CLIENT
User name: MYADMINNAME #### the username from the UAA ADMIN USER
Password: ********* #### the SECRET from the UAA ADMIN USER goes here
Successfully fetched token via owner password grant.
Target: https://OPSMAN:8443
Context: MYADMINNAME, from client login
# Add a credhub client:
$ uaac client add --name MYCREDCLIENT --scope uaa.none --authorized_grant_types client_credentials --authorities "credhub.write,credhub.read"
Client ID: MYCREDCLIENT
New client secret: **************
Verify new client secret: **************
scope: uaa.none
client_id: MYCREDCLIENT
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
authorities: credhub.write credhub.read
name: MYCREDCLIENT
required_user_groups:
lastmodified: 1528
id: MYCREDCLIENT
created_by: 027
# Now get logged in:
$ uaac token client get MYCREDCLIENT -s PASSWORDHERE
$ credhub api OPSMANIP:8844 --skip-tls-validation
$ credhub login --client-name=MYCREDCLIENT --client-secret=PASSWORDHERE
# Now see what is already in CREDHUB:
$ credhub f
credentials:
- name: /bosh_dns_health_client
version_created_at:
…
$ credhub set -n /concourse/test --type value --value MYVALUE
id: e4bd-324-34-34b5
name: /concourse/test
type: value
value: MYVALUE
version_created_at:
$ credhub get -n /concourse/test
id: e4bd-324-34-34b5
name: /concourse/test
type: value
value: MYVALUE
version_created_at:
$ credhub delete -n /concourse/test
# ADD the lines between ###### NEW STUFF STARTS HERE ###### and ###### NEW STUFF ENDS HERE ###### to the atc job
# properties in your concourse.yml, then redeploy Concourse (my deploy command is further down)
instance_groups:
- name: web
  instances: 1
  azs: [z1]
  networks: [{name: ((network_name))}]
  stemcell: HERE
  vm_type: ((web_vm_type))
  jobs:
  - release: concourse
    name: atc
    properties:
      log_level: debug
      token_signing_key: ((token_signing_key))
      external_url: ((external_url))
      ###### NEW STUFF STARTS HERE ######
      credhub:
        url: https://OPSMAN:8844
        client_id: MYCREDCLIENT
        client_secret: PASSWORDHERE
        tls:
          insecure_skip_verify: false
          credhub_ca_cert: |
            -----BEGIN CERTIFICATE-----
            KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEY
            KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEY
            KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEY
            KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEY
            KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEY
            KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEY
            KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEY
            -----END CERTIFICATE-----
      ###### NEW STUFF ENDS HERE ######
^^^^ the credhub_ca_cert value is the CA certificate from https://OPSMAN/api/v0/deployed/products/cf-BLAH/credentials/.properties.credhub_tls (the second key in that response)
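As an added check that is not part of the original post: a stdlib-only Python function that reviews the atc credhub block above once concourse.yml has been parsed into a dict (parsing with PyYAML or similar is assumed and not shown). It flags a literal client_secret, insecure_skip_verify not explicitly false, a missing or malformed credhub_ca_cert and a non-https url, using the key names exactly as they appear in the block above; the sample block is constructed and deliberately carries two weak settings.

```python
import re

# PEM body: one or more base64 lines between the BEGIN/END CERTIFICATE markers.
PEM_CERT_RE = re.compile(
    r"^-----BEGIN CERTIFICATE-----\n(?:[A-Za-z0-9+/=]+\n)+-----END CERTIFICATE-----\n?$"
)
# A BOSH manifest variable reference such as ((credhub_client_secret)).
VAR_REF_RE = re.compile(r"^\(\([A-Za-z0-9_./:-]+\)\)$")


def check_credhub_block(credhub):
    """Return findings for the atc job's 'credhub' properties mapping.

    `credhub` is the already-parsed mapping found at
    instance_groups[].jobs[name=atc].properties.credhub in concourse.yml.
    An empty list means every check here passed.
    """
    findings = []
    url = str(credhub.get("url", ""))
    if not url.startswith("https://"):
        findings.append("url: CredHub must be addressed over https")
    secret = credhub.get("client_secret")
    if secret is None:
        findings.append("client_secret: missing")
    elif not VAR_REF_RE.match(str(secret)):
        findings.append("client_secret: literal value in the manifest; "
                        "reference a ((var)) and keep it in the --vars-store file")
    tls = credhub.get("tls") or {}
    # Fail closed: anything other than an explicit false is reported.
    if tls.get("insecure_skip_verify") is not False:
        findings.append("tls.insecure_skip_verify: must be explicitly false")
    ca = tls.get("credhub_ca_cert")
    if not ca:
        findings.append("tls.credhub_ca_cert: missing; the ATC cannot verify the CredHub certificate")
    elif not PEM_CERT_RE.match(str(ca)):
        findings.append("tls.credhub_ca_cert: not a single PEM certificate block")
    return findings


# Constructed sample mirroring the block in the post, with a literal secret
# and verification switched off so both findings show up.
SAMPLE_BLOCK = {
    "url": "https://OPSMAN:8844",
    "client_id": "MYCREDCLIENT",
    "client_secret": "PASSWORDHERE",
    "tls": {
        "insecure_skip_verify": True,
        "credhub_ca_cert": "-----BEGIN CERTIFICATE-----\nKEYKEYKEY\n-----END CERTIFICATE-----\n",
    },
}

if __name__ == "__main__":
    for finding in check_credhub_block(SAMPLE_BLOCK) or ["OK"]:
        print(finding)
```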
# After this, you just redeploy your Concourse. You probably shouldn't use my command as-is; your variables will be different
bosh -e BOSHDIRECTORIP deploy -d concourse concourse.yml -l ../versions.yml --vars-store cluster-creds.yml -o operations/static-web.yml --var web_ip=WEBSERVERIP --var external_url=https://CONCOURSEFQDN --var network_name=default --var web_vm_type=small --var db_vm_type=medium --var db_persistent_disk_type=db --var worker_vm_type=worker --var deployment_name=concourse
##### I did have to play with this a bit, and the easiest way to see what was happening was to `bosh -e ENV -d concourse ssh web/STUFFSTUFFSTUFF` and then watch the atc stdout and stderr logs under /var/vcap/sys/log/atc/.
Also, I created a little pipeline to test with:
test.yml:
jobs:
- name: credhub-test
  plan:
  - do:
    - task: credhub-test
      config:
        platform: linux
        image_resource:
          type: docker-image
          source:
            repository: ubuntu
        run:
          path: sh
          args:
          - -exc
          - |
            echo "Did it work? $TEST_PARAM"
      params:
        TEST_PARAM: ((test))
# Then I added the value to credhub like above:
$ credhub set -n /concourse/test --type value --value "It worked!"
# Tested with:
$ fly -t MYENV login
$ fly -t MYENV set-pipeline -p CredHubTest -c test.yml
$ fly -t MYENV unpause-pipeline --pipeline CredHubTest
$ fly -t MYENV trigger-job -j CredHubTest/credhub-test -w
started CredHubTest/credhub-test #3
initializing
Pulling ubuntu@sha256:4592d67b6d…
…
running sh -exc echo "Did it work? $TEST_PARAM"
+ echo Did it work? It worked!
Did it work? It worked!
succeeded
# Make your victory lap around the office and be thrilled to get your SECRETS off of your local machine