Generate new secrets for Concourse

After upgrading to >= 3.7.0 we have to introduce new properties to atc, tsa and groundcrew as outlined here: concourse/concourse#1834 Three new keys will be generated: concourse_token_signing_key, concourse_tsa_host_key and concourse_worker_key.
alphagov · Dec 21, 2017 · b1ac3c4 · b1ac3c4
1 parent 451bfbd
commit b1ac3c4
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/manifests/concourse-manifest/concourse-base.yml b/manifests/concourse-manifest/concourse-base.yml
@@ -110,6 +110,7 @@ jobs:
             role:
               name: atc
               password: (( grab secrets.concourse_postgres_password ))
+          token_signing_key: (( grab secrets.concourse_token_signing_key ))
 
       - name: groundcrew
         release: concourse
@@ -119,13 +120,17 @@ jobs:
           tsa:
             host: 127.0.0.1
             port: 2222
+            worker_key: (( grab secrets.concourse_worker_key ))
 
       - name: tsa
         release: concourse
         properties:
           forward_host: 127.0.0.1
           atc:
             address: 127.0.0.1:8080
+          host_key: (( grab secrets.concourse_tsa_host_key ))
+          token_signing_key: (( grab secrets.concourse_token_signing_key ))
+          authorized_keys: [(( grab secrets.concourse_worker_key.public_key ))]
 
       - name: baggageclaim
         release: concourse

diff --git a/manifests/concourse-manifest/scripts/generate-concourse-secrets.rb b/manifests/concourse-manifest/scripts/generate-concourse-secrets.rb
@@ -8,6 +8,9 @@
   "concourse_vcap_password" => :sha512_crypted,
   "concourse_atc_password" => :simple,
   "concourse_postgres_password" => :simple,
+  "concourse_token_signing_key" => :bosh_rsa_key,
+  "concourse_tsa_host_key" => :bosh_ssh_key,
+  "concourse_worker_key" => :bosh_ssh_key,
 )
 
 option_parser = OptionParser.new do |opts|