Support Secure Service Credential Delivery for apps using file-based service bindings

### Proposed Change

Cloud Foundry supports a feature where service brokers can store service credentials in CredHub instead of within Cloud Controller's database. The broker will create credentials and grant access to apps based on their GUID. Cloud Controller receives a reference to the credential which is provided to the app via VCAP_SERVICES. The buildpack/docker app launchers then call CredHub (using the app's instance identity certs for auth(n/z)) to deference these values and interpolate them back into VCAP_SERVICES.

A [new feature](https://github.com/cloudfoundry/community/blob/4f05e2e08700ef388e3857c7c225c7e3cb565a1b/toc/rfc/rfc-0030-add-support-for-file-based-service-binding.md) allows apps to opt in to having service binding credentials provided via files instead of in the `VCAP_SERVICES` environment variable. We should extend the buildpackapplifecycle's Secure Service Credential Delivery functionality to also support file-based bindings.

### Acceptance criteria

**Scenario**: K8s Style Service Bindings
**Given** I have enabled the `service-binding-k8s` feature flag on my app (https://v3-apidocs.cloudfoundry.org/version/3.194.0/index.html#supported-app-features)
**And** I have pushed an app that reads and displays service binding credentials from `$SERVICE_BINDING_ROOT`
**When** I bind the app to a Credhub-enabled service broker ([use this one in CATS](https://github.com/cloudfoundry/cf-acceptance-tests/tree/main/assets/credhub-service-broker))
**And** I inspect the app
**Then** I see the CredHub credentials have been dereferenced

**Scenario**: File-based VCAP Services
**Given** I have enabled the `file-based-vcap-services` feature flag on my app (https://v3-apidocs.cloudfoundry.org/version/3.194.0/index.html#supported-app-features)
**And** I have pushed an app that reads and displays service binding credentials from `$VCAP_SERVICES_FILE_PATH`
**When** I bind the app to a Credhub-enabled service broker ([use this one in CATS](https://github.com/cloudfoundry/cf-acceptance-tests/tree/main/assets/credhub-service-broker))
**And** I inspect the app
**Then** I see the CredHub credentials have been dereferenced

### Related links

- https://github.com/cloudfoundry/community/blob/4f05e2e08700ef388e3857c7c225c7e3cb565a1b/toc/rfc/rfc-0030-add-support-for-file-based-service-binding.md?plain=1#L27
- https://github.com/cloudfoundry/cnbapplifecycle/issues/92
- https://github.com/cloudfoundry/credhub/blob/main/docs/secure-service-credentials.md#secure-service-credential-delivery

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support Secure Service Credential Delivery for apps using file-based service bindings #76

Proposed Change

Acceptance criteria

Related links

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Support Secure Service Credential Delivery for apps using file-based service bindings #76

Description

Proposed Change

Acceptance criteria

Related links

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions