Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

121 lines (115 sloc) 3.5 KB
# Notes: there are some dependencies while enabling this ops file:
# - /operations/tls.yml: for TLS
# - /operations/uaa.yml: for client/user authentication
# release
- path: /releases/-
type: replace
value:
name: credhub
url: https://bosh.io/d/github.com/pivotal-cf/credhub-release?v=((credhub_version))
sha1: ((credhub_sha1))
version: ((credhub_version))
# variables
- path: /variables?/name=credhub_db_password?
type: replace
value:
name: credhub_db_password
type: password
- path: /variables?/name=credhub_encryption_password?
type: replace
value:
name: credhub_encryption_password
type: password
options:
length: 40
- path: /variables?/name=concourse_to_credhub_client_secret?
type: replace
value:
name: concourse_to_credhub_client_secret
type: password
- path: /variables?/name=credhub_admin_secret?
type: replace
value:
name: credhub_admin_secret
type: password
# add credhub job to web instance group
- path: /instance_groups/name=web/jobs/-
type: replace
value:
name: credhub
release: credhub
properties:
credhub:
port: 8844
tls: ((atc_tls))
authentication:
uaa:
enabled: true
url: "((external_url)):8443"
ca_certs: [((atc_tls.ca))]
authorization:
acls:
enabled: false
data_storage:
type: postgres
database: &credhub_db credhub
username: &credhub_db_role credhub
password: &credhub_db_passwd ((credhub_db_password))
require_tls: false
log_level: info
encryption:
providers:
- name: internal-provider
type: internal
keys:
- provider_name: internal-provider
key_properties:
encryption_password: ((credhub_encryption_password))
active: true
# update DB instance to include credhub database
- path: /instance_groups/name=db/jobs/name=postgres/properties/databases/databases/-
type: replace
value:
name: *credhub_db
- path: /instance_groups/name=db/jobs/name=postgres/properties/databases/roles/-
type: replace
value:
name: *credhub_db
password: *credhub_db_passwd
# update UAA job by adding new client(s)
# concourse_to_credhub_client is used for concourse<->credhub integration
- path: /instance_groups/name=web/jobs/name=uaa/properties/uaa/clients?/concourse_to_credhub_client
type: replace
value:
id: concourse_to_credhub_client
secret: ((concourse_to_credhub_client_secret))
override: true
authorized-grant-types: client_credentials
scope: ""
authorities: credhub.read,credhub.write
access-token-validity: 1200
refresh-token-validity: 3600
# credhub_admin is used as the CredHub Admin
- path: /instance_groups/name=web/jobs/name=uaa/properties/uaa/clients?/credhub_admin
type: replace
value:
id: credhub_admin
secret: ((credhub_admin_secret))
override: true
authorized-grant-types: client_credentials
scope: ""
authorities: credhub.read,credhub.write
access-token-validity: 3600
refresh-token-validity: 3600
# add credhub integration with concourse
- path: /instance_groups/name=web/jobs/name=web/properties/credhub?
type: replace
value:
url: ((external_url)):8844
tls:
ca_cert: ((atc_tls.ca))
client_cert: ((atc_tls.certificate))
insecure_skip_verify: false
client_id: concourse_to_credhub_client
client_secret: ((concourse_to_credhub_client_secret))
path_prefix: /concourse
You can’t perform that action at this time.