Skip to content
This repository has been archived by the owner. It is now read-only.
Deploy a Credhub with your Concourse
Branch: master
Clone or download
zmb3 Merge pull request #8 from pivotalservices/revert-7-add-key-properties
Revert "Add 'key_properties' parent key"
Latest commit 2281527 Oct 11, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bbl-terraform Initial commit Jul 31, 2018
operations Revert "Add 'key_properties' parent key" Oct 11, 2018
LICENSE Initial commit Jul 31, 2018
README.md Change concourse local_user to admin. Aug 28, 2018
deploy-concourse.sh Rename CONCOURSE_URL to CONCOURSE_HOST Aug 20, 2018
target-concourse-credhub.sh Initial commit Jul 31, 2018
versions.yml Initial commit Jul 31, 2018

README.md

Concourse + Credhub

Opinionated operations files for deploying Concourse with Credhub.

These files collocate the Credhub and UAA jobs with Concourse's ATC. This configuration is documented in the Control Plane reference architectures and is depicted in the following diagram:

Credhub

Deployment

This repo contains operations files that are meant to be used in conjunction with the manifests and operations files located at https://github.com/concourse/concourse-bosh-deployment

Prerequisites

Concourse is now using Xenial stemcells, so upload the appropriate stemcells for your IaaS prior to running deploy-concourse.sh.

Additionally, Concourse 4.0 expects a local user to exist. You can use Credhub to generate this user:

$ credhub generate -t user -z admin -n /bosh-$(bbl env-id)/concourse/local_user

Note: See Connecting to your new Credhub for instructions on how to target Credhub.

BBL Load Balancer

By placing the Credhub and UAA servers on the same instances as Concourse's ATC, we require the load balancer fronting the ATC to be extended to allow for both Credhub (port 8844) and UAA (port 8443) traffic.

If you are using bbl to create this load balancer, you can leverage the terraform provided in the bbl-terraform directory to extend this load balancer to support these additional ports.

This is referred to as a plan patch.

The general flow is:

$ bbl plan --lb-type=concourse
$ cp bbl-terraform/<IAAS>/*.tf $BBL_STATE_DIRECTORY/terraform/
$ bbl up

Backup/Restore via BBR

If you wish to use bbr to backup and restore the deployment, you'll need to add some extra operations files to your deployment:

  • enable-db-backups.yml: Include the backup and restore SDK release and add backup-restorer job
  • backup-atc-db.yml: Backup Concourse's ATC database (pipelines, build logs, etc)
  • backup-uaa-db.yml: Backup the UAA database (users, clients, secrets, etc)
  • backup-credhub-db.yml: Backup the Credhub database (Credhub secrets)

Connecting to your new Credhub

The client secret for connecting to the Concourse Credhub is stored in the BOSH director's Credhub. This repo includes a target-concourse-credhub.sh script that you can source in order to target the Concourse Credhub.

$ CONCOURSE_URL=https://concourse.example.com source target-concourse-credhub.sh
$ credhub find

Connecting to Concourse

If you used Credhub to generate the local user (see Prerequisites) then you can retrieve the credentials with the following command:

$ credhub get -n bosh-$(bbl env-id)/concourse/local_user

Once you have the credentials, log in with the fly CLI:

$ fly -t concourse login -c $CONCOURSE_URL -k
You can’t perform that action at this time.