Cloud Controller Database Secret Rotation | Deployment, Administration, and User Guides

Deployment, Administration, and User Guides › SUSE Cloud Application Platform Administration › Cloud Controller Database Secret Rotation

ContentsContents

Deployment, Administration, and User Guides

Navigation←→

Applies to SUSE Cloud Application Platform 2.1.1

19 Cloud Controller Database Secret Rotation #

File Name: cap_admin_ccdb_key_rotation.xml
ID: no ID found

19.1 Tables with Encrypted Information

The Cloud Controller Database (CCDB) encrypts sensitive information like passwords. The encryption key is generated when KubeCF is deployed. If it is compromised or needs to be rotated for any other reason, new keys can be added. Note that existing encrypted information will not be updated. The encrypted information must be set again to have them re-encrypted with the new key. The old key cannot be dropped until all references to it are removed from the database.

Updating these secrets is a manual process that involves decrypting the current contents of the database using the old key and re-encrypting the contents using a new key. The following procedure outlines how this is done.

For each label under key_labels, KubeCF will generate an encryption key. The current_key_label indicates which key is currently being used.
```
ccdb:
  encryption:
    rotation:
      key_labels:
      - encryption_key_0
      current_key_label: encryption_key_0
```

In order to rotate the CCDB encryption key, add a new label to key_labels (keeping the old labels), and mark the current_key_label with the newly added label:

ccdb:
  encryption:
    rotation:
      key_labels:
      - encryption_key_0
      - encryption_key_1
      current_key_label: encryption_key_1

Save the above information into a file, for example rotate-secret.yaml, and perform the rotation:

Update the KubeCF Helm installation:

tux > helm upgrade kubecf --namespace kubecf --values rotate-secret.yaml --reuse-values

After Helm finishes its updates, trigger the rotate-cc-database-key errand:

tux > kubectl patch qjob kubecf-rotate-cc-database-key \
--namespace kubecf \
--type merge \
--patch '{"spec":{"trigger":{"strategy":"now"}}}'

19.1 Tables with Encrypted Information #

File Name: cap_admin_ccdb_key_rotation.xml
ID: sec-cap-ccdb-tables

The CCDB contains several tables with encrypted information as follows:

apps: Environment variables
buildpack_lifecycle_buildpacks: Buildpack URLs may contain passwords
buildpack_lifecycle_data: Buildpack URLs may contain passwords
droplets: May contain Docker registry passwords
env_groups: Environment variables
packages: May contain Docker registry passwords
service_bindings: Contains service credentials
service_brokers: Contains service credentials
service_instances: Contains service credentials
service_keys: Contains service credentials
tasks: Environment variables

19.1.1 Update Existing Data with New Encryption Key #

File Name: cap_admin_ccdb_key_rotation.xml
ID: sec-cap-ccdb-update-existing-table-data

To ensure the encryption key is updated for existing data, the command (or its update- equivalent) can be run again with the same parameters. Some commands need to be deleted/recreated to update the label.

apps: Run cf set-env again
buildpack_lifecycle_buildpacks, buildpack_lifecycle_data, droplets: cf restage the app
packages: cf delete, then cf push the app (Docker apps with registry password)
env_groups: Run cf set-staging-environment-variable-group or cf set-running-environment-variable-group again
service_bindings: Run cf unbind-service and cf bind-service again
service_brokers: Run cf update-service-broker with the appropriate credentials
service_instances: Run cf update-service with the appropriate credentials
service_keys: Run cf delete-service-key and cf create-service-key again
tasks: While tasks have an encryption key label, they are generally meant to be a one-off event, and left to run to completion. If there is a task still running, it could be stopped with cf terminate-task, then run again with cf run-task.

Print this page