This is a draft document that was built and uploaded automatically. It may document beta software and be incomplete or even incorrect. Use this document at your own risk.

Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
Deployment, Administration, and User Guides › SUSE Cloud Application Platform Administration › Integrating CredHub with SUSE Cloud Application Platform
ContentsContents
Deployment, Administration, and User Guides
  1. About This Guide
  2. I Overview of SUSE Cloud Application Platform
    1. 1 About SUSE Cloud Application Platform
    2. 2 Other Kubernetes Systems
  3. II Deploying SUSE Cloud Application Platform
    1. 3 Deployment and Administration Notes
    2. 4 Deploying SUSE Cloud Application Platform on SUSE CaaS Platform
    3. 5 Deploying SUSE Cloud Application Platform on Microsoft Azure Kubernetes Service (AKS)
    4. 6 Deploying SUSE Cloud Application Platform on Amazon Elastic Kubernetes Service (EKS)
    5. 7 Deploying SUSE Cloud Application Platform on Google Kubernetes Engine (GKE)
    6. 8 Installing the Stratos Web Console
    7. 9 Eirini
    8. 10 Deploying SUSE Cloud Application Platform Using Terraform
    9. 11 Setting Up a Registry for an Air Gapped Environment
    10. 12 SUSE Private Registry
  4. III SUSE Cloud Application Platform Administration
    1. 13 Upgrading SUSE Cloud Application Platform
    2. 14 Configuration Changes
    3. 15 Creating Admin Users
    4. 16 Managing Passwords
    5. 17 Accessing the UAA User Interface
    6. 18 Container Memory Limits and Requests
    7. 19 Cloud Controller Database Secret Rotation
    8. 20 Rotating Automatically Generated Secrets
    9. 21 Backup and Restore
    10. 22 Service Brokers
    11. 23 App-AutoScaler
    12. 24 Integrating CredHub with SUSE Cloud Application Platform
    13. 25 Buildpacks
  5. IV SUSE Cloud Application Platform User Guide
    1. 26 Deploying and Managing Applications with the Cloud Foundry Client
  6. V Troubleshooting
    1. 27 Troubleshooting
  7. A Appendix
  8. B GNU Licenses
Navigation
Deployment, Administration, and User Guides › SUSE Cloud Application Platform Administration › Integrating CredHub with SUSE Cloud Application Platform
Top
Applies to SUSE Cloud Application Platform 2.1.1

24 Integrating CredHub with SUSE Cloud Application Platform

  • File Name: cap_admin_credhub.xml
  • ID: no ID found
24.1 Installing the CredHub Client
24.2 Enabling and Disabling CredHub
24.3 Connecting to the CredHub Service

SUSE Cloud Application Platform supports CredHub integration. You should already have a working CredHub instance, a CredHub service on your cluster, then apply the steps in this chapter to connect SUSE Cloud Application Platform.

24.1 Installing the CredHub Client

  • File Name: cap_admin_credhub.xml
  • ID: sec-cap-credhub

Start by creating a new directory for the CredHub client on your local workstation, then download and unpack the CredHub client. The following example is for the 2.2.0 Linux release. For other platforms and current releases, see the cloudfoundry-incubator/credhub-cli at https://github.com/cloudfoundry-incubator/credhub-cli/releases 

tux > mkdir chclient
tux > cd chclient
tux > wget https://github.com/cloudfoundry-incubator/credhub-cli/releases/download/2.2.0/credhub-linux-2.2.0.tgz
tux > tar zxf credhub-linux-2.2.0.tgz

24.2 Enabling and Disabling CredHub

  • File Name: cap_admin_credhub.xml
  • ID: sec-cap-credhub-enable

CredHub is enabled by default. To disable it, add the following the following block to your kubecf-config-values.yaml file. 

features:
  credhub:
    enabled: false

To enable CredHub again, update the above block in your kubecf-config-values.yaml so that enabled is set to true.

After making the change above, and any other configuration changes, apply the update by doing the following:

Warning
Warning

On occasion, the credhub pod may fail to start due to database migration failures; this has been spotted intermittently on Microsoft Azure Kubernetes Service and to a lesser extent, other public clouds. In these situations, manual intervention is required to track the last completed transaction in credhub_user database and update the flyway schema history table with the record of the last completed transaction. Please contact support for further instructions.

24.3 Connecting to the CredHub Service

  • File Name: cap_admin_credhub.xml
  • ID: sec-cap-credhub-connect

Set environment variables for the CredHub client, your CredHub service location, and Cloud Application Platform namespace. In these guides the example namespace is kubecf: 

tux > CH_CLI=~/chclient/credhub
tux > CH_SERVICE=https://credhub.example.com
tux > NAMESPACE=kubecf

Set up the CredHub service location: 

tux > SECRET="$(kubectl get secrets --namespace "${NAMESPACE}" | awk '/^secrets-/ { print $1 }')"
tux > CH_SECRET="$(kubectl get secrets --namespace "${NAMESPACE}" "${SECRET}" --output jsonpath="{.data['uaa-clients-credhub-user-cli-secret']}"|base64 --decode)"
tux > CH_CLIENT=credhub_user_cli
tux > echo Service ......@ $CH_SERVICE
tux > echo CH cli Secret @ $CH_SECRET

Set the CredHub target through its Kubernetes service, then log into CredHub: 

tux > "${CH_CLI}" api --skip-tls-validation --server "${CH_SERVICE}"
tux > "${CH_CLI}" login --client-name="${CH_CLIENT}" --client-secret="${CH_SECRET}"

Test your new connection by inserting and retrieving some fake credentials: 

tux > "${CH_CLI}" set --name FOX --type value --value 'fox over lazy dog'
tux > "${CH_CLI}" set --name DOG --type user --username dog --password fox
tux > "${CH_CLI}" get --name FOX
tux > "${CH_CLI}" get --name DOG
Chapter 25 BuildpacksChapter 23 App-AutoScaler
Print this page

© 2022 SUSE