Support CredHub's CF Instance Identity roles #2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Cloud Foundry provides all apps with certificates containing their identity, a system called Instance Identity [1]. You can use these certificates to connect to CredHub using Mutual TLS, and when you do you get the role `mtls-app:APP_GUID` [2]. This PR adds a new `CREDHUB_USE_CF_INSTANCE_IDENTITY` environment variable. When set to true it will configure CredHub to use the Instance Identity certificates, and all CredHub commands will be run using that `mtls-app:APP_GUID` role. I think this has a lot of value in an automated, brokered CredHub like the one I'm working on in my `credhub-service-broker` [3]. This feature will only work if the buildpack is built to include a version of the CredHub CLI that supports using client certificates. I have a PR open for that [4]. [1] https://docs.cloudfoundry.org/devguide/deploy-apps/instance-identity.html [2] https://github.com/cloudfoundry-incubator/credhub/blob/master/docs/authentication-identities.md [3] https://github.com/46bit/credhub-service-broker [4] cloudfoundry/credhub-cli#103
andy-paine
reviewed
Aug 13, 2020
| @@ -6,6 +6,11 @@ | |||
| env_dir = ARGV[1] | |||
| file_dir = ARGV[2] | |||
|
|
|||
| if ENV["CREDHUB_USE_CF_INSTANCE_IDENTITY"] == "true" | |||
There was a problem hiding this comment.
Suggested change
| if ENV["CREDHUB_USE_CF_INSTANCE_IDENTITY"] == "true" | |
| if not ENV.key? 'CREDHUB_CLIENT' and ENV.key? 'CREDHUB_SECRET' |
I think make this the default auth method since it is the only one that doesn't require any external data. This leaves it really clean when you are using cert auth since you just include CREDHUB_SERVER and CREDHUB_CA_CERT.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi Andy 👋 This is to address #1.
What
Cloud Foundry provides all apps with certificates containing their identity, a system called Instance Identity [1]. You can use these certificates to connect to CredHub using Mutual TLS, and when you do you get the role
mtls-app:APP_GUID[2].This PR adds a new
CREDHUB_USE_CF_INSTANCE_IDENTITYenvironment variable. When set to true it will configure CredHub to use the Instance Identity certificates, and all CredHub commands will be run using thatmtls-app:APP_GUIDrole.I think this has a lot of value in an automated, brokered CredHub like the one I'm working on in my
credhub-service-broker[3].This feature will only work if the buildpack is built to include a version of the CredHub CLI that supports using client certificates. I have a PR open for that [4].
[1] https://docs.cloudfoundry.org/devguide/deploy-apps/instance-identity.html
[2] https://github.com/cloudfoundry-incubator/credhub/blob/master/docs/authentication-identities.md
[3] https://github.com/46bit/credhub-service-broker
[4] cloudfoundry/credhub-cli#103
How to review
For now I'm interested in whether you'd merge this. :)