CredHub

In this lab we explore Credhub, and more specifically, how Concourse leverages Credhub for managing secrets securely.

Credhub Basics

Review the CredHub documentation for Pivotal Platform here.

In the Concourse lab, you generated and stored the credentials for the Concourse local user in CredHub.

One important point is that CredHub can be used in many scenarios and contexts.

Bosh vs Concourse CredHub

Bosh CredHub

An instance of CredHub is running on the Bosh Director VM. You can read about it here.

Verify this:

  • Navigate to ~/workspace/concourse-bosh-deployment
  • Run the command bosh-env and make note of the IP address of the bosh director
  • Next, echo the contents of the environment variable $CREDHUB_SERVER
  • The CredHub server URL has the same IP address

This instance of CredHub exists to ensure that credentials used by bosh deployments are managed securely.

For example:

  • Open your concourse deployment manifest, concourse.yml in a text editor
  • Around line 32, note that the concourse web server requires a token signing key
  • See if you can find that token signing key in credhub (Hint: use the credhub find command)

When a bosh deployment takes place, bosh notices that it requires a credential of a particular type, and either resolves it against a supplied variable, or generates the credentials it needs along the way and stores them in credhub.

Other products have similar needs.

Concourse CredHub

Concourse is a CI/CD server. It executes jobs. Those jobs often need access to credentials in order to fetch or store information in git repositories, artifact repositories, databases, etc.

Concourse supports a number of credential managers, including CredHub.

  • Navigate to the Concourse web site (https://concourse-ci.org/)
  • Click on the docs tab
  • From the navbar, navigate to Operation, then to Credential Management
  • Select the sub-item The CredHub credentials manager

Question: Was the Concourse you deployed configured with a CredHub instance?

Hint: Look at the command you invoked to deploy Concourse, in deploy.sh and review the list of operations files provided along with that command.

Connect to the Concourse Credhub

The .envrc file in ~/workspace/concourse-bosh-deployment configures the credhub CLI to target the bosh CredHub. It does this via the om bosh-env command.

  • Can you identify which environment variables do this?

Hint: the environment variables all begin with the prefix CREDHUB.

Setup Concourse CredHub access with direnv

Navigate up to ~/workspace and author a separate .envrc file for accessing the Concourse CredHub this time.

The four environment variables that need to be set are:

  • CREDHUB_SERVER
  • CREDHUB_CLIENT
  • CREDHUB_SECRET
  • CREDHUB_CA_CERT

We know that the server is colocated with the Concourse web VM. But on what port? The answer to that question (and the next one: the name of the credhub client) can be found in the ops file, credhub-colocated.yml. The secret and CA cert are stored in the bosh credhub.

If you're stuck, feel free to glance at the solution below.

Answer
  • CredHub server port number: 8844

    Around line 46 of credhub-colocated.yml, the value of port

  • CredHub client name: credhub_admin

    Around lines 97 - 108 of credhub-colocated.yml

  • CredHub password: value of variable credhub_admin_secret in bosh credhub

    Retrieve with:

    credhub get -n /p-bosh/concourse/credhub_admin_secret -q
    
  • Credhub CA Certificate: value of variable atc_tls in bosh credhub

    Retrieve with:

    credhub get -n /p-bosh/concourse/atc_tls -k ca
    

The final .envrc file should resemble this:

#!/bin/sh

# __Concourse CredHub__

export CREDHUB_SERVER="https://ci.myenv.pal4pe.com:8844/"

export CREDHUB_CLIENT="credhub_admin"
export CREDHUB_SECRET="thats-not-right"

export CREDHUB_CA_CERT="$(cat <<END_CERT
-----BEGIN CERTIFICATE-----
insert certificate contents here
-----END CERTIFICATE-----
END_CERT)"

Verify

  1. Be sure to direnv allow this new .envrc file.

  2. From the ~/workspace directory, run credhub find. This instance of credhub does not yet have any secrets in it.

Leverage Credhub in a Pipeline

  • Navigate to ~/workspace/pipelines
  • Edit hello.yml
  • Replace the hard-coded "Hello, World!" with "Hello, ((secret_agent))!"

Next:

  • Use the fly command to update your hello pipeline with this updated yaml file.
  • Run the job.

Does it succeed? What is the error message?

Store the secret

  1. Study the help documentation for the credhub set command

  2. Study the Concourse to Credhub Credential Lookup Rules.

  3. Figure out what the fully qualified name or path for your secret needs to be.

  4. Use the credhub set command to store a value for your secret_agent.
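The lookup rules in step 2 decide which CredHub path Concourse tries first for ((secret_agent)). The script below is an added example (not part of the lab) that emulates that order offline: it assumes the default prefix /concourse, a team named main, a pipeline named hello, and a constructed list of stored names standing in for credhub find output.

```shell
#!/bin/sh
# Added example: emulate the Concourse -> CredHub lookup order for a pipeline
# variable. Concourse tries the pipeline-scoped name first, then the team-scoped
# name. Assumed values: prefix /concourse (the default), team "main",
# pipeline "hello". The stored names below are constructed, not real output.

# Print the candidate CredHub names in the order Concourse tries them.
credhub_lookup_paths() {
  prefix=$1 team=$2 pipeline=$3 var=$4
  printf '%s\n' "$prefix/$team/$pipeline/$var" "$prefix/$team/$var"
}

# Constructed stand-in for `credhub find` output (names currently stored).
STORED_NAMES='/concourse/main/secret_agent
/concourse/main/other/secret_agent
/p-bosh/concourse/credhub_admin_secret'

# Resolve a variable the way Concourse would: the first existing candidate wins.
# Echoes the matching name; returns 1 (the job would fail with an undefined
# variable error) when no candidate is stored.
resolve_var() {
  for candidate in $(credhub_lookup_paths "$1" "$2" "$3" "$4"); do
    if printf '%s\n' "$STORED_NAMES" | grep -qx -- "$candidate"; then
      echo "$candidate"
      return 0
    fi
  done
  echo "undefined var: $4" >&2
  return 1
}

# Team-scoped fallback is used because no /concourse/main/hello/secret_agent exists.
resolve_var /concourse main hello secret_agent
```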

Make it pass

Re-run the job. This time it should pass.