Creating New Variables in CredHub
Page last updated:
This topic explains how CredHub manages variables in the context of a larger deployment, and how to create new variables for use in CredHub.
Background
When a tile author defines a top-level variables section in the product template, Ops Manager passes the variables section to the product manifest.
tile authors can define variables in the product template as follows:
variables:
- name: EXAMPLE-CREDHUB-PASSWORD
type: password
You can reference these variables in the manifest snippets in their tile metadata using a triple parentheses syntax:
((( EXAMPLE-CREDHUB-PASSWORD )))
Using triple parentheses lets Ops Manager identify CredHub variables while still supporting the BOSH double parentheses syntax. A variable referenced within triple parentheses is replaced by double parentheses in the generated manifest. After contacting CredHub, BOSH populates that variable value internally.
The benefit of this approach is that the Ops Manager YAML file does not contain sensitive credentials when the metadata manifest snippets have triple parentheses. The resulting manifest file contains variables within double parentheses, rather than unobscured credentials.
For example, a tile author adds credentials to a manifest snippet in the following format:
key: ((( EXAMPLE-CREDHUB-PASSWORD )))
key: prefix-((( ANOTHER-CREDHUB-PASSWORD )))-suffix
Ops Manager evaluates the above example to generate the following section in the product manifest:
(( EXAMPLE-CREDHUB-PASSWORD ))
prefix-(( ANOTHER-CREDHUB-PASSWORD ))-suffix
How CredHub Works Within a Deployment
CredHub is distributed as a BOSH release. As part of this installation, Ops Manager co-locates the CredHub release on the BOSH Director, including the CredHub job configurations, and the Director is configured to point to the CredHub API.
Once CredHub has been deployed and configured on the Director, any Director deployment can use CredHub variables in place of credential values. Using variables, rather than values, provides an extra layer of security when transmitting credentials within your deployment.
Changing Your Deployment Manifest to Include CredHub Variables
The BOSH Director interpolates credential values into manifests that use the ((variables)) syntax. When the Director encounters a variable using this syntax, it requests the credential value from CredHub. If the credential does not exist and the release or manifest contains generation properties, the credential value is generated automatically.
The manifest excerpt below includes references to two credentials, EXAMPLE-PASSWORD and EXAMPLE-TLS.
When this manifest is deployed, the BOSH Director retrieves the stored variables and replaces them with the credential values associated with each variable. The EXAMPLE-TLS variables include property accessors, so only the certificate and private_key components are interpolated.
name: demo-deploy
instance_groups:
jobs:
- name: demo
release: demo
properties:
demo:
password: ((EXAMPLE-PASSWORD))
tls:
certificate: ((EXAMPLE-TLS.certificate))
private_key: ((EXAMPLE-TLS.private_key))
Ops Manager configures the Director to generate a credential if it does not exist. The manifest includes generation parameters that define how the credential should be generated. These generation parameters are defined in the variables section as shown below.
---
name: demo deploy
variables:
- name: EXAMPLE-PASSWORD
type: password
- name: EXAMPLE-CA
type: certificate
options:
is_ca: true
common_name: 'Example Certificate Authority'
- name: EXAMPLE-TLS
type: certificate
options:
ca: EXAMPLE-CA
common_name: example.com
instance_groups:
jobs:
- name: demo
release: demo
properties:
demo:
password: (( EXAMPLE-PASSWORD ))
tls:
certificate: (( EXAMPLE-TLS.certificate ))
private_key: (( EXAMPLE-TLS.private_key ))
Variable Namespacing
Deployment manifests often use common variable names; for example, (( PASSWORD )). To avoid variable name collisions between deployments, the BOSH Director automatically stores variables with the BOSH Director name and deployment name. For example, the variable (( EXAMPLE-PASSWORD )) is stored in CredHub as /BOSH-Director-name/deployment-name/example-password.
Other Namespacing Options
Use a BOSH link to share credentials across deployments. You can read about BOSH links in the v1.11 Release Notice. Alternatively, if you want to use an exact name, prefixing the variable with a forward slash (/) will cause the Director to use the exact name you type. An example of a precisely typed variable follows.
((/EXAMPLE-PASSWORD))
Reference Existing CAs in CredHub Variables
This section describes how to reference existing CAs stored in CredHub correctly in your tile’s property configuration.
In Ops Manager v2.9 and later, operators can perform a bulk rotation of all CAs and certificates in a foundation, which may include leaf certificates used by individual service tiles. Ops Manager invokes CredHub Maestro to perform this operation.
CredHub Maestro requires that any triple parentheses references to CAs that sign leaf certificates must return a concatenated version of the CA. The concatenated version, which includes the older and newer CA, ensures that jobs using leaf certificates do not lose trusted state during CA rotation. This translates to the least amount of downtime of your tile’s services during certificate rotation.
When referencing a CA stored in CredHub, use the format LEAF-CERTIFICATE-NAME.ca to ensure that a concatenated version of the CA is returned. Do not reference the CA directly with the format CA-CERTIFICATE-NAME.certificate.
The following table presents examples of the correct and incorrect way to reference CAs and leaf certificates in order to support certificate rotation by CredHub Maestro.
| Correct Format | Incorrect Format |
|---|---|
templates:
- name: bpm
release: bpm
- manifest: |
...
.properties.routing_backends_client_cert_with_san.cert_pem ))
private_key: (( .properties.routing_backends_client_cert_with_san.private_key_pem ))
ca_certs: |
(( .properties.routing_custom_ca_certificates.value ))
(( $ops_manager.ca_certificate ))
((( /cf/some-diego-leaf-cert.ca )))
((( /cf/some-diego-leaf-2-6.ca)))
forwarded_client_cert: (( .properties.routing_tls_termination.selected_option.parsed_manifest(gorouter_forwarded_client_cert) ))
variables:
- name: /cf/diego-instance-identity-root-ca
options:
common_name: Diego Instance Identity Root CA
duration: 1095
is_ca: true
type: certificate
- name: /cf/diego-instance-identity-root-ca-2-6
options:
common_name: Diego Instance Identity Root CA
duration: 1095
is_ca: true
type: certificate
- name: /cf/some-diego-leaf-cert.ca
options:
ca: /cf/diego-instance-identity-root-ca
type: certificate
- name: /cf/some-diego-leaf-2-6.ca
options:
ca: /cf/diego-instance-identity-root-ca-2-6
type: certificate |
templates:
- name: bpm
release: bpm
- manifest: |
...
.properties.routing_backends_client_cert_with_san.cert_pem ))
private_key: (( .properties.routing_backends_client_cert_with_san.private_key_pem ))
ca_certs: |
(( .properties.routing_custom_ca_certificates.value ))
(( $ops_manager.ca_certificate ))
((( /cf/diego-instance-identity-root-ca.certificate )))
((( /cf/diego-instance-identity-root-ca-2-6.certificate )))
forwarded_client_cert: (( .properties.routing_tls_termination.selected_option.parsed_manifest(gorouter_forwarded_client_cert) ))
variables:
- name: /cf/diego-instance-identity-root-ca
options:
common_name: Diego Instance Identity Root CA
duration: 1095
is_ca: true
type: certificate
- name: /cf/diego-instance-identity-root-ca-2-6
options:
common_name: Diego Instance Identity Root CA
duration: 1095
is_ca: true
type: certificate |