This guide provides instructions on how to enable Secure Service Delivery for Cloud Foundry using cf-deployment.
- Set up your CF infrastructure. More details are in the cf-deployment repo.
- Create a load balancer for the CredHub cluster. It has to be a TCP load balancer so that TLS is not terminated at the load balancer. The firewall rules need to allow traffic on CredHub's default port, 8844.
- Create a DNS entry `credhub.((system_domain))` pointing at the CredHub load balancer from the previous step.
- Update the cloud config on your BOSH director to include a VM extension for the load balancer. The name of the VM extension has to be `credhub-lb`, as that is what the ops file references.
Required manifest modifications are in the secure-service-credentials.yml ops file. Here is a summary of the changes:
- Adds a CredHub instance group to the cf deployment
- Adds a database
- Adds CredHub's server CA to the container and diego cell trust stores
- Provides CredHub's server CA to the Cloud Controller job
```shell
bosh -e <env> deploy \
  cf-deployment.yml \
  -d cf \
  -v system_domain=<your_system_domain> \
  -o operations/experimental/enable-instance-identity-credentials.yml \
  -o operations/experimental/secure-service-credentials.yml
```
After deploying Cloud Foundry with the above configuration, you need to set the running environment variable group so that applications can locate the CredHub API:
```shell
cf set-running-environment-variable-group '{"CREDHUB_API":"https://credhub.<your_system_domain>:8844"}'
```
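The steps above only work if the address in `CREDHUB_API` is exactly the TCP passthrough endpoint and the certificate an app sees chains to CredHub's own server CA (the CA the ops file places in the container trust stores). The following post-deploy check is an added example, not part of cf-deployment; it assumes you have exported that server CA to a PEM file whose path you pass in.

```python
"""Post-deploy checks for the CredHub endpoint configured in this guide.

Added example, not cf-deployment code. The CA PEM path is an assumption:
export CredHub's server CA (the one the ops file adds to the trust stores).
"""
import json
import socket
import ssl
from urllib.parse import urlparse

CREDHUB_PORT = 8844  # CredHub's default port, as used in the guide


def credhub_api_url(system_domain: str) -> str:
    """URL that the CREDHUB_API running environment variable must carry."""
    return f"https://credhub.{system_domain}:{CREDHUB_PORT}"


def running_env_group(system_domain: str) -> str:
    """JSON argument for `cf set-running-environment-variable-group`."""
    return json.dumps({"CREDHUB_API": credhub_api_url(system_domain)},
                      separators=(",", ":"))


def check_api_url(url: str, system_domain: str) -> list[str]:
    """Return the problems found in a CREDHUB_API value (empty list if fine)."""
    u = urlparse(url)
    problems = []
    if u.scheme != "https":
        problems.append("scheme must be https; apps speak TLS directly to CredHub")
    if u.hostname != f"credhub.{system_domain}":
        problems.append(f"host must be credhub.{system_domain}, the DNS entry for the LB")
    if u.port != CREDHUB_PORT:
        problems.append(f"port must be {CREDHUB_PORT}, which the TCP LB passes through")
    return problems


def check_tls_passthrough(system_domain: str, ca_pem_path: str, timeout: float = 5.0) -> str:
    """Handshake with the load-balanced address trusting only CredHub's server CA.

    Succeeds only if the certificate reaching the client chains to that CA, i.e.
    the load balancer did not terminate TLS with a certificate of its own.
    Returns the leaf certificate's CN; raises ssl.SSLError on a trust failure.
    """
    host = f"credhub.{system_domain}"
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    with socket.create_connection((host, CREDHUB_PORT), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
            return subject.get("commonName", "")
```

Run `check_api_url` against the value you actually set with `cf running-environment-variable-group`, and `check_tls_passthrough` from a host that reaches the load balancer; a handshake failure there means the LB is terminating TLS or presenting a certificate the containers will not trust.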