To use Concourse effectively you need a credential store: deploy CredHub, keep credentials there, and reference them from pipelines as variables.
Before that can work, a dedicated UAA for CredHub has to be deployed and Concourse has to be wired to it.
This post covers exactly that part.
For reference, the VM that results from this deployment (`bosh vms -d credhub-uaa` columns):

Deployment 'credhub-uaa'

Instance                                          Process State  AZ               IPs        VM CID               VM Type   Active  Stemcell
credhub-uaa/f6e4003a-fadb-49b4-9b6b-32f5413885f6  running        ap-northeast-1d  10.0.6.97  i-025854947ab5452a0  m5.large  true    bosh-aws-xen-hvm-ubuntu-xenial-go_agent/621.211
(1) Install CredHub & UAA with BOSH

- Reserve a static IP
- Create credhub-vars.yml
- Create credhub-uaa-manifest.yml

# Reserve a static IP: dump the current cloud config to find the network name
# (ert-subnet here) and a free address inside that network's static range
$ bosh cloud-config > cloud-config-0513.yml
# vim credhub-vars.yml
---
deployment-network: ert-subnet
external-ip-address: "10.0.6.97"
internal-ip-address: "10.0.6.97"
db_host: localhost
db_port: 5432
uaa_external_url: "https://10.0.6.97:8443"
uaa_internal_url: "https://10.0.6.97:8443"
uaa_version: "74.9.0"
uaa_sha1: "9647fff0fcb249e71ba2290849b4cdbbf7550165"
credhub_version: "2.5.7"
credhub_sha1: "9647fff0fcb249e71ba2290849b4cdbbf7550165"
postgres_version: "39"
postgres_sha1: "8ff395540e77a461322a01c41aa68973c10f1ffb"
bpm_version: "1.1.5"
bpm_sha1: "e612e88543012ae5d376dd3746159d5abe748076"

Note that uaa_sha1 and credhub_sha1 are identical above, which looks like a copy-and-paste slip; check each against the release's bosh.io page before relying on it. As written, the manifest's `releases:` section pins only `version`, so the sha1 values are not consumed at all: the four releases must already be uploaded to the director at those versions (`bosh upload-release`), or you add `url:` and `sha1:` to each release stanza so the director fetches and verifies them.
# vim credhub-uaa-manifest.yml
---
name: credhub-uaa

instance_groups:
- name: credhub-uaa
  azs:
  - ap-northeast-1d
  instances: 1
  vm_type: m5.large
  persistent_disk_type: 51200
  stemcell: xenial
  networks:
  - name: ((deployment-network))
    static_ips:
    - ((internal-ip-address))
  jobs:
  - name: uaa
    release: uaa
    properties:
      encryption:
        active_key_label: 'key-1'
        encryption_keys:
        - label: 'key-1'
          passphrase: "((uaa_encryption_key))"
      login:
        saml:
          serviceProviderCertificate: ((uaa_login_saml.certificate))
          serviceProviderKey: ((uaa_login_saml.private_key))
      uaa:
        clients:
          admin:
            authorized-grant-types: client_credentials
            scope: uaa.none
            authorities: uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin
            secret: "((uaa_admin_client_secret))"
          credhub_cli:
            authorized-grant-types: password,refresh_token
            authorities: uaa.none
            scope: credhub.read,credhub.write
            secret: "" # credhub expects this to be empty
            access-token-validity: 120
            refresh-token-validity: 1800
            override: true
          concourse_client:
            authorized-grant-types: client_credentials
            authorities: credhub.read,credhub.write
            scope: credhub.read,credhub.write
            secret: "((concourse_credhub_client_secret))"
            access-token-validity: 120
            refresh-token-validity: 1800
            override: true
        jwt:
          policy:
            active_key_id: key-1
            keys:
              key-1:
                signingKey: ((uaa_jwt_signing_key.private_key))
        scim:
          users:
          - name: admin
            password: "((cf_admin_password))"
            groups:
            - uaa.admin
          - name: credhub
            password: "((credhub_user_password))"
            groups:
            - credhub.read
            - credhub.write
        sslCertificate: ((uaa_ssl.certificate))
        sslPrivateKey: ((uaa_ssl.private_key))
        url: "((uaa_external_url))"
      uaadb:
        address: ((db_host))
        tls: disabled
        databases:
        - name: uaadb
          tag: uaa
        db_scheme: postgres
        port: ((db_port))
        roles:
        - name: uaaadmin
          password: "((uaa_db_user_password))"
          tag: admin
  - name: credhub
    release: credhub
    properties:
      credhub:
        port: 8844
        tls:
          certificate: ((credhub_ssl.certificate))
          private_key: ((credhub_ssl.private_key))
        data_storage:
          type: postgres
          username: credhubadmin
          password: ((credhub_db_user_password))
          host: ((db_host))
          port: ((db_port))
          database: credhub
          require_tls: false
        authentication:
          uaa:
            ca_certs:
            - ((credhub-ca.certificate))
            enabled: true
            url: "((uaa_external_url))"
            wait_for_start: true
        encryption:
          keys:
          - provider_name: internal-provider
            key_properties:
              encryption_password: "((credhub_encryption_key))"
            active: true
          providers:
          - name: internal-provider
            type: internal
        authorization:
          acls:
            enabled: true
          permissions:
          - path: /*
            actors:
            - uaa-client:concourse_client
            - uaa-client:credhub_cli
            operations:
            - read
            - write
            - delete
            - read_acl
            - write_acl
  - name: bpm
    release: bpm
  - name: postgres
    release: postgres
    properties:
      databases:
        address: 127.0.0.1
        port: 5432
        databases:
        - name: credhub
        - name: uaadb
        roles:
        - name: admin
          password: ((database-admin))
        - name: uaaadmin
          password: ((uaa_db_user_password))
        - name: credhubadmin
          password: ((credhub_db_user_password))
        tls:
          ca: ((database-tls.ca))
          certificate: ((database-tls.certificate))
          private_key: ((database-tls.private_key))

releases:
- name: uaa
  version: "((uaa_version))"
- name: credhub
  version: "((credhub_version))"
- name: postgres
  version: "((postgres_version))"
- name: bpm
  version: "((bpm_version))"

variables:
- name: uaa_encryption_key
  type: password
- name: uaa_admin_client_secret
  type: password
- name: cf_admin_password
  type: password
- name: uaa_jwt_signing_key
  type: rsa
- name: concourse_credhub_client_secret
  type: password
- name: credhub_client_secret
  type: password
- name: credhub_user_password
  type: password
- name: credhub_encryption_key
  type: password
- name: credhub_db_user_password
  type: password
- name: uaa_db_user_password
  type: password
- name: database-admin
  type: password
- name: credhub-ca
  type: certificate
  options:
    is_ca: true
    common_name: CredHub CA
- name: database-tls
  type: certificate
  options:
    ca: credhub-ca
    common_name: ((external-ip-address))
    alternative_names:
    - ((external-ip-address))
    - ((internal-ip-address))
    - 127.0.0.1
    - localhost
- name: uaa_ssl
  type: certificate
  options:
    ca: credhub-ca
    common_name: ((external-ip-address))
    alternative_names:
    - ((external-ip-address))
    - ((internal-ip-address))
    - 127.0.0.1
    - localhost
- name: credhub_ssl
  type: certificate
  options:
    ca: credhub-ca
    common_name: ((external-ip-address))
    alternative_names:
    - ((external-ip-address))
    - ((internal-ip-address))
    - 127.0.0.1
    - localhost
- name: uaa_login_saml
  type: certificate
  options:
    ca: credhub-ca
    common_name: ((external-ip-address))
    alternative_names:
    - ((external-ip-address))
    - ((internal-ip-address))
    - 127.0.0.1
    - localhost

stemcells:
- alias: xenial
  os: ubuntu-xenial
  version: latest

update:
  canaries: 1
  canary_watch_time: 10000-200000
  max_in_flight: 3
  serial: false
  update_watch_time: 10000-200000
$ bosh deploy -d credhub-uaa credhub-uaa-manifest.yml \
    --vars-file credhub-vars.yml \
    --vars-store credhub-vars-store.yml

Points worth checking in this manifest before deploying it:

- UAA (uaadb.tls: disabled) and CredHub (data_storage.require_tls: false) talk to PostgreSQL in plaintext even though the postgres job is handed a TLS certificate. That is tolerable only because all three jobs share one VM and the database listens on 127.0.0.1; if the database ever moves to its own VM, turn TLS on for both clients.
- The ACL grants both concourse_client and credhub_cli read, write, delete, read_acl and write_acl on /*. Concourse only looks credentials up, so its client can get a separate permissions entry limited to read on /concourse/*, leaving /* to the operator's credhub_cli client.
- The credhub_client_secret variable is declared but never referenced; the secret Concourse will use is concourse_credhub_client_secret.
- Every generated value (the CA private key, the UAA and CredHub encryption keys, all database and client passwords) is written to credhub-vars-store.yml. Keep that file out of version control and protect it as carefully as CredHub itself.
(2) Redeploy Concourse

- Add the CA certificate to cluster-creds.yml
- Redeploy Concourse
- Verify
Edit cluster-creds.yml

# vim cluster-creds.yml
...
credhub_ca_cert: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
credhub_url: "https://EXTERNAL-IP-OR-URL-OF-CREDHUB:8844"
credhub_client_id: "concourse_client"
credhub_client_secret: "CLIENT-SECRET"

For this deployment credhub_url is https://10.0.6.97:8844 (external-ip-address plus the CredHub port from the manifest), and credhub_client_secret is the generated concourse_credhub_client_secret from credhub-vars-store.yml (not the manifest's unused credhub_client_secret variable, which merely shares a name with this cluster-creds key).

The CA certificate is copied from the credhub-vars-store.yml that was generated when CredHub & UAA were deployed:

credhub-ca:
  ca: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

Only this part is copied:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The lines must be re-indented under `credhub_ca_cert: |` in cluster-creds.yml, so first strip the vars-store indentation. In vim:

:%s/\v^\s+//g

`bosh interpolate credhub-vars-store.yml --path /credhub-ca/certificate` prints the same certificate already unindented, which avoids the manual editing.
Redeploy Concourse
bosh deploy \
-d concourse01 ./cluster/concourse.yml \
-l versions.yml \
-l variables.yml \
-o ./cluster/operations/backup-atc.yml \
-o ./cluster/operations/basic-auth.yml \
-o ./cluster/operations/static-web.yml \
-o ./cluster/operations/credhub.yml \
--vars-store cluster-creds.yml
Verify

# vim ~/test/concourse-bosh-deployment/cluster/credhub-ca.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

$ credhub login --ca-cert ~/test/concourse-bosh-deployment/cluster/credhub-ca.crt \
    --client-name concourse_client \
    --client-secret nladn6eysrmn3b6mbjya

This login relies on CREDHUB_SERVER already being exported (https://10.0.6.97:8844 here); otherwise pass it with -s. A successful login only proves that UAA issued a token for concourse_client; to confirm the CredHub ACL, set and read back a value under /concourse/<team>/..., the prefix Concourse resolves ((var)) references against (/concourse/<team>/<pipeline>/<var> first, then /concourse/<team>/<var>). Avoid pasting the client secret on the command line as above, since it ends up in shell history and the process list: read it from the vars store or export CREDHUB_CLIENT and CREDHUB_SECRET instead, and rotate the secret printed here, which is now public.
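As an added example (my script, not code from the post or from the CredHub or Concourse projects), the manual steps of section (2) can be scripted instead of copying the certificate out of credhub-vars-store.yml by hand and stripping its indentation in vim. The POSIX-shell script below pulls credhub-ca.certificate out of the vars store (the same text `bosh interpolate credhub-vars-store.yml --path /credhub-ca/certificate` prints, done in awk so it also runs on a host without the bosh CLI), writes credhub-ca.crt, reads the client secret from the same file rather than taking it on the command line, and, when the credhub CLI is installed, repeats the post's login and round-trips a value under /concourse/main/, the prefix Concourse resolves team-level variables from. The server URL, the two-level vars-store layout (as `bosh deploy --vars-store` writes it), the function names and the constructed sample file with placeholder PEM bodies are my assumptions, not something the post shows.

```shell
#!/bin/sh
# Added example, not from the original post: automate the "copy the CA out of
# credhub-vars-store.yml" step and the login check from section (2).
# Assumptions (mine): the vars store has the two-level layout that
# `bosh deploy --vars-store` writes (credhub-ca: certificate: | ...), CredHub
# listens on https://10.0.6.97:8844, and the sample store below is a
# placeholder, not a real certificate or secret.
set -e

# extract_var_block FILE VAR KEY
# Print the block scalar at FILE -> VAR -> KEY with its YAML indentation
# removed, i.e. what `bosh interpolate FILE --path /VAR/KEY` prints, in awk
# so it works without the bosh CLI. Handles only the flat vars-store layout.
extract_var_block() {
  awk -v var="$2" -v key="$3" '
    $0 ~ "^" var ":[ ]*$"             { in_var = 1; next }   # top-level key we want
    in_var && /^[^ ]/                 { in_var = 0 }         # next top-level key ends it
    in_var && $0 ~ "^  " key ": *\\|" { in_key = 1; next }   # e.g. "  certificate: |"
    in_key && /^    /                 { sub(/^ +/, ""); print; next }  # block body line
    in_key                            { in_key = 0 }         # block ended
  ' "$1"
}

# extract_scalar FILE VAR : a single-line generated value such as a password
extract_scalar() {
  awk -v var="$2" '$0 ~ "^" var ": " { sub("^" var ": *", ""); print; exit }' "$1"
}

# write_ca_cert VARS_STORE OUT : produce the credhub-ca.crt used with --ca-cert
write_ca_cert() {
  extract_var_block "$1" credhub-ca certificate > "$2"
  # a usable PEM file opens and closes with the markers, with no indentation
  head -n 1 "$2" | grep -q '^-----BEGIN CERTIFICATE-----$'
  tail -n 1 "$2" | grep -q '^-----END CERTIFICATE-----$'
}

# smoke_test VARS_STORE CA_FILE : the post's login plus a set/get/delete under
# /concourse/main/, the prefix Concourse resolves team-level ((vars)) from.
# Skips cleanly when the credhub CLI is not installed.
smoke_test() {
  if ! command -v credhub >/dev/null 2>&1; then
    echo "credhub CLI not installed; skipping live check"
    return 0
  fi
  secret=$(extract_scalar "$1" concourse_credhub_client_secret)
  # the secret comes from the vars store, not from the shell history
  credhub login -s "${CREDHUB_SERVER:-https://10.0.6.97:8844}" --ca-cert "$2" \
    --client-name concourse_client --client-secret "$secret"
  credhub set -n /concourse/main/credhub-smoke-test -t value -v ok >/dev/null
  [ "$(credhub get -n /concourse/main/credhub-smoke-test -q)" = "ok" ]
  credhub delete -n /concourse/main/credhub-smoke-test
}

# Constructed sample vars store for offline runs (placeholder PEM bodies;
# nothing in it is a real key or secret).
make_sample_vars_store() {
  cat > "$1" <<'EOF'
concourse_credhub_client_secret: not-a-real-secret
credhub-ca:
  ca: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDERCAPEM
    -----END CERTIFICATE-----
  certificate: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDERCAPEM
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    PLACEHOLDERKEY
    -----END RSA PRIVATE KEY-----
database-admin: also-not-a-real-secret
EOF
}

main() {
  vars_store="${1:-credhub-vars-store.yml}"
  out="${2:-credhub-ca.crt}"
  if [ ! -f "$vars_store" ]; then
    echo "no $vars_store here; running against a constructed sample"
    vars_store=$(mktemp)
    make_sample_vars_store "$vars_store"
  fi
  write_ca_cert "$vars_store" "$out"
  echo "wrote $out"
  smoke_test "$vars_store" "$out"
}
main "$@"
```

Run it as `sh extract-credhub-ca.sh credhub-vars-store.yml ~/test/concourse-bosh-deployment/cluster/credhub-ca.crt` from the directory holding the vars store; the awk extractor is deliberately narrow (top-level key, one nested block scalar) because that is all a BOSH vars store contains, and anything more elaborate should go through `bosh interpolate --path`.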
Category: VMware > 구축(TAS) (TAS build)