
[Tanzu Deployment] (4) Deploying Concourse Credhub

 

To use Concourse effectively, you need to deploy Credhub, a credential store, and keep credentials in it so that they can be referenced as variables.

For that to work, a Credhub and UAA deployment must first be stood up separately and integrated with Concourse.

This post covers that part.

Deployment 'credhub-uaa'

Instance                                          Process State  AZ               IPs        VM CID               VM Type   Active  Stemcell
credhub-uaa/f6e4003a-fadb-49b4-9b6b-32f5413885f6  running        ap-northeast-1d  10.0.6.97  i-025854947ab5452a0  m5.large  true    bosh-aws-xen-hvm-ubuntu-xenial-go_agent/621.211

 

(1) Install Credhub & UAA With BOSH

  • Allocate a static IP
  • Create credhub-vars.yml
  • Create credhub-uaa-manifest.yml

# Allocate a static IP

$ bosh cloud-config > cloud-config-0513.yml
# vim credhub-vars.yml
---
deployment-network: ert-subnet
external-ip-address: "10.0.6.97"
internal-ip-address: "10.0.6.97"
db_host: localhost
db_port: 5432
uaa_external_url: "https://10.0.6.97:8443"
uaa_internal_url: "https://10.0.6.97:8443"
uaa_version: "74.9.0"
uaa_sha1: "9647fff0fcb249e71ba2290849b4cdbbf7550165"
credhub_version: "2.5.7"
credhub_sha1: "9647fff0fcb249e71ba2290849b4cdbbf7550165"
postgres_version: "39"
postgres_sha1: "8ff395540e77a461322a01c41aa68973c10f1ffb"
bpm_version: "1.1.5"
bpm_sha1: "e612e88543012ae5d376dd3746159d5abe748076"
# vim credhub-uaa-manifest.yml

---
name: credhub-uaa
instance_groups:
- name: credhub-uaa
  azs:
  - ap-northeast-1d
  instances: 1
  vm_type: m5.large
  persistent_disk_type: 51200
  stemcell: xenial
  networks:
  - name: ((deployment-network))
    static_ips:
    - ((internal-ip-address))
  jobs:
  - name: uaa
    release: uaa
    properties:
      encryption:
        active_key_label: 'key-1'
        encryption_keys:
          - label: 'key-1'
            passphrase: "((uaa_encryption_key))"
      login:
        saml:
          serviceProviderCertificate: ((uaa_login_saml.certificate))
          serviceProviderKey: ((uaa_login_saml.private_key))
      uaa:
        clients:
          admin:
            authorized-grant-types: client_credentials
            scope: uaa.none
            authorities: uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin
            secret: "((uaa_admin_client_secret))"
          credhub_cli:
            authorized-grant-types: password,refresh_token
            authorities: uaa.none
            scope: credhub.read,credhub.write
            secret: "" # credhub expects this to be empty
            access-token-validity: 120
            refresh-token-validity: 1800
            override: true
          concourse_client:
            authorized-grant-types: client_credentials
            authorities: credhub.read,credhub.write
            scope: credhub.read,credhub.write
            secret: "((concourse_credhub_client_secret))"
            access-token-validity: 120
            refresh-token-validity: 1800
            override: true
        jwt:
          policy:
            active_key_id: key-1
            keys:
              key-1:
                signingKey: ((uaa_jwt_signing_key.private_key))
        scim:
          users:
            - name: admin
              password: "((cf_admin_password))"
              groups:
                - uaa.admin
            - name: credhub
              password: "((credhub_user_password))"
              groups:
                - credhub.read
                - credhub.write
        sslCertificate: ((uaa_ssl.certificate))
        sslPrivateKey: ((uaa_ssl.private_key))
        url: "((uaa_external_url))"
      uaadb:
        address: ((db_host))
        tls: disabled
        databases:
        - name: uaadb
          tag: uaa
        db_scheme: postgres
        port: ((db_port))
        roles:
        - name: uaaadmin
          password: "((uaa_db_user_password))"
          tag: admin
  - name: credhub
    release: credhub
    properties:
      credhub:
        port: 8844
        tls:
          certificate: ((credhub_ssl.certificate))
          private_key: ((credhub_ssl.private_key))
        data_storage:
          type: postgres
          username: credhubadmin
          password: ((credhub_db_user_password))
          host: ((db_host))
          port: ((db_port))
          database: credhub
          require_tls: false
        authentication:
          uaa:
            ca_certs:
              - ((credhub-ca.certificate))
            enabled: true
            url: "((uaa_external_url))"
            wait_for_start: true
        encryption:
          keys:
            - provider_name: internal-provider
              key_properties:
                encryption_password: "((credhub_encryption_key))"
              active: true
          providers:
            - name: internal-provider
              type: internal
        authorization:
          acls:
            enabled: true
          permissions:
            - path: /*
              actors:
                - uaa-client:concourse_client
                - uaa-client:credhub_cli
              operations:
                - read
                - write
                - delete
                - read_acl
                - write_acl
  - name: bpm
    release: bpm
  - name: postgres
    release: postgres
    properties:
      databases:
        address: 127.0.0.1
        port: 5432
        databases:
        - name: credhub
        - name: uaadb
        roles:
        - name: admin
          password: ((database-admin))
        - name: uaaadmin
          password: ((uaa_db_user_password))
        - name: credhubadmin
          password: ((credhub_db_user_password))
        tls:
          ca: ((database-tls.ca))
          certificate: ((database-tls.certificate))
          private_key: ((database-tls.private_key))

releases:
- name: uaa
  version: "((uaa_version))"

- name: credhub
  version: "((credhub_version))"

- name: postgres
  version: "((postgres_version))"

- name: bpm
  version: "((bpm_version))"

variables:
- name: uaa_encryption_key
  type: password

- name: uaa_admin_client_secret
  type: password

- name: cf_admin_password
  type: password

- name: uaa_jwt_signing_key
  type: rsa

- name: concourse_credhub_client_secret
  type: password

- name: credhub_client_secret
  type: password

- name: credhub_user_password
  type: password

- name: credhub_encryption_key
  type: password

- name: credhub_db_user_password
  type: password

- name: uaa_db_user_password
  type: password

- name: database-admin
  type: password

- name: credhub-ca
  type: certificate
  options:
    is_ca: true
    common_name: CredHub CA

- name: database-tls
  type: certificate
  options:
    ca: credhub-ca
    common_name: ((external-ip-address))
    alternative_names:
    - ((external-ip-address))
    - ((internal-ip-address))
    - 127.0.0.1
    - localhost

- name: uaa_ssl
  type: certificate
  options:
    ca: credhub-ca
    common_name: ((external-ip-address))
    alternative_names:
    - ((external-ip-address))
    - ((internal-ip-address))
    - 127.0.0.1
    - localhost

- name: credhub_ssl
  type: certificate
  options:
    ca: credhub-ca
    common_name: ((external-ip-address))
    alternative_names:
    - ((external-ip-address))
    - ((internal-ip-address))
    - 127.0.0.1
    - localhost

- name: uaa_login_saml
  type: certificate
  options:
    ca: credhub-ca
    common_name: ((external-ip-address))
    alternative_names:
    - ((external-ip-address))
    - ((internal-ip-address))
    - 127.0.0.1
    - localhost

stemcells:
- alias: xenial
  os: ubuntu-xenial
  version: latest

update:
  canaries: 1
  canary_watch_time: 10000-200000
  max_in_flight: 3
  serial: false
  update_watch_time: 10000-200000
$ bosh deploy -d credhub-uaa credhub-uaa-manifest.yml \
  --vars-file credhub-vars.yml \
  --vars-store credhub-vars-store.yml

(2) Redeploy Concourse

  • Add ca_cert to cluster-creds.yml
  • Redeploy Concourse
  • Verify

Edit cluster-creds.yml

# vim cluster-creds.yml

...
credhub_ca_cert: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
credhub_url: "https://EXTERNAL-IP-OR-URL-OF-CREDHUB:8844"
credhub_client_id: "concourse_client"
credhub_client_secret: "CLIENT-SECRET"


Copy the ca_cert from the credhub-vars-store.yml that was generated when Credhub & UAA were deployed, and paste it in.

credhub-ca:
  ca: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

# copy only this part
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
# how to strip the leading indentation in vim
:%s/\v^\s+//g

Redeploy Concourse

bosh deploy \
  -d concourse01 ./cluster/concourse.yml \
  -l versions.yml \
  -l variables.yml \
  -o ./cluster/operations/backup-atc.yml \
  -o ./cluster/operations/basic-auth.yml \
  -o ./cluster/operations/static-web.yml \
  -o ./cluster/operations/credhub.yml \
  --vars-store cluster-creds.yml

Verification

# vim ~/test/concourse-bosh-deployment/cluster/credhub-ca.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
  
$ credhub login --ca-cert ~/test/concourse-bosh-deployment/cluster/credhub-ca.crt \
--client-name concourse_client \
--client-secret nladn6eysrmn3b6mbjya
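As an added example (not part of the original post), the script below automates the two manual steps in this section: it pulls the credhub-ca certificate out of credhub-vars-store.yml with the YAML indentation already stripped (replacing the copy-and-`:%s` step), and then checks that the certificates UAA (8443) and CredHub (8844) actually present chain to that CA, which is the same trust check Concourse performs with credhub_ca_cert. It assumes the vars-store layout shown above and an `openssl` binary on PATH; the function names and the CREDHUB_VARS_STORE variable are this example's own, while the host and ports are the post's values.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Assumes the BOSH vars-store
# layout shown above ("credhub-ca:" -> "  ca: |" -> indented PEM lines) and
# that `openssl` is on PATH. CREDHUB_VARS_STORE and the function names are
# this example's own choices; host and ports are the post's values.

# Print the PEM stored under "<var>:" / "  ca: |" in a BOSH vars-store with the
# YAML indentation removed (what the post's vim :%s/\v^\s+//g does by hand).
extract_ca() {
  # $1 = vars-store file, $2 = variable name (defaults to credhub-ca)
  awk -v var="${2:-credhub-ca}" '
    $0 == (var ":")        { invar = 1; next }   # reached the variable we want
    invar && /^[^ ]/       { exit }              # next top-level key: stop
    invar && /^  ca: \|/   { inca = 1; next }    # start of the "ca" block scalar
    inca  && /^  [^ ]/     { exit }              # sibling key (certificate:): stop
    inca                   { sub(/^ +/, ""); print }
  ' "$1"
}

# Sanity-check the extracted PEM: exactly one certificate, and it is a CA.
check_ca_pem() {
  # $1 = PEM file
  n=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
  [ "$n" -eq 1 ] || { echo "expected 1 certificate, found $n" >&2; return 1; }
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' \
    || { echo "certificate is not a CA" >&2; return 1; }
}

# Exit 0 only if the endpoint's certificate chain verifies against the CA,
# i.e. the same check Concourse makes with credhub_ca_cert.
verify_endpoint() {
  # $1 = host:port, $2 = CA PEM file
  openssl s_client -connect "$1" -CAfile "$2" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

# Driver: runs only when pointed at a real vars-store, e.g.
#   CREDHUB_VARS_STORE=credhub-vars-store.yml bash check-credhub-ca.sh
if [ -n "${CREDHUB_VARS_STORE:-}" ]; then
  extract_ca "$CREDHUB_VARS_STORE" > credhub-ca.crt
  check_ca_pem credhub-ca.crt
  for ep in 10.0.6.97:8443 10.0.6.97:8844; do   # UAA and CredHub from the post
    if verify_endpoint "$ep" credhub-ca.crt; then
      echo "$ep: certificate chains to credhub-ca"
    else
      echo "$ep: verification FAILED (wrong CA or missing SAN?)"
    fi
  done
fi
```

The resulting credhub-ca.crt is the file the `credhub login --ca-cert` step above expects; note that `credhub login` also needs the API target (`-s https://10.0.6.97:8844` or the CREDHUB_SERVER environment variable).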