Azure / open-service-broker-azure

The Open Service Broker API Server for Azure Services
https://osba.sh
MIT License

Support optional Credhub Delivery mode #623

Open zhongyi-zhang opened 5 years ago

zhongyi-zhang commented 5 years ago

It is for secure binding delivery. See overview https://github.com/cloudfoundry-incubator/credhub/blob/master/docs/secure-service-credentials.md and the example service broker for POC https://github.com/cloudfoundry/secure-credentials-broker. OSBA can support fetching Credhub connection info from the environment variables like these:

CREDHUB_SERVER: https://credhub.service.cf.internal:8844
CREDHUB_CLIENT: secure-credentials-broker
CREDHUB_SECRET: my-secret

Then OSBA stores credentials to Credhub and returns the Credhub ref URI to the platform: https://github.com/Azure/open-service-broker-azure/blob/master/pkg/api/bind.go#L285. Of course unbinding should also delete the credentials from Credhub before deleting the binding from the broker store: https://github.com/Azure/open-service-broker-azure/blob/master/pkg/api/unbind.go#L98.

Though Credhub is designed for the CF world, the feature in OSBA won't depend on CF. Someday, when Credhub publishes a K8s deployment, K8s users can also benefit from it.

jeremyrickard commented 5 years ago

We should probably have an explicit flag to enable credhub integration as well?

zhongyi-zhang commented 5 years ago

Yes, I agree. It helps OSBA to determine whether it fetches Credhub info from env vars.
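As an added example, not OSBA's own code nor the secure-credentials-broker's: a minimal Go sketch of the delivery mode proposed in the opening comment, with the explicit enable flag discussed in the two comments above. Assumptions: the `/c/<client>/<service>/<binding>/credentials` credential path and the `credhub-ref` key are my reading of the linked Credhub doc; `CREDHUB_ENABLED` is a made-up flag name; `CredStore` with its in-memory `fakeCredStore` stands in for a real Credhub client; `LoadCredhubConfig`, `Broker`, `Bind` and `Unbind` are names I chose, not OSBA's handlers.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// CredhubConfig holds the connection info read from CREDHUB_SERVER,
// CREDHUB_CLIENT and CREDHUB_SECRET, as proposed in the issue.
type CredhubConfig struct {
	Server, Client, Secret string
}

// LoadCredhubConfig implements the explicit enable flag: with the flag off the
// env vars are ignored; with it on, all three must be set or startup fails
// rather than silently falling back to plaintext delivery. getenv is injected
// so the function can be exercised without touching the process environment.
func LoadCredhubConfig(enabled bool, getenv func(string) string) (*CredhubConfig, error) {
	if !enabled {
		return nil, nil
	}
	cfg := &CredhubConfig{getenv("CREDHUB_SERVER"), getenv("CREDHUB_CLIENT"), getenv("CREDHUB_SECRET")}
	var missing []string
	for _, kv := range [][2]string{{"CREDHUB_SERVER", cfg.Server}, {"CREDHUB_CLIENT", cfg.Client}, {"CREDHUB_SECRET", cfg.Secret}} {
		if kv[1] == "" {
			missing = append(missing, kv[0])
		}
	}
	if len(missing) > 0 {
		return nil, fmt.Errorf("credhub mode enabled but missing env vars: %s", strings.Join(missing, ", "))
	}
	return cfg, nil
}

// CredStore is the subset of Credhub operations the broker needs. A real
// implementation would wrap a Credhub client authenticated with CredhubConfig.
type CredStore interface {
	Set(name string, creds map[string]interface{}) error
	Delete(name string) error
}

// fakeCredStore is an in-memory stand-in for Credhub (constructed for this example).
type fakeCredStore struct{ data map[string]map[string]interface{} }

func NewFakeCredStore() *fakeCredStore { return &fakeCredStore{data: map[string]map[string]interface{}{}} }
func (f *fakeCredStore) Set(name string, creds map[string]interface{}) error { f.data[name] = creds; return nil }
func (f *fakeCredStore) Delete(name string) error {
	if _, ok := f.data[name]; !ok {
		return fmt.Errorf("credential %q not found", name)
	}
	delete(f.data, name)
	return nil
}
func (f *fakeCredStore) Len() int { return len(f.data) }

// credentialName builds the Credhub path for a binding (assumed layout, see lead-in).
func credentialName(client, serviceID, bindingID string) string {
	return fmt.Sprintf("/c/%s/%s/%s/credentials", client, serviceID, bindingID)
}

// Broker is a toy stand-in for OSBA's bind/unbind handlers. bindings is the
// broker store; in Credhub mode it holds only the reference, never the secret.
type Broker struct {
	credhub  CredStore // nil means Credhub mode is disabled
	client   string
	bindings map[string]map[string]interface{}
}

func NewBroker(credhub CredStore, client string) *Broker {
	return &Broker{credhub: credhub, client: client, bindings: map[string]map[string]interface{}{}}
}

// Bind returns the credentials block the platform receives: the plaintext
// creds when Credhub mode is off, or only a credhub-ref when it is on.
func (b *Broker) Bind(serviceID, bindingID string, creds map[string]interface{}) (map[string]interface{}, error) {
	if _, exists := b.bindings[bindingID]; exists {
		return nil, errors.New("binding already exists")
	}
	if b.credhub == nil {
		b.bindings[bindingID] = creds
		return creds, nil
	}
	name := credentialName(b.client, serviceID, bindingID)
	if err := b.credhub.Set(name, creds); err != nil {
		return nil, err // nothing written to the broker store, so the bind can be retried
	}
	ref := map[string]interface{}{"credhub-ref": name}
	b.bindings[bindingID] = ref
	return ref, nil
}

// Unbind deletes the Credhub entry first and only then drops the binding from
// the broker store; a Credhub failure leaves the binding in place so a retried
// unbind can still locate and remove the secret.
func (b *Broker) Unbind(bindingID string) error {
	stored, ok := b.bindings[bindingID]
	if !ok {
		return errors.New("binding not found")
	}
	if ref, isRef := stored["credhub-ref"].(string); isRef && b.credhub != nil {
		if err := b.credhub.Delete(ref); err != nil {
			return fmt.Errorf("delete credhub credential: %w", err)
		}
	}
	delete(b.bindings, bindingID)
	return nil
}

func main() {
	cfg, err := LoadCredhubConfig(os.Getenv("CREDHUB_ENABLED") == "true", os.Getenv)
	if err != nil {
		fmt.Println("startup failed:", err)
		return
	}
	var store CredStore
	client := "osba"
	if cfg != nil {
		store, client = NewFakeCredStore(), cfg.Client // a real broker would build a Credhub client here
	}
	b := NewBroker(store, client)
	resp, _ := b.Bind("azure-mysql", "binding-1", map[string]interface{}{"password": "constructed-sample"})
	fmt.Println("platform receives:", resp)
	fmt.Println("unbind error:", b.Unbind("binding-1"))
}
```

Run with `CREDHUB_ENABLED=true CREDHUB_SERVER=... CREDHUB_CLIENT=... CREDHUB_SECRET=...` to see the platform receive only a `credhub-ref`; with the flag off it receives the plaintext block as today. The ordering in `Unbind` is the point from the opening comment: if the broker store entry were removed first and the Credhub delete then failed, the secret would be orphaned in Credhub with nothing left to find it by.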