cloudfoundry-attic / cfdev

A fast and easy local Cloud Foundry experience on native hypervisors, powered by LinuxKit with VPNKit
Apache License 2.0

Access to Credhub using the CLI #59

Closed rhuiser closed 5 years ago

rhuiser commented 5 years ago

When I run credhub api -s http://$BOSH_ENVIRONMENT:8844 --skip-tls-validation, the command returns with the error:

Setting the target url: http://10.245.0.2:8844
Error connecting to the targeted API: "Get http://10.245.0.2:8844/info: EOF". Please validate your target and retry your request.

It looks like there is some forwarding issue between the director and the credhub instance?

Using environment '10.245.0.2' as client 'admin'

Using deployment 'cf'

Task 626. Done
credhub/b25cfe85-c229-4b61-bc87-c91537107fe7: stderr | Warning: Permanently added '10.245.0.2' (RSA) to the list of known hosts.
credhub/b25cfe85-c229-4b61-bc87-c91537107fe7: stderr | Unauthorized use is strictly prohibited. All access and activity
credhub/b25cfe85-c229-4b61-bc87-c91537107fe7: stderr | is subject to logging and monitoring.
credhub/b25cfe85-c229-4b61-bc87-c91537107fe7: stderr | Unauthorized use is strictly prohibited. All access and activity
credhub/b25cfe85-c229-4b61-bc87-c91537107fe7: stderr | is subject to logging and monitoring.
credhub/b25cfe85-c229-4b61-bc87-c91537107fe7: stdout | vcap        5598       0  0 12:22 ?        00:01:24 java -Xmx1024m -Dspring.profiles.active=prod -Dspring.config.location=/var/vcap/jobs/credhub/config/application.yml -Dlog4j.configurationFile=/var/vcap/jobs/credhub/config/log4j2.properties -Djava.security.egd=file:/dev/urandom -Djna.boot.library.path=/var/vcap/packages/credhub/ -Djava.io.tmpdir=/var/vcap/jobs/credhub/tmp -Djdk.tls.ephemeralDHKeySize=4096 -Djdk.tls.namedGroups=secp384r1 -Djavax.net.ssl.trustStore=/var/vcap/jobs/credhub/config/trust_store.jks -Djavax.net.ssl.trustStorePassword=75Fp5mZJCwcZD0N9I4DWwvQXtAyNSzBg -ea -jar credhub.jar
credhub/b25cfe85-c229-4b61-bc87-c91537107fe7: stdout | bosh_45+    6350    6349  0 17:40 pts/1    00:00:00 bash -c ps -ef | grep java
credhub/b25cfe85-c229-4b61-bc87-c91537107fe7: stdout | bosh_45+    6352    6350  0 17:40 pts/1    00:00:00 grep java
credhub/b25cfe85-c229-4b61-bc87-c91537107fe7: stderr | Connection to 10.144.0.140 closed.

No messages are written to the logfiles under /var/vcap/sys/log/credhub upon connection attempts on this node.

Any idea?

aemengo commented 5 years ago

@rhuiser I believe there's some confusion with how cfdev is deployed. Distinct credhubs can exist for both the bosh director and for a given Cloud Foundry deployment. When you target with credhub api -s http://$BOSH_ENVIRONMENT:8844 (10.245.0.2:8844) ..., you are attempting to target the credhub for the bosh director. Cfdev does not have a credhub deployed with its bosh director, so nothing exists at that IP and port, and thus the aforementioned command is expected to fail.

As you have noticed, there is a credhub deployed for the Cloud Foundry deployment. In your example, the IP and port are 10.144.0.140:8844. However, the second issue is that in cfdev, any ports that you wish to communicate with from outside of the VM must be explicitly forwarded or traffic will not reach them, which we have not done for this particular case. Due to the dynamic nature of its IP (credhub could show up on any IP in the configured subnet), this is a non-trivial problem to solve.

In short, as of right now, there's no way to talk to the credhub deployed from outside of the VM.
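Added example, not part of the original thread or of cfdev: a small Python probe that sends the same plain-HTTP GET /info the credhub CLI issued and reports whether the target refused the connection, timed out, closed it without replying (the kind of failure the CLI reports as EOF) or actually answered. The function name probe_info and its result labels are hypothetical; the two addresses are the ones quoted in this issue.

```python
import socket


def probe_info(host, port, timeout=3.0):
    """Classify what happens to a plain-HTTP GET /info sent to host:port.

    Returns 'refused', 'timeout', 'unreachable', 'eof', 'non-http' or 'http'.
    (Labels are this example's own, not credhub CLI output.)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"        # host is up, nothing listens on the port
    except socket.timeout:
        return "timeout"        # packets dropped: no route or no forward
    except OSError:
        return "unreachable"    # e.g. no route to host
    with sock:
        sock.settimeout(timeout)
        request = (
            f"GET /info HTTP/1.1\r\nHost: {host}:{port}\r\n"
            "Connection: close\r\n\r\n"
        )
        try:
            sock.sendall(request.encode("ascii"))
            first = sock.recv(16)
        except socket.timeout:
            return "timeout"    # connected, but no reply arrived
        except OSError:
            return "eof"        # connection reset during the exchange
    if not first:
        return "eof"            # peer accepted, then closed without a reply
    # Anything that does not start with an HTTP status line is not plain HTTP.
    return "http" if first.startswith(b"HTTP/") else "non-http"


if __name__ == "__main__":
    # Addresses taken from the issue text above; port 8844 as used there.
    for target in ("10.245.0.2", "10.144.0.140"):
        print(target, probe_info(target, 8844))
```

Run from the host, a result of eof, refused or timeout means no usable credhub endpoint is reachable at that address from outside the VM.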

sdawson-pivotal commented 5 years ago

@rhuiser would you mind sharing a bit about your use case? We are looking to better understand how people are using CF / PCF Dev, and what they are looking for. Your answers to this 4 question survey would be very helpful to us: https://goo.gl/forms/3OHzU2S5907hiu5r1

rhuiser commented 5 years ago

Hi Samuel,

I filled out the survey (submitted as robin.huiser@rdc.pt)

Regards, met vriendelijke groet,

Robin Huiser

On 14 Jan 2019, 20:46 +0000, Samuel Dawson notifications@github.com, wrote:

@rhuiser would you mind sharing a bit about your use case? We are looking to better understand how people are using CF / PCF Dev, and what they are looking for. Your answers to this 4 question survey would be very helpful to us: https://goo.gl/forms/3OHzU2S5907hiu5r1