concourse / concourse-bosh-deployment

A toolchain for deploying Concourse with BOSH.
Apache License 2.0

add credhub sample ops file #40

Open patrickhuber opened 6 years ago

patrickhuber commented 6 years ago

I see a vault sample ops file; adding one for credhub will help others set that up as well.

Here is the sample from my deployment:

# BOSH ops file: add (or overwrite) the credhub block on the atc job of the web instance group.
# The trailing "?" makes the final path element optional, so the op succeeds even if no credhub block exists yet.
- type: replace
  path: /instance_groups/name=web/jobs/name=atc/properties/credhub?
  value:
    client_id: ((credhub_client_id))
    client_secret: ((credhub_client_secret))
    path_prefix: /concourse
    tls:
      # keep verification on and supply the CA so the atc checks credhub's certificate
      insecure_skip_verify: false
      ca_cert: ((credhub_ca.ca))
    url: https://((credhub_ip)):8844

Based off of this repo: https://github.com/nsagoo-pivotal/concourse-credhub-bosh-deployment/blob/master/concourse.yml

And this ops file: https://github.com/concourse/concourse-deployment/blob/master/cluster/operations/vault-tls-cert-auth.yml

Optionally, a ((credhub_url)) variable could be used instead of the IP, but the sample comes from a deployment where credhub is on the same VM as the bosh director.
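As an added example (not code from this issue or from the concourse-bosh-deployment project), here is a small Python model of how a BOSH `replace` op with a `name=` selector and a trailing `?` lands in the manifest, followed by a check that the resulting credhub block keeps certificate verification on; the manifest slice and the interpolated variable values are constructed.

```python
import copy

# Constructed slice of a Concourse BOSH manifest (assumption: the web
# instance group carries the atc job, as in this repo's cluster manifest).
MANIFEST = {"instance_groups": [{"name": "web", "jobs": [{"name": "atc", "properties": {}}]}]}

# The ops file from the comment above as Python data; ((vars)) replaced by constructed placeholders.
CREDHUB_OP = {
    "type": "replace",
    "path": "/instance_groups/name=web/jobs/name=atc/properties/credhub?",
    "value": {
        "client_id": "concourse_to_credhub",            # constructed
        "client_secret": "CLIENT_SECRET_PLACEHOLDER",   # constructed
        "path_prefix": "/concourse",
        "tls": {"insecure_skip_verify": False, "ca_cert": "CA_PEM_PLACEHOLDER"},
        "url": "https://10.0.0.6:8844",                 # constructed IP
    },
}

def _step(node, token):
    """Resolve one path token: 'key=val' selects the list element whose
    key equals val; any other token is a plain map key."""
    if "=" in token:
        key, val = token.split("=", 1)
        for item in node:
            if item.get(key) == val:
                return item
        raise KeyError(f"no element with {key}={val}")
    return node[token]

def apply_replace(manifest, op):
    """Apply a BOSH 'replace' op and return a new manifest. A trailing '?'
    makes the last key optional; without it a missing key (e.g. a typo) is an error."""
    doc = copy.deepcopy(manifest)
    *parents, last = op["path"].strip("/").split("/")
    optional, last = last.endswith("?"), last.rstrip("?")
    node = doc
    for tok in parents:
        node = _step(node, tok)
    if last not in node and not optional:
        raise KeyError(f"missing key {last!r} and path is not optional")
    node[last] = op["value"]
    return doc

def credhub_tls_is_verified(manifest):
    """Defensive check: atc must verify credhub's certificate (skip_verify false, CA supplied)."""
    atc = _step(_step(manifest["instance_groups"], "name=web")["jobs"], "name=atc")
    tls = atc["properties"].get("credhub", {}).get("tls", {})
    return tls.get("insecure_skip_verify") is False and bool(tls.get("ca_cert"))
```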

deadlysyn commented 6 years ago

for posterity... see also: https://github.com/pivotal-cf/pcf-pipelines/blob/master/docs/samples/colocated-credhub-ops/add-credhub-to-atcs.yml

@patrickhuber's example was useful for me to simply point concourse to an existing credhub (deployed on my bosh director in my case)... but the emerging pattern seems to be keeping concourse-facing credhub separate and scaled with atcs.

haydonryan commented 6 years ago

I second the emerging pattern that @deadlysyn mentioned. If you use the credhub on the bosh director, then it will cause downtime when the bosh director is updated; this way you get minimal downtime that is coupled to concourse upgrades rather than to a third component.