orange-cloudfoundry / static-creds-broker

A CloudFoundry service broker to ease exposition of static credentials
Apache License 2.0

Add support for credhub #51

Open gberche-orange opened 6 years ago

gberche-orange commented 6 years ago

With upcoming credhub support in CloudFoundry (see specs https://docs.google.com/document/d/1Sp7gNqyOyJgsaMUIGde6BCvSiqwvSQQK9PNdZycIBnM/edit#), brokers are expected to move from returning plain credentials such as

{
  "credentials": {
    "access_token_uri": "https://p-example-services.cf.example.com/oauth/token",
    "client_id": "p-example-server-876cd13b-1564-4a9a-9d44-c7c8a6257b73",
    "client_secret": "rU7dMUw6bQjR",
    "uri": "https://config-86b38ce0-eed8-4c01-adb4-1a651a6178e2.apps.example.com"
  }
}

into credhub references of the following form, after having written them into credhub:

{
  "credentials": {
    "credhub-ref": "((/c/p-example-services/p-example-server/86b38ce0-eed8-4c01-adb4-1a651a6178e2/credentials-json))"
  }
}

Static-creds should support a syntax allowing users to specify a credhub-ref (pointing to credentials that are populated out of band by the static-creds operator). At binding time, the broker should grant the bound application credhub permission to fetch the associated reference.
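As an added example (not code from the static-creds-broker project), the bind-time flow sketched above in Python: the operator configures a credhub-ref, the broker validates its shape, grants the bound app read permission on the referenced path, and returns only the reference, never the secret. The FakeCredHub class, the STATIC_CREDHUB_REFS mapping and the mtls-app:<app guid> actor form are assumptions made for the example.

```python
import re

# Constructed operator configuration (not from the issue): the operator has already
# written the real credentials into CredHub out of band and configures only the ref.
STATIC_CREDHUB_REFS = {
    "p-example-server": "((/c/p-example-services/p-example-server/"
                        "86b38ce0-eed8-4c01-adb4-1a651a6178e2/credentials-json))",
}

# A credhub-ref is a CredHub path wrapped in (( )); anything else is rejected at bind time.
CREDHUB_REF_RE = re.compile(r"^\(\((?P<path>/c/[^/()\s]+(?:/[^/()\s]+)+)\)\)$")


def parse_credhub_ref(ref):
    """Return the CredHub path inside a ((...)) reference, or raise ValueError."""
    m = CREDHUB_REF_RE.match(ref)
    if m is None:
        raise ValueError(f"not a credhub-ref: {ref!r}")
    return m.group("path")


class FakeCredHub:
    """Assumed stand-in for CredHub: secrets by path, read permissions by (path, actor)."""

    def __init__(self):
        self.secrets = {}
        self.read_grants = set()

    def grant_read(self, path, actor):
        self.read_grants.add((path, actor))

    def get(self, path, actor):
        # Only an actor that was explicitly granted read on this path can fetch it.
        if (path, actor) not in self.read_grants:
            raise PermissionError(f"{actor} may not read {path}")
        return self.secrets[path]


def bind(service_name, app_guid, config, credhub):
    """Bind an app: grant it read on the ref's path and return only the ref in the credentials."""
    ref = config[service_name]
    path = parse_credhub_ref(ref)
    # Assumed CredHub actor naming for an app authenticating with its instance identity cert.
    credhub.grant_read(path, f"mtls-app:{app_guid}")
    return {"credentials": {"credhub-ref": ref}}
```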

gberche-orange commented 6 years ago

See the somewhat related https://github.com/cloudfoundry/secure-credentials-broker and associated stories in the services API backlog. This broker is similar to a user-provided service but instead stores user-provided credentials (at service provision time, using arbitrary params) into credhub in order to securely serve them to apps.