Closed ramonskie closed 6 years ago
@rkoster and I discussed this just the other day. How do you feel about falling back to just using the interactive stuff like $SHIELD_TENANT / --tenant, $SHIELD_CORE / --core, and the session from your last shield login against the given core?
Something like adding the following to https://github.com/starkandwayne/shield-boshrelease/blob/master/jobs/import/templates/bin/run:
export SHIELD_TENANT=<%= p('shield.tenant') %>
export SHIELD_CORE=<%= p('shield.core') %>
<% if_p('shield.username', 'shield.password') do |username,password| %>
shield login --username <%= username %> --password <%= password %>
<% end %>
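The snippet above, rendered with a stand-in for BOSH's `p` / `if_p` template helpers so you can see what the errand's run script would actually contain (added example; not code from shield-boshrelease or BOSH, and the helpers are a simplified assumption of how the real ones behave):

```ruby
require 'erb'

# Minimal stand-in for the BOSH job-template helpers `p` and `if_p`.
# Assumption: simplified from BOSH's real helpers (no spec defaults, no
# job-level property merging), enough to render the snippet from the thread.
class TemplateContext
  def initialize(properties)
    @properties = properties
  end

  # Walk a dotted property path such as "shield.tenant" through nested hashes.
  def lookup(path)
    path.split('.').reduce(@properties) { |h, k| h.is_a?(Hash) ? h[k] : nil }
  end

  # p: a required property; rendering fails when it is absent, as BOSH does.
  def p(path)
    value = lookup(path)
    raise "Can't find property '#{path}'" if value.nil?
    value
  end

  # if_p: run the block only when every listed property is set, so the
  # `shield login` line is emitted only when both username and password exist.
  def if_p(*paths)
    values = paths.map { |path| lookup(path) }
    yield(*values) unless values.any?(&:nil?)
  end

  def render(template)
    ERB.new(template, trim_mode: '<>').result(binding)
  end
end

# The run-script snippet proposed in the thread, verbatim.
RUN_TEMPLATE = <<~TEMPLATE
  export SHIELD_TENANT=<%= p('shield.tenant') %>
  export SHIELD_CORE=<%= p('shield.core') %>
  <% if_p('shield.username', 'shield.password') do |username,password| %>
  shield login --username <%= username %> --password <%= password %>
  <% end %>
TEMPLATE

# Render the errand's run script for a given hash of job properties
# (constructed sample values go in; see the usage note).
def render_run_script(properties)
  TemplateContext.new(properties).render(RUN_TEMPLATE)
end
```

With all four properties set, the rendered script carries the password as a `shield login` argument, so it is visible to anyone who can read the process list or the errand's output log; when username or password is absent only the two exports are emitted, and a missing tenant or core fails the render outright.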
Are we talking about interactive use or the import errand?
I liken the access tokens to those of GitHub. You wouldn't put credentials in a pipeline, which is why we embed personal access tokens instead.
Would it then be an option to seed an access token, say have it be generated via BOSH variables? Similar to what we have with UAA client secrets. With the current implementation, deploying SHIELD needs to happen in 5 steps:
It would be nice to be able to do this in 1 or 2 (if we need to use the errand instead of seeding config via core directly).
Why not: shield import? (i.e. don't use the errand)
Then what's the point of the errand that should make it easy to set up your shield? We are trying to achieve a completely set-up shield, and the only thing required afterwards is logging in and setting the master key.
What we are trying to do is add shield as an addon for BUCC, so we are trying to make it as much of a press-of-a-button thing as possible.
Is this for BUCC?
The point of the SHIELD import errand is to allow people who want to pipeline ongoing maintenance of their SHIELD to do so easily. In that case, having a token generated beforehand is not really a problem.
If we implement interactive import support, the story gets even easier -- deploy, login, import your data! One reason we pulled the autoprovisioning from the BOSH release is that it was a bit onerous to have to deploy SHIELD just to update your configuration.
Yes, it's for BUCC. We are setting up BBR tasks in shield so that it will back up the director, UAA, Concourse and CredHub.
In that case, can't you just script something in the Concourse pipeline that does the auth token generation, and run the import manually? (BUCC uses pipelines to deploy all the things, right?)
Yes, we can do this, but it brings its own set of complexity. That's why we were looking into the errand, so we could just create an extra ops file for it.
The complexity @ramonskie is referring to is related to secret paths. Consider the following:
Concourse deploy shield pipeline (import via Concourse task):
- Secrets generated by CredHub through BOSH (variables:)
- Generated admin password will be stored under /director_name/shield/admin_password
- We can't use this variable in the to-be-created Concourse shield import task (since Concourse will look for variables under /concourse/main)
Concourse deploy shield pipeline (import via errand):
- Secrets generated by CredHub through BOSH (variables:)
- The errand can use the generated variables since they are in the same
Sounds like a deficiency in the Concourse / Credhub integration to me...
@ramonskie can this be closed?
Well, it depends on https://github.com/starkandwayne/shield-boshrelease/pull/118
As a BOSH operator I want to run an import without manual steps, like creating a token or setting the core, ca-cert, username and password.
My proposal was to add optional parameters