IK.AM

この記事の延長編。次はCredHubも導入する。

BOSH VMは次のような構成になる。

目次

• BOSH Liteのインストール
  • BOSH VM作成
  • Stemcellのアップロード
  • Cloud Configの設定
• CredHubを使う
  • CredHub CLIインストール
  • CredHubログイン
  • Concourseをデプロイ
  • CredHubの確認
  • CredentialsのRotate

BOSH Liteのインストール

BOSH VM作成

credhub.ymlも追加する。

bosh2 create-env bosh.yml \
  --state ./state.json \
  -o virtualbox/cpi.yml \
  -o virtualbox/outbound-network.yml \
  -o bosh-lite.yml \
  -o bosh-lite-runc.yml \
  -o uaa.yml \
  -o credhub.yml \
  -o jumpbox-user.yml \
  --vars-store ./creds.yml \
  -v director_name="bosh-lite" \
  -v internal_ip=192.168.50.6 \
  -v internal_gw=192.168.50.1 \
  -v internal_cidr=192.168.50.0/24 \
  -v outbound_network_name=NatNetwork

Stemcellのアップロード

bosh2 upload-stemcell https://bosh.io/d/stemcells/bosh-warden-boshlite-ubuntu-trusty-go_agent

Cloud Configの設定

bosh2 -n update-cloud-config ./warden/cloud-config.yml

CredHubを使う

CredHub CLIインストール

brew install cloudfoundry/tap/credhub-cli

CredHubログイン

bosh2 int ./creds.yml --path /uaa_ssl/ca > ~/uaa_ca
bosh2 int ./creds.yml --path /credhub_ca/ca > ~/credhub_ca
credhub login -s 192.168.50.6:8844 -u credhub-cli -p `bosh2 int ./creds.yml --path /credhub_cli_password` --ca-cert ~/uaa_ca --ca-cert ~/credhub_ca

軽くAPIを試す

$ credhub generate -n demo-pass -t password
id: 5a5ae163-6f4a-4582-b2cd-560dbb98007a
name: /demo-pass
type: password
value: NvxyWg1vX41G0IQxO3eZJvocVTBQQ6
version_created_at: 2017-07-02T07:18:54Z

$ credhub get -n demo-pass
id: 5a5ae163-6f4a-4582-b2cd-560dbb98007a
name: /demo-pass
type: password
value: NvxyWg1vX41G0IQxO3eZJvocVTBQQ6
version_created_at: 2017-07-02T07:18:54Z

$ credhub delete -n demo-pass
Credential successfully deleted

Concourseをデプロイ

以下のmanifestファイルをデプロイする

---
name: concourse

releases:
- name: concourse
  version: 3.3.0
  url: https://bosh.io/d/github.com/concourse/concourse?v=3.3.0
  sha1: f0b5ab73ba26e9cc72c8989d20ae2e8d994f18c4
- name: garden-runc
  version: 1.6.0
  url: https://bosh.io/d/github.com/cloudfoundry/garden-runc-release?v=1.6.0
  sha1: 58fbc64aff303e6d76899441241dd5dacef50cb7

stemcells:
- alias: trusty
  os: ubuntu-trusty
  version: latest

instance_groups:
- name: web
  instances: 1
  vm_type: default
  stemcell: trusty
  azs: [z1]
  networks:
  - name: default
    static_ips: [((internal_ip))]
  jobs:
  - name: atc
    release: concourse
    properties:
      external_url: &external_url https://((internal_ip))
      basic_auth_username: admin
      basic_auth_password: ((ui_password))
      tls_cert: ((atc_ssl.certificate))
      tls_key: ((atc_ssl.private_key))
      bind_port: 80
      tls_bind_port: 443
      postgresql_database: &atc_db atc
  - name: tsa
    release: concourse
    properties: {}
- name: db
  instances: 1
  vm_type: default
  persistent_disk_type: default
  stemcell: trusty
  azs: [z1]
  networks:
  - name: default
  jobs:
  - name: postgresql
    release: concourse
    properties:
      databases:
      - name: *atc_db
        role: atc
        password: ((postgres_password))
- name: worker
  instances: 1
  vm_type: default
  stemcell: trusty
  azs: [z1]
  networks:
  - name: default
  jobs:
  - name: groundcrew
    release: concourse
    properties: {}
  - name: baggageclaim
    release: concourse
    properties: {}
  - name: garden
    release: garden-runc
    properties:
      garden:
        listen_network: tcp
        listen_address: 0.0.0.0:7777

update:
  canaries: 1
  max_in_flight: 1
  serial: false
  canary_watch_time: 1000-60000
  update_watch_time: 1000-60000

variables:
- name: default_ca
  type: certificate
  options:
    is_ca: true
    common_name: ca
- name: atc_ssl
  type: certificate
  options:
    ca: default_ca
    common_name: ((internal_ip))
    alternative_names: [((internal_ip))]
- name: postgres_password
  type: password
- name: ui_password
  type: password

デプロイ

bosh2 deploy -d concourse -v internal_ip=10.244.0.34 concourse.yml

できた。

CredHubの確認

manifestファイル中のvariablesに設定されているCredentialsがCredHubに生成される。(CredHubを使わない場合はbosh deployで--vars-storeに指定したファイルにCredentialsが保存される。)

$ credhub find concourse
credentials:
- name: /bosh-lite/concourse/ui_password
  version_created_at: 2017-07-02T07:46:26Z
- name: /bosh-lite/concourse/postgres_password
  version_created_at: 2017-07-02T07:46:26Z
- name: /bosh-lite/concourse/atc_ssl
  version_created_at: 2017-07-02T07:46:26Z
- name: /bosh-lite/concourse/default_ca
  version_created_at: 2017-07-02T07:46:26Z

ログインパスワードは次のように取得可能。

$ credhub get -n "/bosh-lite/concourse/ui_password"
id: 3beffe4b-32ed-4294-8622-26d106d9279b
name: /bosh-lite/concourse/ui_password
type: password
value: BYreZKTynCG5fQr21rOdwnKyYWvII0
version_created_at: 2017-07-02T07:46:26Z

CredentialsのRotate

Concourseのログインパスワードを再生成する

$ credhub regenerate -n "/bosh-lite/concourse/ui_password"
id: 3c988b52-4278-4494-968c-d639fcdf3d49
name: /bosh-lite/concourse/ui_password
type: password
value: CJ4HQLek91MSRt13QHfYRFewFmtKIQ
version_created_at: 2017-07-02T08:23:08Z

もう一度デプロイ

bosh2 deploy -d concourse -v internal_ip=10.244.0.34 concourse.yml

簡単にパスワードを変更できた。