A pipeline that hackily rotates your CF deployment credentials.
List based on cf-deployment at commit 98c1a7 without any ops files.
| Name | Rotation Method | Downtime? |
|---|---|---|
| adapter_rlp_tls | Single Deploy | Probably No |
| adapter_tls | Single Deploy | Probably No |
| blobstore_admin_users_password | Single Deploy | Probably Yes |
| blobstore_secure_link_secret | Single Deploy | Probably Yes |
| blobstore_tls | Single Deploy | Probably No |
| cc_bridge_cc_uploader | Single Deploy | Probably No |
| cc_bridge_cc_uploader_server | Single Deploy | Probably No |
| cc_bridge_tps | Single Deploy | Probably No |
| cc_bulk_api_password | Single Deploy | Probably Yes |
| cc_database | New User | Probably No |
| cc_db_encryption_key | None Yet | N/A |
| cc_internal_api_password | Single Deploy | Probably Yes |
| cc_staging_upload_password | Single Deploy | Probably Yes |
| cc_tls | Single Deploy | Probably No |
| cf_admin_password | Single Deploy | Probably Yes |
| cf_mysql_mysql_admin_password | Single Deploy | Probably Yes |
| cf_mysql_mysql_cluster_health_password | Single Deploy | Probably Yes |
| cf_mysql_mysql_galera_healthcheck_endpoint_password | Single Deploy | Probably Yes |
| cf_mysql_mysql_galera_healthcheck_password | Single Deploy | Probably Yes |
| cf_mysql_proxy_api_password | Single Deploy | Probably Yes |
| consul_agent | Single Deploy | Probably No |
| consul_agent_ca | Three Stage | Probably No |
| consul_encrypt_key | Three Stage | Probably No |
| consul_server | Single Deploy | Probably No |
| diego_auctioneer_client | Single Deploy | Probably No |
| diego_auctioneer_server | Single Deploy | Probably No |
| diego_bbs_client | Single Deploy | Probably No |
| diego_bbs_encryption_keys_passphrase | Three Stage | Probably No |
| diego_bbs_server | Single Deploy | Probably No |
| diego_database | New User | Probably No |
| diego_locket_client | Single Deploy | Probably No |
| diego_locket_server | Single Deploy | Probably No |
| diego_rep_agent | Single Deploy | Probably No |
| diego_rep_client | Single Deploy | Probably No |
| diego_ssh_proxy_host_key | Single Deploy | Probably No |
| dropsonde_shared_secret | Single Deploy | Probably Yes |
| locket_database | New User | Probably No |
| loggregator_ca | Three Stage | Probably No |
| loggregator_tls_cc_tc | Single Deploy | Probably No |
| loggregator_tls_doppler | Single Deploy | Probably No |
| loggregator_tls_metron | Single Deploy | Probably No |
| loggregator_tls_rlp | Single Deploy | Probably No |
| loggregator_tls_statsdinjector | Single Deploy | Probably No |
| loggregator_tls_tc | Single Deploy | Probably No |
| nats_password | Single Deploy | Probably Yes |
| network_connectivity_database | New User | Probably No |
| network_policy_ca | Three Stage | Probably No |
| network_policy_client | Single Deploy | Probably No |
| network_policy_database | New User | Probably No |
| network_policy_server | Single Deploy | Probably No |
| router_ca | Three Stage | Probably No |
| router_route_services_secret | Single Deploy | Probably Yes |
| router_ssl | Single Deploy | Probably No |
| router_status_password | Single Deploy | Probably Yes |
| routing_api_database | New User | Probably No |
| scheduler_api_tls | Single Deploy | Probably No |
| scheduler_client_tls | Single Deploy | Probably No |
| service_cf_internal_ca | Three Stage | Probably No |
| silk_ca | Three Stage | Probably No |
| silk_controller | Single Deploy | Probably No |
| silk_daemon | Single Deploy | Probably No |
| uaa_admin_client_secret | Single Deploy | Probably Yes |
| uaa_ca | Three Stage | Probably No |
| uaa_clients_cc-routing_secret | Single Deploy | Probably Yes |
| uaa_clients_cc-service-dashboards_secret | Single Deploy | Probably Yes |
| uaa_clients_cc_service_key_client_secret | Single Deploy | Probably Yes |
| uaa_clients_cloud_controller_username_lookup_secret | Single Deploy | Probably Yes |
| uaa_clients_doppler_secret | Single Deploy | Probably Yes |
| uaa_clients_gorouter_secret | Single Deploy | Probably Yes |
| uaa_clients_network_policy_secret | Single Deploy | Probably Yes |
| uaa_clients_routing_api_client_secret | Single Deploy | Probably Yes |
| uaa_clients_ssh-proxy_secret | Single Deploy | Probably Yes |
| uaa_clients_tcp_emitter_secret | Single Deploy | Probably Yes |
| uaa_clients_tcp_router_secret | Single Deploy | Probably Yes |
| uaa_database | New User | Probably No |
| uaa_jwt_signing_key | Two Stage | Probably No |
| uaa_login_saml | Single Deploy | Probably No |
| uaa_ssl | Single Deploy | Probably No |
Just change the value and deploy it again. The source and its consumers will be updated. This will cause downtime for things like passwords, because there will be a time when the source will not match the consumers.
This method creates a new user with the appropriate access, then a second phase deletes the prior user. This allows rotation of password credentials without downtime.
This method provides a gradual rotation where step 1 adds a new value and step two removes the old value. This gradual process avoids a state where the source and consumers have mismatched values.
This method mostly applies to CA certificate rotation. Step 1 provides an additional trusted CA, step 2 provides new certificates based on that CA, step 3 removes the prior CA from trust.