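---
# BOSH job spec for the CredHub job: the ERB templates it renders, the packages
# it needs, the links it provides and consumes, and the manifest properties an
# operator may set. Property keys and their defaults are the job's public
# interface — renaming or re-defaulting one changes behaviour for every
# deployment manifest and link consumer that references it.
name: credhub
# Each entry maps a file in this job's templates/ directory to the path BOSH
# renders it to under the job directory on the VM.
templates:
  # Lifecycle scripts
  pre-start.erb: bin/pre-start
  post-start.erb: bin/post-start
  drain.erb: bin/drain
  # BOSH Backup and Restore (bbr) hook scripts
  pre-backup-lock.sh: bin/bbr/pre-backup-lock
  post-backup-unlock.sh: bin/bbr/post-backup-unlock
  pre-restore-lock.sh: bin/bbr/pre-restore-lock
  post-bbr-start.erb: bin/bbr/post-bbr-start
  post-restore-unlock.sh: bin/bbr/post-restore-unlock
  wait-for-stop.sh.erb: bin/bbr/wait-for-stop
  identify-postgres-server-version.erb: bin/bbr/identify-postgres-server-version
  metadata.sh.erb: bin/bbr/metadata
  # Other scripts
  ctl.erb: bin/ctl
  # NOTE(review): these two presumably write keystore / HSM client material
  # derived from the TLS and encryption properties below. The permissions they
  # give those files are decided in the templates, not here — review them
  # alongside this spec.
  init_key_stores.erb: bin/init_key_stores.sh
  configure_hsm.erb: bin/configure_hsm.sh
  # Consul scripts
  dns_health_check.erb: bin/dns_health_check
  wait_for_uaa.erb: bin/wait_for_uaa
  # Config
  validation_authorization.yml.erb: config/validation_authorization.yml
  validation_data_storage.yml.erb: config/validation_data_storage.yml
  validation_encryption.yml.erb: config/validation_encryption.yml
  validation_logging.yml.erb: config/validation_logging.yml
  validation_uaa.yml.erb: config/validation_uaa.yml
  log4j2.properties.erb: config/log4j2.properties
  encryption.conf.erb: config/encryption.conf
  application_auth_server.yml.erb: config/application/auth-server.yml
  application_encryption.yml.erb: config/application/encryption.yml
  application_logging.yml: config/application/logging.yml
  application_security.yml.erb: config/application/security.yml
  application_server.yml.erb: config/application/server.yml
  application_spring.yml.erb: config/application/spring.yml
  # CAs
  database_ca.pem.erb: config/database_ca.pem
  # BPM
  bpm.yml.erb: config/bpm.yml
  credhub.erb: bin/credhub
  # Utils
  utils.sh: bin/utils.sh
# Packages colocated on every instance of this job, whatever the configuration.
packages:
  - openjdk_17.0
  # Luna HSM client; presumably only exercised when an hsm-type provider is
  # configured in credhub.encryption.providers, but it is always installed.
  - luna-hsm-client-7.4
  - credhub
# Links this job exports to other jobs in the deployment.
provides:
  - name: credhub
    type: credhub
    properties:
      - credhub.port
      - credhub.ca_certificate
      - credhub.internal_url
  # NOTE(review): this link carries the database password alongside the
  # connection details, so every job that consumes credhub_db receives the
  # database credential. Keep its consumers to the minimum that need it.
  - name: credhub_db
    type: credhub_db
    properties:
      - credhub.data_storage.database
      - credhub.data_storage.host
      - credhub.data_storage.hostname_verification.enabled
      - credhub.data_storage.password
      - credhub.data_storage.port
      - credhub.data_storage.require_tls
      - credhub.data_storage.tls_ca
      - credhub.data_storage.type
      - credhub.data_storage.username
# Links this job may consume. The postgres link is optional; how the templates
# reconcile it with the explicit credhub.data_storage.* properties is decided
# in the templates, not here.
consumes:
  - name: postgres
    type: database
    optional: true
properties:
  # NOTE: hyphenated key, unlike the snake_case keys below. Kept as-is because
  # existing manifests reference it by this exact name.
  credhub.connection-timeout:
    description: "The maximum amount of time the server will wait for the client to make their request after connecting before the connection is closed"
    default: 5s
  credhub.port:
    description: "Listening port for the CredHub API"
    default: 8844
  credhub.health_endpoint_port:
    description: "Listening port for the CredHub Health Endpoint"
    default: 8845
  # CA certificate used for credhub TLS. Exported through the credhub link so
  # consumers can verify the API's server certificate; presumably this should be
  # the CA that issued credhub.tls — confirm against the templates.
  credhub.ca_certificate:
    description: "Optional parameter to provide the CA certificate for TLS connection to CredHub API as a link"
    type: certificate
    default: ""
    example: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
  # Internal URL, also exported through the credhub link.
  credhub.internal_url:
    description: "Optional parameter to provide the CredHub internal URL as a link"
    default: ""
    example: "credhub.service.cf.internal"
  # Encryption properties. These hold the root of trust for everything CredHub
  # stores: the values below are placeholders, not defaults. NOTE(review): supply
  # real passwords and key names through BOSH variables or a secret store rather
  # than literal manifest values, and treat the active key's material as the
  # deployment's most sensitive secret.
  credhub.encryption.keys:
    description: |
      A list of active and inactive encryption keys, specifying the provider name and the encryption key name or value. One key must be marked as active.
      See below for example keys for each supported provider type.
      The internal provider accepts an encryption_password (minimum length 20).
    example:
      - provider_name: internal-provider
        key_properties:
          encryption_password: example-encryption-password
      - provider_name: hsm-provider
        key_properties:
          encryption_key_name: active-hsm-key-name
        active: true
      - provider_name: hsm-provider
        key_properties:
          encryption_key_name: inactive-hsm-key-name
      - provider_name: kms-plugin
        key_properties:
          encryption_key_name: kms-plugin-key-name
  credhub.encryption.providers:
    description: |
      A list of all providers used for the current set of encryption keys.
      See below for example structures of all supported provider types.
      HSM port will default to 1792, if not provided.
    example:
      - name: internal-provider
        type: internal
      - name: kms-plugin-provider
        type: kms-plugin
        connection_properties:
          # NOTE(review): the example socket lives under /tmp, a shared
          # world-writable directory. Prefer a job-private path and confirm the
          # plugin restricts the socket's permissions before reusing this value.
          endpoint: unix:///tmp/socketfile.sock
          host: example.com
          ca: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
      - name: hsm-provider
        type: hsm
        connection_properties:
          partition: my-hsm-partition
          # partition_password and client_key are secrets; treat them like
          # credhub.encryption.keys above.
          partition_password: example-hsm-password
          client_certificate: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          client_key: |
            -----BEGIN RSA PRIVATE KEY-----
            ...
            -----END RSA PRIVATE KEY-----
          # Each server is pinned by its own certificate rather than a shared CA.
          servers:
            - host: 10.0.1.1
              port: 1792
              partition_serial_number: 123123
              certificate: |
                -----BEGIN CERTIFICATE-----
                ...
                -----END CERTIFICATE-----
            - host: 10.0.1.2
              port: 1792
              partition_serial_number: 456456
              certificate: |
                -----BEGIN CERTIFICATE-----
                ...
                -----END CERTIFICATE-----
  # TLS configuration for the server. No default is declared here, so a
  # deployment must provide it.
  credhub.tls:
    description: "Certificate and private key for TLS connection to CredHub API"
    type: certificate
    example: |
      certificate: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      private_key: |
        -----BEGIN RSA PRIVATE KEY-----
        ...
        -----END RSA PRIVATE KEY-----
  # Data storage. NOTE(review): in-memory presumably keeps nothing across a
  # restart — confirm it is only used for tests, never for a real deployment.
  credhub.data_storage.type:
    description: "Database type. Accepted values are in-memory, mysql, or postgres"
  credhub.data_storage.username:
    description: "Username for authenticating with targeted database server"
  # Secret; exported through the credhub_db link (see provides above).
  credhub.data_storage.password:
    description: "Password for authenticating with targeted database server"
  credhub.data_storage.host:
    description: "Host address of targeted database server"
  credhub.data_storage.port:
    description: "Listening port of targeted database server"
  credhub.data_storage.database:
    description: "Name of database in which to store data on targeted database server (must exist prior to deployment)"
    default: "credhub"
  # Setting this to false permits a plaintext connection to the database,
  # which would carry the database credential and the encrypted credential
  # store over the wire unprotected. Leave it true.
  credhub.data_storage.require_tls:
    description: "Requires only TLS connections to targeted database server"
    default: true
  # With verification disabled, any server certificate chaining to tls_ca is
  # accepted for any host. NOTE(review): the description says "MariaDB" while
  # data_storage.type accepts "mysql" — presumably the same code path; confirm.
  credhub.data_storage.hostname_verification.enabled:
    description: "Enables hostname verification for TLS connections to targeted database server. This property is only respected when targeting a MariaDB database. Hostname verification cannot be disabled for TLS connections to postgres databases."
    default: true
  credhub.data_storage.tls_ca:
    description: "CA trusted for making TLS connections to targeted database server"
  # UAA Authentication
  credhub.authentication.uaa.enabled:
    description: "Enables authentication via OAuth using UAA"
    default: true
  credhub.authentication.uaa.url:
    description: "URL of UAA server which issues trusted tokens for authentication"
    example: "https://uaa.example.com:8443"
  credhub.authentication.uaa.internal_url:
    description: "Optional URL for reaching UAA server over internal networking"
    example: "https://uaa.example.internal:8443"
  # Trust anchor for the token issuer; an overly broad CA list here widens who
  # can present a "UAA" to CredHub.
  credhub.authentication.uaa.ca_certs:
    description: "List of CAs trusted when making TLS connections to UAA server"
  credhub.authentication.uaa.wait_for_start:
    description: "Waits for UAA to be available before starting CredHub"
    default: true
  credhub.authentication.uaa.wait_for_start_max_timeout:
    description: "Max timeout in seconds for curl to UAA during wait-for-start script"
    default: 300
  credhub.authentication.uaa.wait_for_start_connect_timeout:
    description: "Connect timeout in seconds for curl to UAA during wait-for-start script"
    default: 120
  # Mutual TLS Authentication. Every CA listed can issue client certificates
  # that CredHub accepts as authenticated callers, so keep this list narrow.
  # The empty default trusts no client CA.
  credhub.authentication.mutual_tls.trusted_cas:
    description: "List of CAs trusted to sign client certificates for mutual TLS authentication"
    default: []
  # Authorization. Disabling ACLs removes per-credential access control; leave
  # it enabled outside of tests.
  credhub.authorization.acls.enabled:
    description: "Enables authorization via credential access control lists"
    default: true
  # Seed permissions granted at deploy time. write_acl lets an actor grant
  # further permissions on the path, so it is effectively ownership.
  credhub.authorization.permissions:
    description: "Giving permission for a path to an actor"
    default: []
    example: |
      - path: /your/credential
        actors:
          - uaa-user:me
          - uaa-user:me2
        operations:
          - read
          - write
          - delete
          - read_acl
          - write_acl
  # Logging. NOTE(review): confirm that debug level does not write credential
  # values or tokens to the log before enabling it on a shared system.
  credhub.log_level:
    description: "Application log level. Accepted values are none, error, warn, info or debug"
    default: info
  # JVM configuration
  credhub.max_heap_size:
    description: "Maximum memory heap size in MB for CredHub JVM"
    default: 1024
  # CredHubDeprecatedStartingAfter(2.1.2)
  # Enabling this re-adds CBC cipher suites, which are weaker than the
  # default suites; keep it false unless a Java 7 client genuinely remains.
  credhub.java7_tls_ciphers_enabled:
    description: "Enables CBC TLS cipher suites to enable TLS communication with Java 7 clients. Deprecated, as of CredHub 2.x.y. Java 7 was decommissioned by Oracle in 2015."
    default: false
  # Certificates
  credhub.certificates.concatenate_cas:
    description: "Enables the concatenation of CAs when there is a transitional CA for a certificate."
    default: true
  # A default of 0 imposes no floor on the requested duration.
  credhub.certificates.ca_minimum_duration_in_days:
    description: "CA certificates will be generated/regenerated with this value when
      the user provided duration is shorter, ensuring that every certificate
      is created with at least this value."
    default: 0
  credhub.certificates.leaf_minimum_duration_in_days:
    description: "Leaf certificates will be generated/regenerated with this value when
      the user provided duration is shorter, ensuring that
      every certificate is created with at least this
      value."
    default: 0
  # Swappable Backend. When enabled, the backend is reached over a Unix socket
  # and verified by certificate (host = expected common name, ca_cert = issuer).
  credhub.backend.enable_swappable_backend:
    description: "Enable the use of swappable backends for CredHub to use in place of the default CredHub backend"
    default: false
  # NOTE(review): the example path is under /tmp; prefer a job-private
  # directory so other local users cannot reach or replace the socket.
  credhub.backend.socket_file:
    description: "Path of socket file for swappable backend to use"
    default: ""
    example: "/tmp/socket/test.sock"
  credhub.backend.host:
    description: "Common name of the backend's certificate"
    default: ""
    example: "example.com"
  credhub.backend.ca_cert:
    description: "CA cert used to sign the backend's certificate"
    default: ""
    example: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
  # BPM
  bpm.enabled:
    description: "Enable Bosh Process Manager. Deprecated; CredHub 3.x.x and later will require BPM to be enabled."
    default: false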