Skip to content

Instantly share code, notes, and snippets.

@shinji62

shinji62/atc-uaa-credhub.yml

Last active July 27, 2018 03:14
Show Gist options
  • Save shinji62/57bc9b790fd41f07bea72e3e2979593d to your computer and use it in GitHub Desktop.
Save shinji62/57bc9b790fd41f07bea72e3e2979593d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
atc-uaa-credhub.yml
# add missing variables
- type: replace
path: /variables?/name=atc-db-password?
value:
name: atc-db-password
type: password
- type: replace
path: /variables?/name=credhub-encryption-password?
value:
name: credhub-encryption-password
type: password
options:
length: 40
- type: replace
path: /variables?/name=concourse-ca?
value:
name: concourse-ca
type: certificate
options:
is_ca: true
common_name: Concourse CA
- type: replace
path: /variables?/name=concourse-tls?
value:
name: concourse-tls
type: certificate
options:
ca: concourse-ca
common_name: ((concourse_host))
alternative_names:
- ((concourse_host))
- type: replace
path: /variables?/name=credhub-db-password?
value:
name: credhub-db-password
type: password
- type: replace
path: /variables?/name=uaa-jwt?
value:
name: uaa-jwt
type: rsa
options:
key_length: 4096
- type: replace
path: /variables?/name=uaa-users-admin?
value:
name: uaa-users-admin
type: password
- type: replace
path: /variables?/name=uaa-admin?
value:
name: uaa-admin
type: password
- type: replace
path: /variables?/name=uaa-login?
value:
name: uaa-login
type: password
- type: replace
path: /variables?/name=uaa-credhub-admin?
value:
name: uaa-credhub-admin
type: password
- type: replace
path: /variables?/name=uaa-db-admin?
value:
name: uaa-db-admin
type: password
- type: replace
path: /variables?/name=uaa-db-password?
value:
name: uaa-db-password
type: password
- type: replace
path: /variables?/name=concourse_to_credhub_secret?
value:
name: concourse_to_credhub_secret
type: password
- type: replace
path: /variables?/name=credhub_cli_password?
value:
name: credhub_cli_password
type: password
- type: replace
path: /variables?/name=concourse_client_secret?
value:
name: concourse_client_secret
type: password
- type: replace
path: /variables?/name=main-team-password?
value:
name: main-team-password
type: password
# add UAA and credhub releases
- type: replace
path: /releases/-
value:
name: uaa
version: latest
- type: replace
path: /releases/-
value:
name: credhub
version: latest
# update DB instance to include credhub and uaa databases
- type: replace
path: /instance_groups/name=db/jobs/name=postgres/properties/databases/databases/-
value:
name: credhub
- type: replace
path: /instance_groups/name=db/jobs/name=postgres/properties/databases/databases/-
value:
name: uaa
- type: replace
path: /instance_groups/name=db/jobs/name=postgres/properties/databases/roles/-
value:
name: credhub
password: ((credhub-db-password))
- type: replace
path: /instance_groups/name=db/jobs/name=postgres/properties/databases/roles/-
value:
name: uaa
password: ((uaa-db-password))
- type: replace
path: /variables/-
value:
name: uaa_encryption_key_1
type: password
# add credhub job to ATC instance group
- type: replace
path: /instance_groups/name=web/jobs/-
value:
name: credhub
release: credhub
properties:
credhub:
port: 8844
authentication:
uaa:
url: *uaa-url
verification_key: ((uaa-jwt.public_key))
ca_certs:
- ((concourse-tls.ca))
data_storage:
type: postgres
host: ((db_ip))
port: 5432
username: credhub
password: ((credhub-db-password))
database: credhub
require_tls: false
tls: ((concourse-tls))
log_level: info
encryption:
keys:
- provider_name: int
encryption_password: ((credhub-encryption-password))
active: true
providers:
- name: int
type: internal
# add UAA job to ATC instance group
- type: replace
path: /instance_groups/name=web/jobs/-
value:
name: uaa
release: uaa
properties:
encryption:
encryption_keys:
- label: uaa-encryption-key-1
passphrase: ((uaa_encryption_key_1))
active_key_label: uaa-encryption-key-1
uaa:
url: &uaa-url "https://((concourse_host)):8443"
port: -1
scim:
users:
- name: admin
password: ((uaa-users-admin))
groups:
- scim.write
- scim.read
- bosh.admin
- credhub.read
- credhub.write
clients:
credhub_cli:
override: true
authorized-grant-types: password,refresh_token
scope: credhub.read,credhub.write
authorities: uaa.resource
access-token-validity: 1200
refresh-token-validity: 3600
secret: ""
concourse_to_credhub:
override: true
authorized-grant-types: client_credentials
scope: ""
authorities: credhub.read,credhub.write
access-token-validity: 30
refresh-token-validity: 3600
secret: ((concourse_to_credhub_secret))
credhub_admin_client:
override: true
authorized-grant-types: client_credentials
scope: uaa.none
authorities: credhub.read,credhub.write
access-token-validity: 3600
secret: ((credhub_cli_password))
admin: {client_secret: ((uaa-admin))}
login: {client_secret: ((uaa-login))}
zones: {internal: {hostnames: []}}
sslCertificate: ((concourse-tls.certificate))
sslPrivateKey: ((concourse-tls.private_key))
jwt:
revocable: true
policy:
active_key_id: key-1
keys:
key-1:
signingKey: ((uaa-jwt.private_key))
uaadb:
address: ((db_ip))
port: 5432
db_scheme: postgresql
databases:
- tag: uaa
name: uaa
roles:
- tag: admin
name: uaa
password: ((uaa-db-password))
login:
saml:
serviceProviderCertificate: ((concourse-tls.certificate))
serviceProviderKey: ((concourse-tls.private_key))
serviceProviderKeyPassword: ""
# remove existing vault configuration
- type: remove
path: /instance_groups/name=web/jobs/name=atc/properties/vault?
# add credhub configuration
- type: replace
path: /instance_groups/name=web/jobs/name=atc/properties/credhub?
value:
url: https://((concourse_host)):8844
tls:
ca_cert: ((concourse-ca))
insecure_skip_verify: ((credhub_insecure_skip_verify))
client_id: concourse_to_credhub
client_secret: ((concourse_to_credhub_secret))
# modify update settings to give UAA enough time to start up
- type: replace
path: /update/canary_watch_time
value: 30000-1200000
- type: replace
path: /update/update_watch_time
value: 5000-1200000
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment