2017 Highlights Series
As BOSH evolves, grows and improves, it allows you to focus on making your deployments more secure. Find out more about this process in this talk from Saman Alvi and Dale Wick of Pivotal.
Users face certain pain points with existing deployments, such as storing SSH keys, certificates and passwords in plaintext in the deployment manifest. Because manifests are routinely shared, for example committed to GitHub or pasted into a BOSH Slack channel, the secrets leak along with them.
People may also leave a job's default password in place, or reuse the same certificates across jobs and across deployments. Weak passwords and reused certificates are both sizable problems: one compromised credential then unlocks far more than a single job.
Another known problem is managing manifests across environments, which quickly becomes complicated and frustrating. Eventually credentials have to be rotated, and doing that by hand in every manifest is a difficult, error-prone process that invites mistakes and outages.
The fundamental issue is the lack of separation between credentials and deployments. Once the problem is framed that way it can be solved, and that is exactly what the Cloud Foundry team at Pivotal is doing.
To solve these problems and more, the team has implemented a config server API in BOSH: BOSH talks to an external config server over this API, and manifests reference secrets through variables instead of embedding them. The feature is available in the latest BOSH release and requires the new BOSH CLI.
Once you declare the variables in your deployment manifest, BOSH asks the config server for their values and the config server takes care of the rest, including generating values that are not yet present. Because BOSH only specifies the API, you can use any server that implements it. Alvi recommends CredHub, Pivotal's production implementation of the config server API, which can encrypt the stored credentials using an HSM. Soon it will also handle rotation of credentials, and the team is working on making certificates a bit smarter so they are easier for operators to manage.
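To make the before/after concrete, here is an added example (constructed for this page, not a manifest from the talk or from the BOSH project) of the same deployment written first with secrets embedded and then with BOSH variables. The release, job and property names (`demo`, `demo-web`, `admin_password`, `tls.*`) and the stemcell and vm_type values are assumptions; the `variables:` block, the `((name))` and `((name.field))` reference syntax, and the `password` and `certificate` variable types with their `is_ca`, `ca`, `common_name` and `alternative_names` options are the manifest features the talk describes.

```yaml
# BEFORE (constructed example of the problem): secrets live in the manifest.
# Anyone who can read this file, or the repo it is committed to, holds the
# credentials; the same PEM blob tends to get pasted into every environment.
# Only the properties section is shown; the rest is identical to the manifest below.
properties:
  admin_password: "changeme"            # a default password nobody rotated
  tls:
    certificate: |
      -----BEGIN CERTIFICATE-----
      <certificate PEM pasted here and reused across deployments>
      -----END CERTIFICATE-----
    private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      <private key PEM pasted here, now in version control>
      -----END RSA PRIVATE KEY-----
---
# AFTER: the manifest carries only variable references. The values are held by
# the config server (CredHub) and never appear in the file you commit or share.
name: demo-app

releases:
- name: demo            # assumed release name
  version: latest

stemcells:
- alias: default
  os: ubuntu-trusty     # assumed stemcell; any available stemcell works
  version: latest

# Declaring the variables lets the config server generate them on first deploy,
# so there is no default password to forget and no certificate to copy around.
variables:
- name: admin_password
  type: password                  # generated as a strong random password
- name: demo_ca
  type: certificate
  options:
    is_ca: true                   # a CA that is private to this deployment
    common_name: demo-ca
- name: demo_web_tls
  type: certificate
  options:
    ca: demo_ca                   # leaf cert signed by the CA declared above
    common_name: web.demo.internal
    alternative_names: [web.demo.internal]

instance_groups:
- name: web
  instances: 1
  azs: [z1]
  vm_type: default                # assumed cloud-config vm_type
  stemcell: default
  networks:
  - name: default
  jobs:
  - name: demo-web                # assumed job name
    release: demo
    properties:
      admin_password: ((admin_password))
      tls:
        certificate: ((demo_web_tls.certificate))
        private_key: ((demo_web_tls.private_key))
        ca: ((demo_web_tls.ca))   # the CA cert, so clients can verify the server

update:
  canaries: 1
  max_in_flight: 1
  canary_watch_time: 1000-60000
  update_watch_time: 1000-60000
```

Deploying with `bosh -e <env> -d demo-app deploy manifest.yml` against a Director wired to a config server resolves each `((...))` at deploy time; a variable that does not yet exist is generated from its declaration and stored server-side. Because the leaf certificate is declared with `ca: demo_ca`, a second deployment that declares its own CA variable gets its own, unrelated certificate chain, which is exactly the reuse the talk warns against. Without a config server the new CLI can generate the same variables locally with `--vars-store creds.yml`; that file then holds the plaintext secrets, so it must be kept out of version control just as the old manifest should have been.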
Using variables with BOSH leads to more secure BOSH deployments. Learn more and watch a very comprehensive demo of the variables feature here: