Contents
1398
0 Comments

Discussing CredHub for Centralized Credential Management in Cloud Foundry

by Roger StrukhoffFebruary 8, 2017
IBM's Dr. Max is also concerned that the vast world of potential Cloud Foundry extensions lack process. So, he's leading monthly meetings to address this.

The formal process is needed

Chief Architect of PaaS Innovation Michael Maximilian (aka Dr. Max) of IBM is leading a new effort called CF-Extensions, as we reported from the Cloud Foundry Community Advisory Board call in December.

Dr. Max

Dr. Max, IBM

This effort is meant to encourage developers to add such things as APIs, buildpacks, plugins, and other components to the open-source Cloud Foundry project. He led an initial meeting on January 30, and has set future meetings for the last Monday in each month at 11 am Pacific time.

During the initial meeting, Dr. Max focused on putting together some standardized processes.

“There are (currently) no official processes for how contributing companies and developers can submit proposals.” —Dr. Max, IBM

So, it is expected that someone will adress this in the future.

 

A credentials hub idea emerges

Attendees also discussed the recent CredHub proposal submitted by Pivotal. CredHub is a component for centralized credential management in Cloud Foundry. It could address several scenarios, including:

  • Removing credentials from BOSH manifests stored in source repositories.

  • Concealing service credentials from the Cloud Controller and the cf env command.

  • Allowing organizations to separate credential management from installation operations and management.

  • Providing a key building block for frequent credential rotation.

CredHub ArchitectureThe proposed CreditHub architecture (Source)

The hub’s initial form has a REST API and a command-line interface (CLI). “The REST API conforms to the Config Server API spec,” according to the proposal, which further elaborates that “CredHub is an OAuth2 resource server, so it’s natural for UAA to provide core authentication and federation capabilities. The REST API fronts a pluggable storage and encryption system. CredHub works with Hardware Security Modules (HSMs), and is intended to be day-2 operation friendly.”

credhub-cloud-foundry-BOSH-Manifest-ImplementationBOSH manifest implementation with CredHub (Source)

There are a few other proposals under consideration, as outlined in a report from the January meeting.

 

Next meeting is February 27

The next CF-extensions meeting is scheduled for Monday, February 27, and is open to anyone who is interested. Dr. Max is encouraging people to join the group’s #cf-extensions sub-channel within the Cloud Foundry Slack channel.

 

Related video

   
Posted In
News/Opinion
Tags
CF Foundation, Cloud-Native, OSS Cloud Foundry
, ,
Posted by:

Roger Strukhoff is Director of Research at Altoros. He also serves as Executive Director of the Tau Institute for Global ICT Research, Conference Chair of Cloud Expo and Things Expo, Co-Chair of the Big Data World Forum, and Open-Source Chair for the global DCD Converged conference series. He received his BA from Knox College, and conducted MBA studies at California State University/East Bay. Previously in his career, he was VP of New Products at International Data Group and Director of Global Publications at TIBCO Software.