Discussing CredHub for Centralized Credential Management in Cloud Foundry

by Roger Strukhoff, February 8, 2017
IBM's Dr. Max is also concerned that the vast world of potential Cloud Foundry extensions lacks a process. So, he is leading monthly meetings to address this.

A formal process is needed

Chief Architect of PaaS Innovation Michael Maximilian (aka Dr. Max) of IBM is leading a new effort called CF-Extensions, as we reported from the Cloud Foundry Community Advisory Board call in December.

Dr. Max, IBM

This effort is meant to encourage developers to add such things as APIs, buildpacks, plugins, and other components to the open-source Cloud Foundry project. He led an initial meeting on January 30, and has set future meetings for the last Monday in each month at 11 am Pacific time.

During the initial meeting, Dr. Max focused on putting together some standardized processes.

“There are (currently) no official processes for how contributing companies and developers can submit proposals.” —Dr. Max, IBM

So, it is expected that someone will address this in the future.


A credentials hub idea emerges

Attendees also discussed the recent CredHub proposal submitted by Pivotal. CredHub is a component for centralized credential management in Cloud Foundry. It could address several scenarios, including:

  • Removing credentials from BOSH manifests stored in source repositories.

  • Concealing service credentials from the Cloud Controller and the cf env command.

  • Allowing organizations to separate credential management from installation operations and management.

  • Providing a key building block for frequent credential rotation.

The proposed CredHub architecture (Source)

The hub’s initial form has a REST API and a command-line interface (CLI). “The REST API conforms to the Config Server API spec,” according to the proposal, which further elaborates that “CredHub is an OAuth2 resource server, so it’s natural for UAA to provide core authentication and federation capabilities. The REST API fronts a pluggable storage and encryption system. CredHub works with Hardware Security Modules (HSMs), and is intended to be day-2 operation friendly.”

BOSH manifest implementation with CredHub (Source)
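As an added illustration of the first scenario above, removing credentials from BOSH manifests kept in source repositories, the following script scans a manifest for credential-looking keys whose values are literal strings rather than ((variable)) placeholders that BOSH resolves from a config server such as CredHub at deploy time. This is example code written for this article, not code from the CredHub proposal or the Cloud Foundry project; the key-name heuristic, the sample manifests and the function name are assumptions constructed here.

```python
import re

# Heuristic: keys containing one of these words usually hold credentials.
# Constructed list for this example; extend it for your own manifests.
SECRET_KEY_RE = re.compile(
    r"^\s*-?\s*(?P<key>[A-Za-z0-9_.-]*"
    r"(password|secret|token|private_key|api_key)"
    r"[A-Za-z0-9_.-]*)\s*:\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# A BOSH variable reference, e.g. ((db_password)), resolved from CredHub.
PLACEHOLDER_RE = re.compile(r"^\(\([A-Za-z0-9_./-]+\)\)$")


def find_hardcoded_credentials(manifest_text):
    """Return (line_number, key) for each credential-looking key whose value
    is a literal instead of a ((variable)) placeholder. Empty or null values
    are ignored; a literal value is what should not be committed to git."""
    findings = []
    for lineno, line in enumerate(manifest_text.splitlines(), start=1):
        m = SECRET_KEY_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip("'\"")
        if value in ("", "~", "null") or PLACEHOLDER_RE.match(value):
            continue
        findings.append((lineno, m.group("key")))
    return findings


# Constructed sample: the "before" manifest with secrets committed in clear.
BEFORE_MANIFEST = """\
instance_groups:
- name: db
  jobs:
  - name: postgres
    properties:
      databases:
        db_password: hunter2
        admin_password: "s3cr3t"
"""

# Constructed sample: the same manifest after moving secrets to CredHub.
AFTER_MANIFEST = BEFORE_MANIFEST.replace(
    "db_password: hunter2", "db_password: ((db_password))"
).replace('admin_password: "s3cr3t"', "admin_password: ((admin_password))")

if __name__ == "__main__":
    print("before:", find_hardcoded_credentials(BEFORE_MANIFEST))
    print("after: ", find_hardcoded_credentials(AFTER_MANIFEST))
```

A check like this fits naturally as a pre-commit hook or CI step so that a manifest with literal credentials never reaches the repository in the first place.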

There are a few other proposals under consideration, as outlined in a report from the January meeting.


Next meeting is February 27

The next CF-extensions meeting is scheduled for Monday, February 27, and is open to anyone who is interested. Dr. Max is encouraging people to join the group’s #cf-extensions sub-channel within the Cloud Foundry Slack channel.

