Discussing CredHub for Centralized Credential Management in Cloud Foundry
The formal process is needed
Chief Architect of PaaS Innovation Michael Maximilian (aka Dr. Max) of IBM is leading a new effort called CF-Extensions, as we reported from the Cloud Foundry Community Advisory Board call in December.
This effort is meant to encourage developers to add such things as APIs, buildpacks, plugins, and other components to the open-source Cloud Foundry project. He led an initial meeting on January 30, and has set future meetings for the last Monday in each month at 11 am Pacific time.
During the initial meeting, Dr. Max focused on putting together some standardized processes.
“There are (currently) no official processes for how contributing companies and developers can submit proposals.” —Dr. Max, IBM
So, it is expected that someone will address this in the future.
A credentials hub idea emerges
Attendees also discussed the recent CredHub proposal submitted by Pivotal. CredHub is a component for centralized credential management in Cloud Foundry. It could address several scenarios, including:
- Removing credentials from BOSH manifests stored in source repositories.
- Concealing service credentials from the Cloud Controller and the cf env command.
- Allowing organizations to separate credential management from installation operations and management.
- Providing a key building block for frequent credential rotation.
The hub’s initial form has a REST API and a command-line interface (CLI). “The REST API conforms to the Config Server API spec,” according to the proposal, which further elaborates that “CredHub is an OAuth2 resource server, so it’s natural for UAA to provide core authentication and federation capabilities. The REST API fronts a pluggable storage and encryption system. CredHub works with Hardware Security Modules (HSMs), and is intended to be day-2 operation friendly.”
There are a few other proposals under consideration, as outlined in a report from the January meeting.
Next meeting is February 27
The next CF-Extensions meeting is scheduled for Monday, February 27, and is open to anyone who is interested. Dr. Max is encouraging people to join the group’s #cf-extensions sub-channel within the Cloud Foundry Slack channel.