CredHub

Overview

CredHub is a component designed for centralized credential management in Cloud Foundry (CF). It is a single component that can address several scenarios in the CF ecosystem. At the highest level, CredHub centralizes and secures credential generation, storage, lifecycle management, and access.

What Can CredHub Do?

CredHub performs a number of different functions to help generate and protect the credentials in your CF deployment, including:

  • Securing data for storage
  • Authentication
  • Authorization
  • Access and change logging
  • Data typing
  • Credential generation
  • Credential metadata
  • Credential versioning

Application Architecture

CredHub consists of a REST API and a CLI. The REST API conforms to the Config Server API spec. CredHub is an OAuth2 resource server that integrates with User Account and Authentication (UAA) to provide core authentication and federation capabilities.
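The paragraph above describes CredHub as an OAuth2 resource server behind UAA, and the capability list earlier names credential generation, data typing and versioning. The following Python client is an added example, not CredHub's or Cloud Foundry's own code: it obtains a client-credentials token from UAA, then reads or generates a typed credential through CredHub's `/api/v1/data` endpoint with that bearer token. The hostnames, client id and secret, credential name and the sample JSON responses are placeholders constructed for this example; the request shapes follow the public CredHub and UAA APIs, and the fake transport at the end lets the whole flow run offline.

```python
"""Added example client for CredHub behind UAA (not CredHub's own code).
Endpoints, client credentials and sample responses below are placeholders."""
import json
import ssl
import urllib.parse
import urllib.request

# Assumed placeholder URLs; substitute your deployment's UAA and CredHub.
UAA_URL = "https://uaa.example.internal:8443"
CREDHUB_URL = "https://credhub.example.internal:8844"


def build_token_request(uaa_url, client_id, client_secret):
    """UAA client_credentials grant: POST /oauth/token with a form-encoded body.
    The returned access token is what CredHub verifies on every API call."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        uaa_url.rstrip("/") + "/oauth/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def parse_token_response(raw):
    """Extract the bearer token; refuse anything that is not a bearer grant."""
    doc = json.loads(raw)
    if doc.get("token_type", "").lower() != "bearer" or "access_token" not in doc:
        raise ValueError("unexpected token response from UAA")
    return doc["access_token"]


def build_credhub_get(credhub_url, token, name, current=True):
    """GET /api/v1/data?name=<name>&current=true reads only the newest version;
    CredHub keeps earlier versions, so current=false would return the history."""
    query = urllib.parse.urlencode({"name": name,
                                    "current": "true" if current else "false"})
    return urllib.request.Request(
        credhub_url.rstrip("/") + "/api/v1/data?" + query, method="GET",
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"})


def build_credhub_generate(credhub_url, token, name, length=40):
    """POST /api/v1/data asks CredHub to generate a typed 'password' credential
    server-side, so the secret is never chosen or transported by the caller."""
    body = json.dumps({"name": name, "type": "password",
                       "parameters": {"length": length}}).encode()
    return urllib.request.Request(
        credhub_url.rstrip("/") + "/api/v1/data", data=body, method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json", "Accept": "application/json"})


def parse_credential_response(raw):
    """Return (type, value) of the first entry of a GET /api/v1/data response."""
    entries = json.loads(raw).get("data", [])
    if not entries:
        raise LookupError("credential not found or not permitted for this client")
    return entries[0]["type"], entries[0]["value"]


def tls_context(ca_path):
    """Trust only the CA that issued the UAA and CredHub server certificates;
    hostname and certificate verification stay on when handling secrets."""
    ctx = ssl.create_default_context(cafile=ca_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_credential(name, client_id, client_secret, ca_path,
                     opener=urllib.request.urlopen):
    """Full flow: token from UAA, then the credential from CredHub.
    `opener` is injectable so the flow can run against a fake transport."""
    ctx = tls_context(ca_path)
    token = parse_token_response(
        opener(build_token_request(UAA_URL, client_id, client_secret), context=ctx).read())
    raw = opener(build_credhub_get(CREDHUB_URL, token, name), context=ctx).read()
    return parse_credential_response(raw)


# Constructed sample responses shaped like UAA's and CredHub's JSON (not real data).
SAMPLE_TOKEN_RESPONSE = ('{"access_token": "eyJ.sample.token", '
                         '"token_type": "bearer", "expires_in": 43199}')
SAMPLE_CREDENTIAL_RESPONSE = (
    '{"data": [{"id": "00000000-0000-0000-0000-000000000000", '
    '"name": "/my-app/db-password", "type": "password", '
    '"value": "constructed-example-value", '
    '"version_created_at": "2019-01-01T00:00:00Z"}]}')


def fetch_credential_offline(name):
    """Exercise fetch_credential with a fake opener that replays the samples."""
    class FakeResponse:
        def __init__(self, body):
            self.body = body

        def read(self):
            return self.body

    def fake_opener(req, context=None):
        if req.full_url.endswith("/oauth/token"):
            assert b"grant_type=client_credentials" in req.data
            return FakeResponse(SAMPLE_TOKEN_RESPONSE)
        # CredHub side: the bearer token from UAA must be present on the request.
        assert req.get_header("Authorization") == "Bearer eyJ.sample.token"
        return FakeResponse(SAMPLE_CREDENTIAL_RESPONSE)

    return fetch_credential(name, "cred-client", "cred-secret", None,
                            opener=fake_opener)
```

With a real deployment, call `fetch_credential("/my-app/db-password", client_id, client_secret, "/path/to/ca.pem")`; the UAA client must hold the CredHub scopes for the operation, and CredHub's own access and change log records the read on the server side.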

[Figure: Basic Architecture]

Deployment Architecture

CredHub has two primary deployment architectures: co-located on a consumer VM, or run as an independently deployed and managed service.

Deploying CredHub with BOSH

The config server implementation of the BOSH Director uses the co-location architecture. This fits the Director, which runs as a single instance and has the unique bootstrap problem of deploying itself as the first VM in an environment.

[Figure: BOSH Deployment]

This architecture benefits from low latency and simplicity for a single consumer. This configuration is not appropriate where many consumers exist or high availability is required.

For more information, read Setting Up and Deploying CredHub with BOSH.

CredHub Credential Types

Credentials exist in multiple places in the CF ecosystem. CF components use credentials to authenticate connections between components. CF installations often have hundreds of active credentials. Leaked credentials are common causes of data and security breaches, so managing them securely is very important.

For more information, read CredHub Credential Types.

Backing Up and Restoring CredHub Instances

The CredHub application does not hold state, but you must ensure its dependent components are backed up. Redundant backups can help prevent data loss if an individual component fails. For more information, read Backing Up and Restoring CredHub Instances.