Commit

update intro to bucc from docker-compose
drnic committed Apr 2, 2018
1 parent c2a0c2a commit 7de15cb
Showing 1 changed file with 18 additions and 23 deletions.
41 changes: 18 additions & 23 deletions docs/basics/secret-parameters.md
Expand Up @@ -8,37 +8,32 @@ Concourse supports Cloud Foundry Credhub and Hashicorp Vault. They have a common

## Redeploy Concourse with Credhub

First, delete initial `tutorial` concourse:
We will now switch from our `docker-compose up` deployment of Concourse to [bucc](https://github.com/starkandwayne/bucc) to deploy a local single VM version of Concourse that has the Credhub credentials manager. As a bonus, `bucc` will allow you to deploy a production-version of Concourse to any public or private cloud. In this tutorial we will deploy `bucc` to your local machine.

```
cd ../../..
bosh delete-env manifests/concourse-lite.yml --state tmp/state.json
```

Now, switch to [bucc](https://github.com/starkandwayne/bucc) to deploy a local single VM version of Concourse that has the Credhub credentials manager.
First, you need to install [VirtualBox](https://www.virtualbox.org/wiki/Downloads) (for the local deployment of `bucc`).

In another terminal:
Next:

```
```plain
git clone https://github.com/starkandwayne/bucc ~/workspace/bucc
cd ~/workspace/bucc
```

Now run:
Now run the following to deploy `bucc` to your local machine using VirtualBox:

```
```plain
bucc up --lite
```

If this fails with `command not found: bucc`, then perhaps you do not have [`direnv`](https://direnv.net/) installed. Never fear. Run to update your `$PATH` to add the `bin/bucc` command.

```
```plain
source .envrc
```

Now run:

```
```plain
bucc up --lite
```
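
Review bot: The new intro says the reader is switching away from a `docker-compose up` deployment, but the `bosh delete-env` teardown block has no replacement in the new text, so nothing tells the reader to stop the old Concourse before `bucc up --lite`. Add a teardown step for the docker-compose deployment (for example `docker-compose down` in the directory where it was started), or state explicitly that it can keep running alongside `bucc`. The bare "Next:" before the `git clone` block would also read better as a sentence that says what the step does, matching the rewritten "Now run the following to deploy ..." line below it.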

Expand All @@ -48,7 +43,7 @@ The `bucc up --lite` command is similar to `bosh create-env` but adds Credhub to

To target and login to your new Concourse:

```
```plain
bucc fly
```

Expand All @@ -58,15 +53,15 @@ The Concourse dashboard UI is now at https://192.168.50.6/

To target and login to Credhub, the credentials manager included in `bucc`:

```
```plain
bucc credhub
```

## Reauthentication

Credhub will enthusiastically and frequently drop your login session:

```
```plain
You are not currently authenticated. Please log in to continue.
```

Expand All @@ -78,22 +73,22 @@ Similarly, `fly -t bucc` sessions will timeout. To re-authenticate, return to `~

Back in your main `concourse-tutorial` terminal window, return to the `tutorials/basic/parameters` folder, and install the pipeline from the preceding section to our new `bucc` concourse environment. Do not provide any explicit values for the parameters as these will come from the Credhub credentials manager:

```
```plain
cd ../parameters
fly -t bucc sp -p parameters -c pipeline.yml
fly -t bucc up -p parameters
```

## Insert values into Credentials Manager

```
```plain
credhub set -n /concourse/main/parameters/cat-name --type value --value garfield
credhub set -n /concourse/main/parameters/dog-name --type value --value oddie
```

Run the pipeline job to confirm that it dynamically fetched the secrets from Credhub:

```
```plain
fly -t bucc trigger-job -j parameters/show-animal-names -w
```
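
Review bot: The `credhub set` block in this hunk passes each secret through `--value` on the command line, which leaves the value in the shell history. The values here are tutorial placeholders, but since this fence is being touched anyway, a one-line note saying so would stop readers from copying the pattern for real credentials. The retagging itself also uses `plain` for these commands and, in the Reauthentication hunk, for program output; if the intent is only to suppress highlighting that is consistent, otherwise a shell tag on the command blocks would distinguish the two.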

Expand All @@ -106,7 +101,7 @@ When resolving a parameter such as `((cat-name))`, it will look in the following

So, if the `((cat-name))` credential is to be shared across all pipelines in the `main` team, then the `credhub set` commands would become:

```
```plain
credhub delete -n /concourse/main/parameters/cat-name
credhub delete -n /concourse/main/parameters/dog-name
credhub set -n /concourse/main/cat-name --type value --value garfield
Expand All @@ -115,15 +110,15 @@ credhub set -n /concourse/main/dog-name --type value --value oddie

Again, run the pipeline job to confirm that it dynamically fetched the team's shared secrets from Credhub:

```
```plain
fly -t bucc trigger-job -j parameters/show-animal-names -w
```

## Rotating Secrets

A great feature of Concourse Credentials Manager - regardless if backed by Cloud Foundry Credhub or Hashicorp Vault - is that you can now update secrets/parameters and the new values will automatically be used the next time a job is run.

```
```plain
credhub set -n /concourse/main/cat-name --type value --value milo
credhub set -n /concourse/main/dog-name --type value --value otis
Expand All @@ -132,7 +127,7 @@ fly -t bucc trigger-job -j parameters/show-animal-names -w

The output will include the two new parameter values:

```
```plain
CAT_NAME=milo
DOG_NAME=otis
```