Utilizing credhub for ipsec certificates

Article ID: 298136

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

How can I utilize Credhub for the IPSec bosh addon's certificates?

Environment

Product Version: 3.0

Resolution

Pick a variable name. It can be anything that satisfies CredHub's naming rules (see the CredHub docs, or keep it simple). This article uses /ipsec/instance_private_key. Keep the leading slash: BOSH treats a variable name that does not start with / as relative and prefixes it with the director and deployment name, so an absolute name is what makes the runtime config reference exactly this credential.

Using the above name, we can confirm it doesn't exist:

credhub get -n /ipsec/instance_private_key

 

This should return the following error:

The request could not be completed because the credential does not exist or you do not have sufficient authorization.

If it returns a credential instead, choose a different name. (CredHub gives the same error when the name exists but your account lacks read permission on it, so this check only proves that nothing readable is stored under that name.)

Next we will write the private key to CredHub. This assumes you have a file named private.key.pem containing the private key that IPSec is supposed to use, e.g.:
cat private.key.pem 

-----BEGIN PRIVATE KEY-----
 .... 
-----END PRIVATE KEY-----
We will now use that file to set the CredHub value. Note that "$(cat private.key.pem)" is expanded by the shell onto the command line, so the key is briefly visible in the process list and is recorded in your shell history if you type the command interactively:
credhub set -n /ipsec/instance_private_key --type value --value "$(cat private.key.pem)"
id: 518827da-fbf5-4446-9341-317548bb67d4
name: /ipsec/instance_private_key
type: value
value: <redacted>
version_created_at: "2024-03-13T15:45:55Z"

Next we verify the private key variable was properly written to credhub:
credhub get -n /ipsec/instance_private_key
id: 518827da-fbf5-4446-9341-317548bb67d4
name: /ipsec/instance_private_key
type: value
value: |-
  -----BEGIN PRIVATE KEY-----
  .....
  -----END PRIVATE KEY-----
version_created_at: "2024-03-13T15:45:55Z"

Once the variable is set properly in Credhub, we need to update our IPSec manifest to utilize this variable. The ipsec-addon.yml should currently look like this:
addons:
- include:
    stemcell:
    - os: ubuntu-trusty
    - os: ubuntu-xenial
    - os: ubuntu-jammy
  jobs:
  - name: ipsec
    properties:
      ipsec:
        ca_certificates:
        - |
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
        instance_certificate: |
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
        instance_private_key: |
          -----BEGIN RSA PRIVATE KEY-----
          ...
          -----END RSA PRIVATE KEY-----
        ipsec_subnets:
        - 10.0.0.0/8
        log_level: 3
        no_ipsec_subnets:
        - 10.0.0.5/32
        - 10.0.0.2/32
        - 10.0.12.0/24
        optional: false
    release: ipsec
  name: ipsec
releases:
- name: ipsec
  version: 1.9.56
We need to modify the "instance_private_key" section to use the CredHub variable:
...
        instance_private_key: "((/ipsec/instance_private_key))"
...

Now, using this manifest, update the IPSec runtime config (for example with bosh update-runtime-config --name ipsec ipsec-addon.yml) and redeploy so the change takes effect. The director resolves the ((/ipsec/instance_private_key)) reference from CredHub at deploy time, so the private key no longer lives in the manifest. The CA and instance certificates are public and can stay inline.
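The steps above, wrapped in shell functions as an added example (this is not code from the KB article or from the ipsec release). It assumes the credhub CLI is installed and logged in; the function names, the awk-based manifest rewrite, and the -q (quiet) flag used to read back only the credential value are assumptions of this example, not something the article specifies. The manifest rewrite and the name and PEM checks run offline, so they can be tried on a copy of ipsec-addon.yml before touching CredHub.

```shell
#!/usr/bin/env bash
# Added example, not part of the KB article or the ipsec release: wraps the
# article's steps (check the name is unused, store the key, read it back,
# rewrite the manifest) in functions. Assumes the credhub CLI is logged in.
# Function names and the -q (quiet) flag used to read back only the value
# are assumptions of this example, not something the article specifies.
set -eu

# The file must carry PEM private-key markers (PKCS#8 "PRIVATE KEY" as in the
# article's private.key.pem, or the PKCS#1/EC variants seen in the manifest).
pem_private_key_ok() {
  grep -Eq -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' "$1" &&
    grep -Eq -- '^-----END (RSA |EC )?PRIVATE KEY-----$' "$1"
}

# A name that does not start with "/" is relative: BOSH prefixes it with the
# director and deployment name, so the runtime config would then point at a
# different credential than the one you just stored. Also reject characters
# that would break the ((...)) reference inside the YAML.
absolute_cred_name_ok() {
  case "$1" in
    /*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *[[:space:]]*|*'"'*|*"'"*|*'('*|*')'*) return 1 ;;
  esac
  return 0
}

# CredHub answers "does not exist or you do not have sufficient authorization"
# for both cases, so a "free" result only proves you cannot read that name.
credhub_name_is_free() {
  ! credhub get -n "$1" >/dev/null 2>&1
}

# Replace the inline instance_private_key block scalar (|, |- or >) in the
# addon manifest with a CredHub reference, dropping the indented PEM lines.
render_manifest() {
  in="$1"; out="$2"; name="$3"
  awk -v name="$name" '
    BEGIN { skip = 0; keyindent = 0 }
    {
      rest = $0
      sub(/^[ ]*/, "", rest)
      indent = length($0) - length(rest)
      if (skip) {
        # still inside the block scalar: deeper indentation or a blank line
        if (indent > keyindent || $0 ~ /^[ ]*$/) next
        skip = 0
      }
      if ($0 ~ /^[ ]*instance_private_key:[ ]*[|>]/) {
        keyindent = indent
        printf "%sinstance_private_key: \"((%s))\"\n", substr($0, 1, indent), name
        skip = 1
        next
      }
      print
    }' "$in" > "$out"
}

# Whole procedure: <credhub name> <private key PEM> <manifest in> <manifest out>
migrate_ipsec_key() {
  name="$1"; keyfile="$2"; manifest_in="$3"; manifest_out="$4"
  absolute_cred_name_ok "$name" || { echo "unusable credential name: $name" >&2; return 1; }
  pem_private_key_ok "$keyfile" || { echo "$keyfile is not a PEM private key" >&2; return 1; }
  credhub_name_is_free "$name" || { echo "$name already returns a credential; pick another name" >&2; return 1; }

  # As in the article: the PEM travels on credhub's command line, so it is
  # briefly visible in the process list. Running it from a script at least
  # keeps it out of interactive shell history.
  credhub set -n "$name" --type value --value "$(cat "$keyfile")" >/dev/null

  # Read it back and compare with the file (command substitution strips the
  # trailing newline on both sides, which is the only expected difference).
  if [ "$(credhub get -n "$name" -q)" != "$(cat "$keyfile")" ]; then
    echo "read-back of $name does not match $keyfile" >&2
    return 1
  fi

  render_manifest "$manifest_in" "$manifest_out" "$name"
  echo "wrote $manifest_out; next: bosh update-runtime-config --name ipsec $manifest_out, then redeploy"
}

# Usage (not run here):
#   migrate_ipsec_key /ipsec/instance_private_key private.key.pem ipsec-addon.yml ipsec-addon.credhub.yml
```

The awk rewrite deliberately removes every line indented deeper than the instance_private_key key, which is what makes the PEM disappear from the manifest; any other key in the file is copied through unchanged, so a diff of the two manifests should show only that one block replaced.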