# Pin the CredHub release the director downloads. The sha1 is what the director
# verifies the downloaded tarball against, so the URL (which pins one S3 object
# via its versionId) and the sha1 must always be bumped together. Per the tarball
# name this is a compiled release for the ubuntu-xenial 97.16 stemcell.
- type: replace
  path: /releases/-
  value:
    name: credhub
    version: '2.0.2'
    sha1: 'afb03addb21543d3feafbebff8fdc242543ef0cb'
    url: 'https://s3.amazonaws.com/bosh-compiled-release-tarballs/credhub-2.0.2-ubuntu-xenial-97.16-20180912-174457-075145067-20180912174506.tgz?versionId=XXig9OLrmykqimvtJUYYlhKhykxk0M6i'
# Co-locate the CredHub job on the director VM.
- type: replace
  path: /instance_groups/name=bosh/jobs/-
  value:
    name: credhub
    release: credhub
    properties:
      credhub:
        # Server certificate/key for the CredHub API; issued by credhub_ca (see variables).
        tls: ((credhub_tls))
        authorization:
          acls:
            # NOTE(review): with ACLs off, authorization reduces to the UAA scope
            # check (credhub.read / credhub.write). Every client holding those
            # scopes - director_to_credhub, credhub_cli users, credhub-admin - can
            # read and write every credential here, so treat each of those secrets
            # as full-access credentials.
            enabled: false
        authentication:
          uaa:
            # Tokens come from the UAA co-located on the director. CredHub trusts
            # that UAA's TLS CA and checks JWT signatures against the public half
            # of the UAA signing key.
            url: 'https://((internal_ip)):8443'
            ca_certs:
              - ((uaa_ssl.ca))
            verification_key: ((uaa_jwt_signing_key.public_key))
        data_storage:
          type: postgres
          # The director's own postgres, reached over loopback. require_tls is
          # false, so this connection is in the clear; that is tolerable only
          # because it never leaves the VM. Do not repoint host at a remote
          # database without also enabling require_tls.
          host: 127.0.0.1
          port: 5432
          database: credhub
          username: postgres
          password: ((postgres_password))
          require_tls: false
        encryption:
          # Credential values are encrypted at rest by the "internal" software
          # provider with a key derived from credhub_encryption_password. Without
          # that password the stored values cannot be decrypted, so it must be
          # backed up together with the director's vars store.
          providers:
            - name: internal
              type: internal
          keys:
            - provider_name: internal
              active: true
              key_properties:
                encryption_password: ((credhub_encryption_password))
# Create the `credhub` database in the director's co-located postgres; this is
# the data_storage.database the credhub job above connects to.
- type: replace
  path: /instance_groups/name=bosh/properties/postgres/additional_databases?/-
  value: credhub
# Configure Director
# Point the director's config server at the local CredHub API (8844). ca_cert is
# the credhub_ca, so the director refuses a CredHub that presents a certificate
# from any other CA; it authenticates to UAA with the director_to_credhub
# client-credentials client defined below.
- type: replace
  path: /instance_groups/name=bosh/properties/director/config_server?
  value:
    enabled: true
    url: 'https://((internal_ip)):8844/api/'
    ca_cert: ((credhub_tls.ca))
    uaa:
      url: 'https://((internal_ip)):8443'
      ca_cert: ((uaa_ssl.ca))
      client_id: director_to_credhub
      client_secret: ((uaa_clients_director_to_credhub))
# Configure UAA
# Machine client the director uses to reach CredHub (matches config_server.uaa
# above). client_credentials only, no user involved, hence authorities rather
# than scope. With CredHub ACLs disabled, credhub.read + credhub.write is full
# access, so the generated secret is as sensitive as everything CredHub stores.
- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/clients/director_to_credhub?
  value:
    override: true
    authorized-grant-types: client_credentials
    scope: ''
    authorities: credhub.read,credhub.write
    access-token-validity: 3600
    secret: ((uaa_clients_director_to_credhub))
# Public client for the `credhub` CLI. The empty secret is deliberate: the CLI
# is shipped to every operator and cannot keep a client secret, so security
# rests on the user's UAA password (password grant). That is also why this client
# carries scope instead of authorities, and why tokens are short-lived: 60 s
# access tokens, 30 min refresh tokens. override: true replaces any existing
# client of this id in UAA's config.
- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/clients/credhub_cli?
  value:
    override: true
    authorized-grant-types: password,refresh_token
    scope: credhub.read,credhub.write
    authorities: ''
    access-token-validity: 60
    refresh-token-validity: 1800
    secret: ''
# Non-interactive client (client_credentials, no user) - presumably for
# automation that talks to CredHub directly. It carries the same full-access
# authorities as director_to_credhub; its secret is generated by the director
# (credhub_admin_client_secret) and must be guarded like a root credential.
- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/clients/credhub-admin?
  value:
    override: true
    authorized-grant-types: client_credentials
    scope: ''
    authorities: credhub.read,credhub.write
    access-token-validity: 3600
    secret: ((credhub_admin_client_secret))
# Make UAA-issued JWTs revocable so tokens for the clients above can be
# invalidated before their access-token-validity runs out (e.g. after a client
# secret rotation) instead of remaining usable until expiry.
- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/jwt/revocable?
  value: true
# Variables
# Self-signed CA generated by the director into its vars store. Within this ops
# file it signs only credhub_tls, and it is what the director pins as
# config_server.ca_cert.
- type: replace
  path: /variables/-
  value:
    name: credhub_ca
    type: certificate
    options:
      is_ca: true
      common_name: 'CredHub CA'
# Leaf certificate CredHub serves on 8844. CN and SAN are both the director's
# internal IP, so clients must connect by that IP; a hostname would fail
# verification unless it is added to alternative_names.
- type: replace
  path: /variables/-
  value:
    name: credhub_tls
    type: certificate
    options:
      ca: credhub_ca
      common_name: ((internal_ip))
      alternative_names:
        - ((internal_ip))
# Secrets generated by the director on first deploy. None of them has a value in
# this file; each lives in the vars store and is backed up / rotated there.
# credhub_encryption_password is the root of CredHub's at-rest encryption (see
# encryption.keys in the credhub job): losing it means losing every stored
# credential. postgres_password, uaa_ssl and uaa_jwt_signing_key are used above
# but declared outside this file - presumably the base manifest and the uaa ops
# file - so this file must be applied on top of a manifest that provides them.
- type: replace
  path: /variables/-
  value:
    name: credhub_encryption_password
    type: password

- type: replace
  path: /variables/-
  value:
    name: uaa_clients_director_to_credhub
    type: password

- type: replace
  path: /variables/-
  value:
    name: credhub_admin_client_secret
    type: password