
Support Secure Service Credential Delivery for apps using file-based service bindings

Open tcdowney opened this issue 9 months ago • 0 comments

Proposed Change

Cloud Foundry supports a feature where service brokers can store service credentials in CredHub instead of within Cloud Controller's database. The broker will create credentials and grant access to apps based on their GUID. Cloud Controller receives a reference to the credential which is provided to the app via VCAP_SERVICES. The buildpack/docker app launchers then call CredHub (using the app's instance identity certs for auth(n/z)) to dereference these values and interpolate them back into VCAP_SERVICES.

A new feature allows apps to opt in to having service binding credentials provided via files instead of in the VCAP_SERVICES environment variable. We should extend the buildpackapplifecycle's Secure Service Credential Delivery functionality to also support file-based bindings.

Acceptance criteria

Scenario: K8s Style Service Bindings
Given I have enabled the service-binding-k8s feature flag on my app (https://v3-apidocs.cloudfoundry.org/version/3.194.0/index.html#supported-app-features)
And I have pushed an app that reads and displays service binding credentials from $SERVICE_BINDING_ROOT
When I bind the app to a Credhub-enabled service broker (use this one in CATS)
And I inspect the app
Then I see the CredHub credentials have been dereferenced

Scenario: File-based VCAP Services
Given I have enabled the file-based-vcap-services feature flag on my app (https://v3-apidocs.cloudfoundry.org/version/3.194.0/index.html#supported-app-features)
And I have pushed an app that reads and displays service binding credentials from $VCAP_SERVICES_FILE_PATH
When I bind the app to a Credhub-enabled service broker (use this one in CATS)
And I inspect the app
Then I see the CredHub credentials have been dereferenced

Related links

  • https://github.com/cloudfoundry/community/blob/4f05e2e08700ef388e3857c7c225c7e3cb565a1b/toc/rfc/rfc-0030-add-support-for-file-based-service-binding.md?plain=1#L27
  • https://github.com/cloudfoundry/cnbapplifecycle/issues/92
  • https://github.com/cloudfoundry/credhub/blob/main/docs/secure-service-credentials.md#secure-service-credential-delivery

tcdowney, May 12 '25 22:05
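The sketch below is an added example, not code from this issue or from buildpackapplifecycle, of what the two acceptance scenarios ask the launcher to do: walk the file-based locations, find credentials that are only a CredHub reference, and replace them with the dereferenced values. It assumes a `Resolver` interface standing in for the CredHub client (the real launcher authenticates that client with the app's instance identity certificate), an in-memory `fakeCredHub` so it runs offline, and that a CredHub-backed k8s-style binding carries its reference in a file named `credhub-ref` under the binding directory; that layout is an assumption, not something the issue or RFC specifies. It fails closed on an unresolvable reference and refuses credential keys that could not safely become file names.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const credhubRefKey = "credhub-ref"

// Resolver stands in for the CredHub client (assumed interface, not the
// project's own API). The real launcher drives that client over mTLS with
// the app's instance identity certificate.
type Resolver interface {
	Resolve(ref string) (map[string]any, error)
}

// fakeCredHub is a constructed, in-memory stand-in so the example runs offline.
type fakeCredHub map[string]map[string]any

func (f fakeCredHub) Resolve(ref string) (map[string]any, error) {
	creds, ok := f[ref]
	if !ok {
		return nil, fmt.Errorf("credhub-ref %q not found", ref)
	}
	return creds, nil
}

// InterpolateVCAPServices replaces every credentials block of the form
// {"credhub-ref": "<path>"} in a VCAP_SERVICES document with the resolved
// credentials. An unresolvable reference fails the whole document (fail
// closed) rather than starting the app with a dangling reference.
func InterpolateVCAPServices(raw []byte, r Resolver) ([]byte, error) {
	var services map[string][]map[string]any
	if err := json.Unmarshal(raw, &services); err != nil {
		return nil, fmt.Errorf("parse VCAP_SERVICES: %w", err)
	}
	for label, instances := range services {
		for i, inst := range instances {
			creds, _ := inst["credentials"].(map[string]any)
			ref, ok := creds[credhubRefKey].(string)
			if !ok {
				continue // plain credentials held by Cloud Controller; nothing to do
			}
			resolved, err := r.Resolve(ref)
			if err != nil {
				return nil, fmt.Errorf("%s[%d]: %w", label, i, err)
			}
			inst["credentials"] = resolved
		}
	}
	return json.Marshal(services)
}

// InterpolateVCAPServicesFile covers the file-based-vcap-services flag: the
// document lives at $VCAP_SERVICES_FILE_PATH and is rewritten in place.
func InterpolateVCAPServicesFile(path string, r Resolver) error {
	raw, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	out, err := InterpolateVCAPServices(raw, r)
	if err != nil {
		return err
	}
	return os.WriteFile(path, out, 0o600) // credentials: owner-readable only
}

// InterpolateBindingRoot covers the service-binding-k8s flag: each binding is
// a directory under $SERVICE_BINDING_ROOT with one file per credential key.
// Assumption: a CredHub-backed binding holds its reference in a "credhub-ref"
// file, which is replaced by one file per resolved key.
func InterpolateBindingRoot(root string, r Resolver) error {
	entries, err := os.ReadDir(root)
	if err != nil {
		return err
	}
	for _, e := range entries {
		if !e.IsDir() {
			continue
		}
		dir := filepath.Join(root, e.Name())
		refBytes, err := os.ReadFile(filepath.Join(dir, credhubRefKey))
		if errors.Is(err, os.ErrNotExist) {
			continue // binding with plain credentials
		}
		if err != nil {
			return err
		}
		resolved, err := r.Resolve(strings.TrimSpace(string(refBytes)))
		if err != nil {
			return fmt.Errorf("binding %s: %w", e.Name(), err)
		}
		for key, val := range resolved {
			// Keys become file names: refuse anything that could escape the binding dir.
			if key == "" || key == "." || key == ".." || strings.ContainsAny(key, `/\`) {
				return fmt.Errorf("binding %s: unsafe credential key %q", e.Name(), key)
			}
			content, ok := val.(string)
			if !ok { // nested values are written as JSON text (an assumption)
				b, err := json.Marshal(val)
				if err != nil {
					return err
				}
				content = string(b)
			}
			if err := os.WriteFile(filepath.Join(dir, key), []byte(content), 0o600); err != nil {
				return err
			}
		}
		if err := os.Remove(filepath.Join(dir, credhubRefKey)); err != nil {
			return err
		}
	}
	return nil
}
```

In a real launcher the two entry points would be called right after the existing VCAP_SERVICES interpolation, with `VCAP_SERVICES_FILE_PATH` and `SERVICE_BINDING_ROOT` read from the app's environment and the `Resolver` backed by the CredHub client already used for the environment-variable case.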