Cloud Foundry Day NA 2024

Secrets management for BOSH deployments means more than just creating secrets. They need to be properly secured and rotated on a regular basis, especially X.509 certificates for SSL/mTLS. When we started deploying with BOSH, we used Vault to handle secrets, but this exposed the secrets during deploy and in retrieved manifests. CredHub came along, and hid all the details behind the curtain, but it hid them a little too well, to the point that you can't even tell that secrets were or were not changed when you deploy. A hybrid approach balances visibility and confidentiality, making secret management more accessible and less daunting. Vault is the "One True Source" for secrets, handling tasks like adding, rotating, and verifying secrets during deployments. CredHub holds the secrets used for deployment, referencing a signature-based path containing a 'fingerprint' of secrets, making changes noticeable without compromising security. This improvement ensures the integrity and confidentiality of deployments, enhancing transparency. Using some open-source tooling to glue this together makes life cycle management of secrets a breeze, rather than a dreaded event lurking over the horizon.