|
| 1 | +:toc: |
| 2 | + |
| 3 | +# Automatic Service Key Renewal |
| 4 | + |
| 5 | +## Overview |
| 6 | + |
| 7 | +It's a common use case to want an automatic service key renewal (e.g. if you want to rotate generated service credentials or certificates). Service key renewal on MTA redeployment is supported by using changed key names. You can do this either by manually changing the service key name in the descriptor or by using a dynamic parameter as part of it - ${timestamp}. This parameter will always resolve to the current timestamp at the time of deployment. This means that the key will have a different name on each subsequent deployment. This ensures that it will be considered as new and created. Afterwards the old key will be deleted. This functionality applies to service keys modelled under a resource using the `service-keys:` parameter. Example descriptor for automated key renewal/rotation: |
| 8 | + |
| 9 | +```yaml |
| 10 | +... |
| 11 | +resources: |
| 12 | + - name: my-service |
| 13 | + type: org.cloudfoundry.managed-service |
| 14 | + parameters: |
| 15 | + service-plan: plan |
| 16 | + service: offering |
| 17 | + service-keys: |
| 18 | + - name: my-rotating-key-${timestamp} |
| 19 | +... |
| 20 | +``` |
| 21 | + |
| 22 | +## Detailed Service Key Renewal Process |
| 23 | + |
| 24 | +During deployment, any service keys that are modelled in the MTA descriptor but don't exist in the space we're deploying to are created. MTA service keys that exist but are not modelled in the current descriptor - are considered no longer in use and deleted afterwards. These keys are identified as part of the MTA by their metadata (applied to service keys during the MTA deployment process). |
| 25 | + |
| 26 | +This is an overview of the service key renewal process: |
| 27 | + |
| 28 | +image::service_keys_handling_diagram.png[] |
| 29 | + |
| 30 | +Step by step explanation: |
| 31 | + |
| 32 | +1. A user starts a deploy for a previously deployed MTA. The mtad.yaml descriptor contains resources with `service-keys` definitions |
| 33 | +2. Deploy Service detects the existing services and service keys part of the MTA that already exist in the target space and org via their names and metadata |
| 34 | +3. Deploy Service resolves all parameters in the descriptor (including the system parameter `${timestamp}`) and gathers the service key definintions for the current deployment. These are then compared to the existing ones detected in the previous step - any defined keys not present are marked for *creation*, any defined keys that are present but in a failed state (determined by last operation state from CF != "succeeded") or have different credentials are marked for *recreation*, any keys that are present but are not defined are marked for *deletion* |
| 35 | +4. Deploy Service updates the metadata of any present service keys if necessary (e.g. the key was created previously for a different MTA or without metadata) |
| 36 | +5. Deploy Service deletes the service keys marked for recreation in step 3 |
| 37 | +6. Deploy Service creates new service keys - the ones marked for creation and the ones deleted in the previous step |
| 38 | +7. Deploy Service deletes the service keys marked for deletion in step 3 |
| 39 | +
|
| 40 | +The service keys using the `${timestamp}` parameter in their names are in this case are simply considered as new service keys - meaning they are created at step *6* and then after that the old ones are deleted in step *7* (since they are no longer present in the descriptor with the updated names). This ensures the rotating keys are first created and bound before the old ones are deleted (as seen from above this isn't true for the keys that require recreation due to a failed state or credential change, as their names are the same and cannot be recreated before the old ones are deleted). |
| 41 | + |
| 42 | +## Automatically Renewed Service Key Consumption |
| 43 | +To consume a service key with a changing name in an application environment, make sure to use the parameter `env-var-name` when defining the service key `requires` section in the consuming module. This will ensure that the service key details are persisted under a static alias in the application environment. e.g. |
| 44 | + |
| 45 | +```yaml |
| 46 | +modules: |
| 47 | +- name: my-app |
| 48 | +... |
| 49 | + requires: |
| 50 | + - name: rotating-key |
| 51 | + parameters: |
| 52 | + env-var-name: *keycredentials* |
| 53 | +... |
| 54 | +resources: |
| 55 | + - name: my-service |
| 56 | + type: org.cloudfoundry.managed-service |
| 57 | + parameters: |
| 58 | + service-keys: |
| 59 | + - name: rotating-key-${timestamp} |
| 60 | + - name: rotating-key |
| 61 | + type: org.cloudfoundry.existing-service-key |
| 62 | + parameters: |
| 63 | + service-name: my-service |
| 64 | + service-key-name: rotating-key-${timestamp} |
| 65 | +``` |
| 66 | +link:https://help.sap.com/docs/btp/sap-business-technology-platform/service-keys#consumption-of-service-keys[More details about this parameter here.] |
| 67 | + |
| 68 | + |
| 69 | +## Try it out |
| 70 | + |
| 71 | +Deploy the provided mtar in cf to demo the automated service key rotation |
| 72 | +```bash |
| 73 | +cf deploy ./test-rotating-service-keys.mtar |
| 74 | +``` |
| 75 | + |
| 76 | +Verify the service key with a dynamic name was created, and added to the app environment |
| 77 | +```bash |
| 78 | +cf service-keys postgre-test-service |
| 79 | +... |
| 80 | +cf service-key postgre-test-service <rotating-key-1-timestamp-1> |
| 81 | +... |
| 82 | +cf env my-app |
| 83 | +... |
| 84 | +``` |
| 85 | + |
| 86 | +Do a redeploy of the same mta (observe the messages in the process log), e.g. |
| 87 | +```bash |
| 88 | +cf deploy ./test-rotating-service-keys.mtar |
| 89 | +... |
| 90 | +Creating service key "<rotating-key-1-timestamp-2>" for service instance "postgre-test-service"... |
| 91 | +... |
| 92 | +Deleting service key "<rotating-key-1-timestamp-1>" for service instance "postgre-test-service"... |
| 93 | +... |
| 94 | +``` |
| 95 | + |
| 96 | +Verify that the new service key was created and the old one deleted |
| 97 | +```bash |
| 98 | +cf service-keys postgre-test-service |
| 99 | +... |
| 100 | +cf service-key postgre-test-service <rotating-key-1-timestamp-2> |
| 101 | +... |
| 102 | +cf env my-app |
| 103 | +... |
| 104 | +``` |
| 105 | + |
| 106 | +## Official related documemtation in Help SAP Portal |
| 107 | + |
| 108 | +- link:https://help.sap.com/docs/btp/sap-business-technology-platform/service-keys[MTA Service Keys Official Documentation] |
0 commit comments