Thursday, July 18, 2019

Rotate service credentials for Cloud Foundry apps on IBM Cloud

Keep your cloud environment secure
A popular PaaS (Platform as a service) technology is Cloud Foundry. On IBM Cloud, it is available both as public Cloud Foundry instances in multiple regions and as Cloud Foundry Enterprise Environment (CFEE). Using Cloud Foundry for app development and production has many benefits. Personally, I like the ease of use and how services can be integrated with apps. When you search for my older Bluemix-related blog entries, you will notice that I had (and still have) fun using Cloud Foundry, including my attempts to catch a chocolate thief or testing the hybrid world early on. Similar to my recent blog on rotating credentials when working with IBM Cloud Functions, today, I want to discuss how to bind services and rotate their credentials in a Cloud Foundry environment.

Services for your Cloud Foundry app

Service management is built into Cloud Foundry. You can search for services and obtain details about plans and prices, then provision them and combine them with apps in different ways. A common scenario is to bind a service to an app. During the bind process, the service broker obtains a set of credentials and shares them with the application environment. At runtime, the app can then discover those credentials and connect to that service instance.

Even if the service is from outside the Cloud Foundry environment (and the IBM Cloud), Cloud Foundry has a neat feature to integrate with it. I wrote about user-provided-services (and Db2) a long time ago.

Rotate the credentials

To update the credentials, i.e., to rotate passwords or API keys, unbind the service from the app and then bind it again. Then, the app needs to be either restaged or restarted so that it picks up the new environment variables. Typically, restaging an app would involve a short downtime. The good news is that there are zero-downtime plugins for the Cloud Foundry CLI that keep the app available. Moreover, new zero-downtime (ZDT) commands are available as early beta and as part of the IBM Cloud CLI for Cloud Foundry.

I tested rotation of credentials for one of my apps with the new v3-zdt-restart command. The process was:
  1. ibmcloud cf unbind-service MY_APP MY_SERVICE_INSTANCE
  2. ibmcloud cf bind-service MY_APP MY_SERVICE_INSTANCE
  3. ibmcloud cf v3-zdt-restart MY_APP
Easy, right? If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.
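
To confirm that a rotation like the one above actually reached the app, the app can read its bound credentials from the environment and compare a digest of them before and after the restart. The following is an added example, not code from the original post; it assumes the standard Cloud Foundry VCAP_SERVICES environment variable, and the service label, user names and passwords in the samples are constructed.

```python
import hashlib
import json
import os


def credentials_for(instance_name, vcap_services_json):
    """Return the credentials dict of the named bound instance, or None."""
    services = json.loads(vcap_services_json or "{}")
    # VCAP_SERVICES maps each service label to a list of bound instances.
    for instances in services.values():
        for instance in instances:
            if instance.get("name") == instance_name:
                return instance.get("credentials", {})
    return None


def fingerprint(credentials):
    """Truncated SHA-256 of the credentials, for comparison instead of the secret.

    Assumes broker-generated, high-entropy secrets; a digest of a guessable
    password can still be brute-forced, so treat logs accordingly.
    """
    canonical = json.dumps(credentials, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def rotation_took_effect(instance_name, vcap_before, vcap_after):
    """True only if the instance is bound in both snapshots with new credentials."""
    before = credentials_for(instance_name, vcap_before)
    after = credentials_for(instance_name, vcap_after)
    if before is None or after is None:
        return False  # unbound without rebind, or wrong instance name
    return fingerprint(before) != fingerprint(after)


# Constructed sample snapshots, not real credentials.
SAMPLE_BEFORE = json.dumps({"sample-db": [{"name": "MY_SERVICE_INSTANCE",
    "credentials": {"username": "user-old", "password": "constructed-old"}}]})
SAMPLE_AFTER = json.dumps({"sample-db": [{"name": "MY_SERVICE_INSTANCE",
    "credentials": {"username": "user-new", "password": "constructed-new"}}]})

if __name__ == "__main__":
    # In a running app, VCAP_SERVICES is set; the sample is used only as a fallback.
    vcap = os.environ.get("VCAP_SERVICES", SAMPLE_AFTER)
    creds = credentials_for("MY_SERVICE_INSTANCE", vcap)
    print("credential fingerprint:", fingerprint(creds) if creds else "not bound")
    print("rotated:", rotation_took_effect("MY_SERVICE_INSTANCE", SAMPLE_BEFORE, SAMPLE_AFTER))
```

If the fingerprint logged at startup is unchanged after step 3, the app is still running with the old environment and the old credentials should not yet be considered retired.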