deletion of old credential versions not possible

Open dueckminor opened this issue 3 years ago • 4 comments

What version of the credhub server you are using? 2.9.0

What version of the credhub cli you are using? 2.9.0

If you were attempting to accomplish a task, what was it you were attempting to do? I rotate/update (non-certificate) credentials regularly using the credhub cli by either using:

  • credhub set
  • credhub generate
  • credhub regenerate

What did you expect to happen? I would expect that this doesn't decrease the overall CredHub performance and that the CredHub CLI/API would allow me to delete old versions of the credential. For certificate credentials, there is such an API, but not for all other types of credentials.

What was the actual behaviour? All currently available methods to update a credential will lead to an additional version of the same credential. There is currently no API available which allows removing old and obsolete versions of one credential. If the number of versions grows (more than 5000), the performance of CredHub dramatically decreases and CredHub finally gets unhealthy (I observed a high CPU load on the Database).

Please confirm where necessary:

  • [ ] I have included a log output
  • [ ] My log includes an error message
  • [ ] I have included steps for reproduction

If you are a PCF customer with an Operation Manager (PCF Ops Manager) please direct your questions to support (https://support.pivotal.io/)

dueckminor, May 07 '21 11:05

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/178068836

The labels on this github issue will be updated when the story is started.

cf-gitbot, May 07 '21 11:05

#231 seems similar.

swalchemist, Nov 07 '22 22:11

I guess deleting the credential and recreating it could be a workaround. If you want to clean up all old versions of a credential, you can run credhub delete --name ... and then credhub generate or set again. All older versions will be gone.

But I agree that this is a pretty valid feature request.

bruce-ricard, Mar 12 '24 17:03

Sorry about the wrong link just above. The PR fixes another issue.

bruce-ricard, Mar 13 '24 21:03