Secrets reference guide¶
Secrets enable your blueprint to access these values as needed, during orchestration, without exposing the plain text values.
In F5 VNFM, click .
Click
for each secret to edit the values.Click
to view the secret value (if you have the correct permissions).If you use multi-VIM architecture that deploys blueprints in multiple data centers using different VIMs (OpenStack and VMware), then you must group specific secrets defined in your inputs file.
Important
To avoid deployment issues, verify that you enter these secrets correctly (for example, remove any extra spaces in the keystone secrets).
Secret definitions¶
The following table provides definitions for managing system secrets required for the BIG-IP solution blueprints (for example, Gi LAN and Gi Firewall):
| BIG-IP | Blueprint | Notes |
|---|---|---|
| agent_key_private | All | The private, PEM-encoded, SSH key for connecting to BIG-IP instances. Browse to the local copy of the private key using the Get secret value from file option. |
| bigip_admin_password | All | Set to the desired password for the default BIG-IP admin account. Default value is admin. |
| bigip_root_password | All | Set to the desired password for the default BIG-IP root account. Default value is default. |
| bigip_username | All | Default value is admin. |
| bigip_root_user | All | Root user name of the BIG-IP. You must add this bigip_root_user secret to your manager. |
| bigiq_username | All | Set to the user name for the BIG-IQ system used for licensing BIG-IP VEs in the deployment. Default value is admin. The blueprint solutions use this secret for accessing the BIG-IQ and retrieve licenses. |
| bigiq_password | All | Set to the password for the BIG-IQ system used for licensing BIG-IP VEs in the deployment. Default value is admin. The blueprint solutions use this secret for accessing the BIG-IQ and retrieve licenses. |
The following table provides definitions for managing system secrets required for the BIG-IQ solution blueprint:
| BIG-IQ | Blueprint | Notes |
|---|---|---|
| bigiq_root_username | BIG-IQ | Enter the same root user name already set on the BIG-IQ. Default value is root. You must add this bigiq_root_username secret to your VNF manager.
This secret is used for deploying the F5-VNF-BIG-IQ blueprint that auto-configures the BIG-IQ license manager. |
| bigiq_root_password | BIG-IQ | This secret changes the root password for the BIG-IQ blueprint. Enter the new root password for BIG-IQ. This secret is used for deploying the F5-VNF-BIG-IQ blueprint that auto-configures the BIG-IQ license manager. |
| VNF Manager | Blueprint | Notes |
|---|---|---|
| manager_rest_host | All | Set to the internal IP address of hostname of the VNF Manager. Recommended setting, 127.0.0.1. |
| manager_rest_password | All | Set to the password for the VNF Manager. Default value is admin. |
| manager_rest_username | All | Set to the user name of the VNF Manager. Default value is admin. |
| manager_rest_tenant | All | The VNFM tenant/project name. Default value is default_tenant. |
| Auto-generated | Blueprint | Notes |
|---|---|---|
| internal_ca_cert | All | An auto-generated, unique, CA certificate created by F5 VNF Manager, when you first launch your VNFM. |
| Keystone | Blueprint | Notes |
|---|---|---|
| keystone_allow_insecure_default | All | Set to True to ignore self-signed certificates on the OpenStack API. Set to False, if a valid CA-signed certificate is configured for the OpenStack API. |
| keystone_ca_cert_default | All | If you used an internal CA to generate the certificates used to protect your OpenStack VIM, then add that CA certificate here. Otherwise, if you set the previous keystone_allow_insecure_default
secret to true, then set this to "". |
| keystone_password_default | All | Used for OpenStack VIM. Set to the password for the account with access to the OpenStack tenant where you will deploy blueprint resources. Before changing your VIM password, consult this troubleshooting tip. |
| keystone_tenant_name_default | All | Used for OpenStack VIM. Set to the OpenStack tenant/project name where you will deploy blueprint resources. |
| keystone_url_default | All | Used for OpenStack VIM. Set to the v2 authentication URL of the OpenStack environment where you will deploy blueprint resources; for example, Tip Avoid adding any extra spaces at the beginning and at the end of this value. In OpenStack, find this URL in the row. |
| keystone_username_default | All | Used for OpenStack VIM. Set to the user name of the account with access to the OpenStack tenant where you will deploy blueprint resources. |
Important
If you are allowing VNFM to create keystone resources on OpenStack, then you must configure the keystone account with the required OpenStack permissions.
| Nagiorest | Blueprint | Notes |
|---|---|---|
| nagiosrest_pass | All | Set to the desired password for the Nagios monitoring instance. Default value is testpass. |
| nagiosrest_user | All | Set to the desired user name for the Nagios monitoring instance. Default value is testuser. |
| Region | Blueprint | Notes |
|---|---|---|
| region_default | All | Set to the OpenStack region where you will deploy blueprint resources. Default value is nova. |
| VMware vSphere | Blueprint | Notes |
|---|---|---|
| vsphere_agent_key_public | All | Used for vSphere VIM. The public key for the private one specified in agent_key_private secret. |
| vsphere_allow_insecure_default | All | Set to True to ignore self-signed certificates on the vSphere API. Set to False, if a valid CA-signed certificate is configured for the vSphere API. |
| vsphere_auto_placement_default | All | Enable this setting to specify whether to use vSphere’s auto-placement instead of the VNFM plugin. Set to true if you are using clusters. |
| vsphere_resource_pool_name_default | All | The name of the resource pool in your VMware vCenter Server. |
| vsphere_username_default | All | The username@domain.local used to log into the VMware vSphere Web client. |
| vsphere_template_library_name_default | All | Name of the content library where templates are stored in your VMware vCenter Server. |
| vsphere_port_default | All | Port number you assigned the VMware vCenter Server (default value 443) |
| vsphere_password_default | All | The password used to log into the VMware vSphere API. Before changing your VIM password, consult this troubleshooting tip. |
| vsphere_datacenter_name_default | All | Name of the VMware datacenter. |
| vsphere_host_default | All | The IP address of your VMware vCenter Server. |
The following table provides definitions for managing system secrets required for the Nagios server:
| Nagiorest | Blueprint | Notes |
|---|---|---|
| nagiosrest_pass | All | Set to the desired password for the Nagios monitoring instance. Default value is testpass. |
| nagiosrest_user | All | Set to the desired user name for the Nagios monitoring instance. Default value is testuser. |
Grouped secrets for multi-VIM implementation¶
In order to implement VNFM for multi-VIM configurations, you require the following connectivity:
- VNFM must connect to the VIM’s API
- VNFM must connect to the management networks defined for each VIM.
- VE must connect to the BIG-IQ
To prepare secrets for multi-VIM
Create the following additional sets of keystone/vSphere secrets for every new blueprint solution deployed for each data center.
Replace the _default in the secret name with the value defined for the
datacenterinput in each blueprint solution.Doing so enables you to use a single F5 VNF Manager for orchestrating the access of multiple VIMs (OpenStack and/or vSphere) used to deploy blueprints in multiple data centers.
The multi-VIM secrets for OpenStack include:
- keystone_password_default
- keystone_tenant_name_default
- keystone_url_default
- keystone_username_default
- keystone_allow_insecure_default
- keystone_ca_cert_default
The multi-VIM secrets for vSphere include:
- vsphere_host_default
- vsphere_datacenter_name_default
- vsphere_password_default
- vsphere_username_default
- vsphere_allow_insecure_default
- vsphere_auto_placement_default
- vsphere_resource_pool_name_default
- vsphere_template_library_name_default
- vsphere_port_default
For example, the following table provides a [datacenter_northwest-region] example for OpenStack and a [datacenter_southwest-region] example for vSphere.
You would use these same values to define the datacenter input in the corresponding deployed blueprint for that data center.
| Secret Group | Blueprint | VIM | Notes |
|---|---|---|---|
| keystone_password_[datacenter_northwest-region] | All | OpenStack | Used for accessing the datacenter that uses an OpenStack VIM. Set to the password for the account in a specific datacenter with access to the OpenStack tenant where you will deploy blueprint resources. Before changing your VIM password, consult this troubleshooting tip. |
| keystone_tenant_name_[datacenter_northwest-region] | All | OpenStack | Used for accessing the datacenter that uses an OpenStack VIM. Set to the OpenStack tenant/project name used in a specific datacenter where you will deploy blueprint resources. |
| keystone_url_[datacenter_northwest-region] | All | OpenStack | Used for accessing the datacenter that uses an OpenStack VIM. Set to the v2 authentication URL of the OpenStack environment in a specific datacenter where you will deploy blueprint
resources; for example, http://192.168.1.1:5000/v2.0. |
| keystone_username_[datacenter_northwest-region] | All | OpenStack | Used for accessing the datacenter that uses an OpenStack VIM. Set to the user name of the account with access to the OpenStack tenant in a specific datacenter where you will deploy blueprint resources. |
| keystone_allow_insecure_[datacenter_northwest-region] | All | OpenStack | Set to True to ignore self-signed certificates on the OpenStack API. Set to False, if a valid CA-signed certificate is configured for the OpenStack API. |
| keystone_ca_cert_[datacenter_northwest-region] | All | OpenStack | If you used an internal CA to generate the certificates used to protect your OpenStack VIM, then add that CA certificate here. Otherwise, if you set the previous keystone_allow_insecure_default
secret to true, then set this to "". |
| vsphere_host_[datacenter_southwest-region] | All | VMware | The IP address of your VMware vCenter Server used for a specific datacenter where you will deploy blueprint resources. |
| vsphere_datacenter_name_[datacenter_southwest-region] | All | VMware | Name of a specific VMware datacenter where you will deploy blueprint resources. |
| vsphere_password_[datacenter_southwest-region] | All | VMware | The password used to log into VMware vSphere API deployed at a specific datacenter. Before changing your VIM password, consult this troubleshooting tip. |
| vsphere_username_[datacenter_southwest-region] | All | VMware | The username@domain.local used to log into the VMware vSphere Web client for a specific datacenter. |
| vsphere_allow_insecure_[datacenter_southwest-region] | All | VMware | Set to True to ignore self-signed certificates on the vSphere API. Set to False, if a valid CA-signed certificate is configured for the vSphere API. |
| vsphere_auto_placement_[datacenter_southwest-region] | All | VMware | Enable this setting to specify whether to use vSphere’s auto-placement instead of the VNFM plugin. Set to true if you are using clusters. |
| vsphere_resource_pool_name_[datacenter_southwest-region] | All | VMware | The name of the resource pool in your VMware vCenter Server. |
| vsphere_template_library_name_[datacenter_southwest-region] | All | VMware | Name of the VMware datacenter. |
| vsphere_port_[datacenter_southwest-region] | All | VMware | The IP address of your VMware vCenter Server. |
What’s next?