Secrets reference guide

Secrets enable your blueprint to access these values as needed, during orchestration, without exposing the plain text values.

  1. In F5 VNFM, click System Resources -> Secret Store Management.

  2. Click edit_secrets for each secret to edit the values.

  3. Click secretHidden_secrets to view the secret value (if you have the correct permissions).

  4. If you use multi-VIM architecture that deploys blueprints in multiple data centers using different VIMs (OpenStack and VMware), then you must group specific secrets defined in your inputs file.

    Important

    To avoid deployment issues, verify that you enter these secrets correctly (for example, remove any extra spaces in the keystone secrets).

Secret definitions

The following table provides definitions for managing system secrets:

BIG-IP Blueprint Notes
agent_key_private All The private, PEM-encoded, SSH key for connecting to BIG-IP instances. Browse to the local copy of the private key using the Get secret value from file option.
bigip_admin_password All Set to the desired password for the default BIG-IP admin account. Default value is admin.
bigip_root_password All Set to the desired password for the default BIG-IP root account. Default value is default.
bigip_username All Default value is admin.
bigip_root_user All Root user name of the BIG-IP. You must add this bigip_root_user secret to your manager.
BIG-IQ Blueprint Notes
bigiq_password All Set to the password for the BIG-IQ system used for licensing BIG-IP VEs in the deployment. Default value is admin. The blueprint solutions use this secret for accessing the BIG-IQ and retrieve licenses.
bigiq_username All Set to the user name for the BIG-IQ system used for licensing BIG-IP VEs in the deployment. Default value is admin. The blueprint solutions use this secret for accessing the BIG-IQ and retrieve licenses.
bigiq_root_password BIG-IQ

Enter the same password already set on the default BIG-IQ root account. Default value is default. This secret is used for deploying the F5-VNF-BIG-IQ blueprint that auto-configures the BIG-IQ license manager.

Note

Do NOT use this secret to change the root password on the BIG-IQ.

bigiq_root_username BIG-IQ

Enter the same root user name already set on the BIG-IQ. Default value is root. You must add this bigiq_root_username secret to your manager. This secret is used for deploying the F5-VNF-BIG-IQ blueprint that auto-configures the BIG-IQ license manager.

Note

Do NOT use this secret to change the root username on the BIG-IQ.

VNF Manager Blueprint Notes
manager_rest_host All Set to the internal IP address of hostname of the VNF Manager. Recommended setting, 127.0.0.1.
manager_rest_password All Set to the password for the VNF Manager. Default value is admin.
manager_rest_username All Set to the user name of the VNF Manager. Default value is admin.
manager_rest_tenant All The VNFM tenant/project name. Default value is default_tenant.
Auto-generated Blueprint Notes
internal_ca_cert All An auto-generated, unique, CA certificate created by F5 VNF Manager, when you first launch your VNFM.
Keystone Blueprint Notes
keystone_allow_insecure_default All Set to True to ignore self-signed certificates on the OpenStack API. Set to False, if a valid CA-signed certificate is configured for the OpenStack API.
keystone_ca_cert_default All If you used an internal CA to generate the certificates used to protect your OpenStack VIM, then add that CA certificate here. Otherwise, if you set the previous keystone_allow_insecure_default secret to true, then set this to "".
keystone_password_default All Used for OpenStack VIM. Set to the password for the account with access to the OpenStack tenant where you will deploy blueprint resources. Before changing your VIM password, consult this troubleshooting tip.
keystone_tenant_name_default All Used for OpenStack VIM. Set to the OpenStack tenant/project name where you will deploy blueprint resources.
keystone_url_default All

Used for OpenStack VIM. Set to the v2 authentication URL of the OpenStack environment where you will deploy blueprint resources; for example, http://192.168.1.1:5000/v2.0.

Tip

Avoid adding any extra spaces at the beginning and at the end of this value. In OpenStack, find this URL in the Compute -> Access & Security -> IP Access -> Identity row.

keystone_username_default All Used for OpenStack VIM. Set to the user name of the account with access to the OpenStack tenant where you will deploy blueprint resources.

Important

If you are allowing VNFM to create keystone resources on OpenStack, then you must configure the keystone account with the required OpenStack permissions.

Nagiorest Blueprint Notes
nagiosrest_pass All Set to the desired password for the Nagios monitoring instance. Default value is testpass.
nagiosrest_user All Set to the desired user name for the Nagios monitoring instance. Default value is testuser.
Region Blueprint Notes
region_default All Set to the OpenStack region where you will deploy blueprint resources. Default value is nova.
VMware vSphere Blueprint Notes
vsphere_agent_key_public All Used for vSphere VIM. The public key for the private one specified in agent_key_private secret.
vsphere_allow_insecure_default All Set to True to ignore self-signed certificates on the vSphere API. Set to False, if a valid CA-signed certificate is configured for the vSphere API.
vsphere_auto_placement_default All Enable this setting to specify whether to use vSphere’s auto-placement instead of the VNFM plugin. Set to true if you are using clusters.
vsphere_resource_pool_name_default All The name of the resource pool in your VMware vCenter Server.
vsphere_username_default All The username@domain.local used to log into the VMware vSphere Web client.
vsphere_template_library_name_default All Name of the content library where templates are stored in your VMware vCenter Server.
vsphere_port_default All Port number you assigned the VMware vCenter Server (default value 443)
vsphere_password_default All The password used to log into the VMware vSphere API. Before changing your VIM password, consult this troubleshooting tip.
vsphere_datacenter_name_default All Name of the VMware datacenter.
vsphere_host_default All The IP address of your VMware vCenter Server.

Grouped secrets for multi-VIM implementation

In order to implement VNFM for multi-VIM configurations, you require the following connectivity:

  • VNFM must connect to the VIM’s API
  • VNFM must connect to the management networks defined for each VIM.
  • VE must connect to the BIG-IQ

To prepare secrets for multi-VIM

  1. Create the following additional sets of keystone/vSphere secrets for every new blueprint solution deployed for each data center.

  2. Replace the _default in the secret name with the value defined for the datacenter input in each blueprint solution.

    Doing so enables you to use a single F5 VNF Manager for orchestrating the access of multiple VIMs (OpenStack and/or vSphere) used to deploy blueprints in multiple data centers.

The multi-VIM secrets for OpenStack include:

  • keystone_password_default
  • keystone_tenant_name_default
  • keystone_url_default
  • keystone_username_default
  • keystone_allow_insecure_default
  • keystone_ca_cert_default

The multi-VIM secrets for vSphere include:

  • vsphere_host_default
  • vsphere_datacenter_name_default
  • vsphere_password_default
  • vsphere_username_default
  • vsphere_allow_insecure_default
  • vsphere_auto_placement_default
  • vsphere_resource_pool_name_default
  • vsphere_template_library_name_default
  • vsphere_port_default

For example, the following table provides a [datacenter_northwest-region] example for OpenStack and a [datacenter_southwest-region] example for vSphere. You would use these same values to define the datacenter input in the corresponding deployed blueprint for that data center.

Secret Group Blueprint VIM Notes
keystone_password_[datacenter_northwest-region] All OpenStack Used for accessing the datacenter that uses an OpenStack VIM. Set to the password for the account in a specific datacenter with access to the OpenStack tenant where you will deploy blueprint resources. Before changing your VIM password, consult this troubleshooting tip.
keystone_tenant_name_[datacenter_northwest-region] All OpenStack Used for accessing the datacenter that uses an OpenStack VIM. Set to the OpenStack tenant/project name used in a specific datacenter where you will deploy blueprint resources.
keystone_url_[datacenter_northwest-region] All OpenStack Used for accessing the datacenter that uses an OpenStack VIM. Set to the v2 authentication URL of the OpenStack environment in a specific datacenter where you will deploy blueprint resources; for example, http://192.168.1.1:5000/v2.0.
keystone_username_[datacenter_northwest-region] All OpenStack Used for accessing the datacenter that uses an OpenStack VIM. Set to the user name of the account with access to the OpenStack tenant in a specific datacenter where you will deploy blueprint resources.
keystone_allow_insecure_[datacenter_northwest-region] All OpenStack Set to True to ignore self-signed certificates on the OpenStack API. Set to False, if a valid CA-signed certificate is configured for the OpenStack API.
keystone_ca_cert_[datacenter_northwest-region] All OpenStack If you used an internal CA to generate the certificates used to protect your OpenStack VIM, then add that CA certificate here. Otherwise, if you set the previous keystone_allow_insecure_default secret to true, then set this to "".
vsphere_host_[datacenter_southwest-region] All VMware The IP address of your VMware vCenter Server used for a specific datacenter where you will deploy blueprint resources.
vsphere_datacenter_name_[datacenter_southwest-region] All VMware Name of a specific VMware datacenter where you will deploy blueprint resources.
vsphere_password_[datacenter_southwest-region] All VMware The password used to log into VMware vSphere API deployed at a specific datacenter. Before changing your VIM password, consult this troubleshooting tip.
vsphere_username_[datacenter_southwest-region] All VMware The username@domain.local used to log into the VMware vSphere Web client for a specific datacenter.
vsphere_allow_insecure_[datacenter_southwest-region] All VMware Set to True to ignore self-signed certificates on the vSphere API. Set to False, if a valid CA-signed certificate is configured for the vSphere API.
vsphere_auto_placement_[datacenter_southwest-region] All VMware Enable this setting to specify whether to use vSphere’s auto-placement instead of the VNFM plugin. Set to true if you are using clusters.
vsphere_resource_pool_name_[datacenter_southwest-region] All VMware The name of the resource pool in your VMware vCenter Server.
vsphere_template_library_name_[datacenter_southwest-region] All VMware Name of the VMware datacenter.
vsphere_port_[datacenter_southwest-region] All VMware The IP address of your VMware vCenter Server.

What’s next?

Blueprint inputs definition reference guide.