Secrets reference guide¶
Secrets enable your blueprint to access these values as needed, during orchestration, without exposing the plain text values.
Manage secrets¶
In F5 VNFM, click pane.
To create new secrets, do one of the following, and then click + Create:
- Click + Create and complete the information.
- Click
to upload a secrets definition file.
Click
for each secret to edit the values and/or select/clear the Hidden check box to
hide/reveal the secret value, and then click Save.Click
to view the secret value (if you have the correct permissions).Click
in the secret row you want to delete.If you use multi-VIM architecture that deploys blueprints in multiple data centers using different VIMs (OpenStack and VMware), then you must group specific secrets defined in your inputs file.
Important
To avoid deployment issues, verify that you enter these secrets correctly (for example, remove any extra spaces in the keystone secrets).
Secret definitions¶
The following table provides definitions for managing system secrets required for the BIG-IP solution blueprints (for example, Gi LAN and Gi Firewall):
BIG-IP secrets¶
The following table provides definitions for managing system secrets required for the BIG-IP solution blueprints (for example, Gi LAN and Gi Firewall):
| BIG-IP | Blueprint | Notes |
|---|---|---|
| agent_key_private | All | The private, PEM-encoded, SSH key for connecting to BIG-IP instances. Browse to the local copy of the private key using the Get secret value from file option. |
| bigip_admin_password | All | Set to the desired password for the default BIG-IP admin account. Default value is admin. |
| bigip_root_password | All | Set to the desired password for the default BIG-IP root account. Default value is default. |
| bigip_root_user | All | Root user name of the BIG-IP. You must add this bigip_root_user secret to your manager. |
| bigip_username | All | Default value is admin. |
BIG-IQ secrets¶
The following table provides definitions for managing system secrets required for the BIG-IQ solution blueprint:
| BIG-IQ | Blueprint | Notes |
|---|---|---|
| bigiq_root_username | BIG-IQ | Set to the root user name of the BIG-IQ. You must add this bigiq_root_username secret to your manager. This secret is used for deploying the F5-VNF-BIG-IQ blueprint that auto-configures the BIG-IQ license manager. (removed per ESEVNFMNGR-1866) |
| bigiq_root_password | BIG-IQ | Enter the same password already set for the default BIG-IQ root account. Default value is default. This secret is used for deploying the F5-VNF-BIG-IQ blueprint that auto-configures the BIG-IQ license manager. BIG-IQ REQUIRES a policy-compliant password. See knowledge article K49507549 for complete details. Do NOT use this secret to change the root password on the BIG-IQ. |
VNF Manager secrets¶
| VNF Manager | Blueprint | Notes |
|---|---|---|
| manager_rest_host | All | Set to the internal IP address of hostname of the VNF Manager. Recommended setting, 127.0.0.1. |
| manager_rest_password | All | Set to the password for the VNF Manager. Default value is admin. |
| manager_rest_username | All | Set to the user name of the VNF Manager. Default value is admin. |
| manager_rest_tenant | All | The VNFM tenant/project name. Default value is default_tenant. |
Auto-generated secrets¶
| Auto-generated | Blueprint | Notes |
|---|---|---|
| internal_ca_cert | All | An auto-generated, unique, CA certificate created by F5 VNF Manager, when you first launch your VNFM. |
Keystone secrets¶
The following tables provide definitions for managing system secrets required by the hypervisor:
| Keystone | Blueprint | Notes |
|---|---|---|
| keystone_allow_insecure_default | All | Set to True to ignore self-signed certificates on the OpenStack API. Set to False, if a valid CA-signed certificate is configured for the OpenStack API. |
| keystone_ca_cert_default | All | If you used an internal CA to generate the certificates used to protect your OpenStack VIM, then add that CA certificate here. Otherwise, if you set the previous keystone_allow_insecure_default
secret to true, then set this to "". |
| keystone_password_default | All | Used for OpenStack VIM. Set to the password for the account with access to the OpenStack tenant where you will deploy blueprint resources. Before changing your VIM password, consult this troubleshooting tip. |
| keystone_tenant_name_default | All | Used for OpenStack VIM. Set to the OpenStack tenant/project name where you will deploy blueprint resources. |
| keystone_url_default | All | Used for OpenStack VIM. Set to the v2 authentication URL of the OpenStack environment where you will deploy blueprint resources; for example, Tip Avoid adding any extra spaces at the beginning and at the end of this value. In OpenStack, find this URL in the row. |
| keystone_username_default | All | Used for OpenStack VIM. Set to the user name of the account with access to the OpenStack tenant where you will deploy blueprint resources. |
Important
If you are allowing VNFM to create keystone resources on OpenStack, then you must configure the keystone account with the required OpenStack permissions.
| Region | Blueprint | Notes |
|---|---|---|
| region_default | All | Set to the OpenStack region where you will deploy blueprint resources. Default value is nova. |
vSphere secrets¶
| VMware vSphere | Blueprint | Notes |
|---|---|---|
| vsphere_agent_key_public | All | Used for vSphere VIM. The public key for the private one specified in agent_key_private secret. |
| vsphere_allow_insecure_default | All | Set to True to ignore self-signed certificates on the vSphere API. Set to False, if a valid CA-signed certificate is configured for the vSphere API. |
| vsphere_auto_placement_default | All | Enable this setting to specify whether to use vSphere’s auto-placement instead of the VNFM plugin. Set to true if you are using clusters. |
| vsphere_resource_pool_name_default | All | The name of the resource pool in your VMware vCenter Server. |
| vsphere_username_default | All | The username@domain.local used to log into the VMware vSphere Web client. |
| vsphere_template_library_name_default | All | Name of the content library where templates are stored in your VMware vCenter Server. |
| vsphere_port_default | All | Port number you assigned the VMware vCenter Server (default value 443) |
| vsphere_password_default | All | The password used to log into the VMware vSphere API. Before changing your VIM password, consult this troubleshooting tip. |
| vsphere_datacenter_name_default | All | Name of the VMware datacenter. |
| vsphere_host_default | All | The IP address of your VMware vCenter Server. |
Nagios secrets¶
The following table provides definitions for managing system secrets required for the Nagios server:
| Nagiorest | Blueprint | Notes |
|---|---|---|
| nagiosrest_pass | All | Set to the desired password for the Nagios monitoring instance. Default value is testpass. |
| nagiosrest_user | All | Set to the desired user name for the Nagios monitoring instance. Default value is testuser. |
External database secrets¶
Define the following secrets ONLY when you want to read/write to an external database from a deployed VNFM Gi-LAN blueprint.
| External Database | Blueprint | Notes |
|---|---|---|
| external_db_blueprint_id | Gi-LAN | Blueprint ID identifying the external database blueprint. Define this secret only if you want to deploy the external database, enabling the blueprint with global scope. |
| external_db_deployment_id | Gi-LAN | Deployment ID identifying the external database deployment. Define this secret only if you want to deploy the external database, enabling the blueprint with global scope. |
| manager_rest_trust_all | Gi-LAN | Trust policy used to communicate with the VNF manager. Same as in Cloudify REST client configuration. Default value is set to true. |
| manager_rest_protocol | Gi-LAN | Protocol used to communicate with the VNF manager. Valid values include, http or https. Same as in Cloudify REST client configuration. Default value is set to https. |
| manager_rest_port | Gi-LAN | Port used to communicate with the VNF manager. Same as in Cloudify REST client configuration. Default value is set to 443. |
Grouped secrets for multi-VIM implementation¶
In order to implement VNFM for multi-VIM configurations, you require the following connectivity:
- VNFM must connect to the VIM’s API
- VNFM must connect to the management networks defined for each VIM.
- VE must connect to the BIG-IQ
To prepare secrets for multi-VIM
Create the following additional sets of keystone/vSphere secrets for every new blueprint solution deployed for each data center.
Replace the _default in the secret name with the value defined for the
datacenterinput in each blueprint solution.Doing so enables you to use a single F5 VNF Manager for orchestrating the access of multiple VIMs (OpenStack and/or vSphere) used to deploy blueprints in multiple data centers.
The multi-VIM secrets for OpenStack include:
- keystone_password_default
- keystone_tenant_name_default
- keystone_url_default
- keystone_username_default
- keystone_allow_insecure_default
- keystone_ca_cert_default
The multi-VIM secrets for vSphere include:
- vsphere_host_default
- vsphere_datacenter_name_default
- vsphere_password_default
- vsphere_username_default
- vsphere_allow_insecure_default
- vsphere_auto_placement_default
- vsphere_resource_pool_name_default
- vsphere_template_library_name_default
- vsphere_port_default
For example, the following table provides a [datacenter_northwest-region] example for OpenStack and a [datacenter_southwest-region] example for vSphere.
You would use these same values to define the datacenter input in the corresponding deployed blueprint for that data center.
| Secret Group | Blueprint | VIM | Notes |
|---|---|---|---|
| keystone_password_[datacenter_northwest-region] | All | OpenStack | Used for accessing the datacenter that uses an OpenStack VIM. Set to the password for the account in a specific datacenter with access to the OpenStack tenant where you will deploy blueprint resources. Before changing your VIM password, consult this troubleshooting tip. |
| keystone_tenant_name_[datacenter_northwest-region] | All | OpenStack | Used for accessing the datacenter that uses an OpenStack VIM. Set to the OpenStack tenant/project name used in a specific datacenter where you will deploy blueprint resources. |
| keystone_url_[datacenter_northwest-region] | All | OpenStack | Used for accessing the datacenter that uses an OpenStack VIM. Set to the v2 authentication URL of the OpenStack environment in a specific datacenter where you will deploy blueprint
resources; for example, http://192.168.1.1:5000/v2.0. |
| keystone_username_[datacenter_northwest-region] | All | OpenStack | Used for accessing the datacenter that uses an OpenStack VIM. Set to the user name of the account with access to the OpenStack tenant in a specific datacenter where you will deploy blueprint resources. |
| keystone_allow_insecure_[datacenter_northwest-region] | All | OpenStack | Set to True to ignore self-signed certificates on the OpenStack API. Set to False, if a valid CA-signed certificate is configured for the OpenStack API. |
| keystone_ca_cert_[datacenter_northwest-region] | All | OpenStack | If you used an internal CA to generate the certificates used to protect your OpenStack VIM, then add that CA certificate here. Otherwise, if you set the previous keystone_allow_insecure_default
secret to true, then set this to "". |
| vsphere_host_[datacenter_southwest-region] | All | VMware | The IP address of your VMware vCenter Server used for a specific datacenter where you will deploy blueprint resources. |
| vsphere_datacenter_name_[datacenter_southwest-region] | All | VMware | Name of a specific VMware datacenter where you will deploy blueprint resources. |
| vsphere_password_[datacenter_southwest-region] | All | VMware | The password used to log into VMware vSphere API deployed at a specific datacenter. Before changing your VIM password, consult this troubleshooting tip. |
| vsphere_username_[datacenter_southwest-region] | All | VMware | The username@domain.local used to log into the VMware vSphere Web client for a specific datacenter. |
| vsphere_allow_insecure_[datacenter_southwest-region] | All | VMware | Set to True to ignore self-signed certificates on the vSphere API. Set to False, if a valid CA-signed certificate is configured for the vSphere API. |
| vsphere_auto_placement_[datacenter_southwest-region] | All | VMware | Enable this setting to specify whether to use vSphere’s auto-placement instead of the VNFM plugin. Set to true if you are using clusters. |
| vsphere_resource_pool_name_[datacenter_southwest-region] | All | VMware | The name of the resource pool in your VMware vCenter Server. |
| vsphere_template_library_name_[datacenter_southwest-region] | All | VMware | Name of the VMware datacenter. |
| vsphere_port_[datacenter_southwest-region] | All | VMware | The IP address of your VMware vCenter Server. |
What’s next?