Secrets in the SDF
As of SIMPL VM 6.8.0, a major change was made to the way secrets are handled. Secrets are now stored in a secure database on the SIMPL VM known as QSG (Quicksilver Secrets Gateway), to avoid them having to be written in plaintext in the SDF.
Each secret has a secret ID, which is just a human-readable name. It can be any combination of lowercase letters a-z, digits 0-9, and hyphens -. Each secret must have a unique secret ID.
While in earlier SIMPL VM versions the SDF would contain the plaintext value of the secret, the SDF now contains the secret ID in that field (and the field name is slightly modified, with an -id suffix). See below for a list of secret fields in the SDF.
Secrets come in three types:
- freeform (a simple string; used for passwords, encryption keys, and the like)
- key (an SSH private key)
- certificate (a three-part secret, consisting of a certificate, the private key corresponding to that certificate, and the issuing CA's certificate).
To handle secrets, perform the following steps before uploading configuration to CDS and/or deploying the VMs:
- Create an SDF with secret IDs in the appropriate fields.
- Upload any keys and certificates to a directory on the SIMPL VM.
- Use the csar secrets create-input-file command to generate an input file for QSG.
- Edit the input file, filling in freeform secret values and specifying the full path to the key and certificate files.
- Run csar secrets add to add the secrets to QSG.
Adding secrets to QSG
To add secrets to QSG, first create a YAML file describing the secrets and their plaintext values. Next, pass the input file to the csar secrets add command. See the SIMPL VM documentation for instructions on how to create a template file, fill it in, and use csar secrets add.
Because the input file holds the plaintext values of every secret, keep it readable only by the account that runs csar secrets add, and delete it (or at least the plaintext values in it) once the secrets have been added to QSG.
When deploying a VM, SIMPL VM reads the values from QSG and passes them as bootstrap parameters.
Likewise, when you run rvtconfig upload-config, rvtconfig will read secrets from QSG before encrypting them and storing them in CDS.
If you need to update the value of a secret (for example, if the password to the VM host is changed), edit your input file and run csar secrets add again. Any secrets already existing in QSG will be overwritten with their new values from the file.
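Before running csar secrets add and rvtconfig upload-config, it is worth checking that every secret ID referenced in the SDF is well-formed and has a matching, filled-in entry in the QSG input file. The following pre-flight check is an added example and is not part of SIMPL VM, rvtconfig or csar. It assumes two things that the page does not specify: that the SDF references secrets through fields whose names end in -id (true of every field listed in this page), and a hypothetical input-file layout with a secrets list whose entries carry secret-id, type, and either value (freeform) or file-path fields (key, certificate). Both documents are shown as already-parsed dicts; in practice you would load them with yaml.safe_load. The sample SDF and input file are constructed for the example.

```python
"""Pre-flight check: secret IDs in an SDF vs. a QSG input file (added example)."""
import os
import re
from typing import Any, Callable, Dict, Iterator, List, Tuple

# A secret ID is lowercase letters, digits and hyphens only.
SECRET_ID_RE = re.compile(r"^[a-z0-9-]+$")

# Assumed input-file fields per secret type (hypothetical layout, not the real QSG format).
FILE_FIELDS = {
    "key": ("private-key-file",),
    "certificate": ("certificate-file", "private-key-file", "ca-certificate-file"),
}


def iter_secret_refs(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[str, str]]:
    """Walk the parsed SDF and yield (location, secret_id) for every '-id' field (assumed convention)."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = path + (str(key),)
            if str(key).endswith("-id") and isinstance(value, str):
                yield "/".join(here), value
            else:
                yield from iter_secret_refs(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_secret_refs(item, path + (str(i),))


def index_input_file(qsg_input: Dict[str, Any], problems: List[str]) -> Dict[str, Dict[str, Any]]:
    """Map secret ID -> entry, reporting IDs that appear twice in the input file."""
    entries: Dict[str, Dict[str, Any]] = {}
    for entry in qsg_input.get("secrets", []):
        sid = entry.get("secret-id")
        if sid in entries:
            problems.append(f"input file: duplicate secret ID {sid!r}")
        entries[sid] = entry
    return entries


def check_secrets(sdf: Dict[str, Any], qsg_input: Dict[str, Any],
                  exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return a list of problems; an empty list means the SDF and input file agree."""
    problems: List[str] = []
    entries = index_input_file(qsg_input, problems)
    for where, sid in iter_secret_refs(sdf):
        if not SECRET_ID_RE.match(sid):
            # Uppercase, spaces or punctuation usually mean a plaintext value was pasted into the SDF.
            problems.append(f"{where}: {sid!r} is not a valid secret ID (only a-z, 0-9 and - allowed)")
            continue
        entry = entries.get(sid)
        if entry is None:
            problems.append(f"{where}: secret ID {sid!r} has no entry in the QSG input file")
            continue
        stype = entry.get("type")
        if stype == "freeform":
            if not entry.get("value"):
                problems.append(f"{sid}: freeform secret has no value filled in")
        elif stype in FILE_FIELDS:
            for field in FILE_FIELDS[stype]:
                fpath = entry.get(field)
                if not fpath or not os.path.isabs(fpath):
                    problems.append(f"{sid}: {field} must be a full path on the SIMPL VM")
                elif not exists(fpath):
                    problems.append(f"{sid}: {field} {fpath!r} does not exist")
        else:
            problems.append(f"{sid}: unknown secret type {stype!r}")
    return problems


# Constructed sample SDF fragment using the field names from this page (not a real deployment).
SAMPLE_SDF = {
    "sites": [{
        "mdm-certificate-id": "mdm-cert",
        "vnfcs": [{
            "name": "tsn",
            "product-options": {
                "cassandra-password-id": "cassandra-pw",
                "cassandra-encryption-signing-certificate-id": "cass-signing-cert",
                "cassandra-encryption-signing-key-password-id": "cass-signing-key-pw",
            },
        }],
    }],
}

# Constructed sample input file in the assumed layout; values are placeholders.
SAMPLE_INPUT = {
    "secrets": [
        {"secret-id": "mdm-cert", "type": "certificate",
         "certificate-file": "/home/admin/certs/mdm.crt",
         "private-key-file": "/home/admin/certs/mdm.key",
         "ca-certificate-file": "/home/admin/certs/ca.crt"},
        {"secret-id": "cassandra-pw", "type": "freeform", "value": "example-cassandra-password"},
        {"secret-id": "cass-signing-cert", "type": "certificate",
         "certificate-file": "/home/admin/certs/cass.crt",
         "private-key-file": "/home/admin/certs/cass.key",
         "ca-certificate-file": "/home/admin/certs/ca.crt"},
        {"secret-id": "cass-signing-key-pw", "type": "freeform", "value": "example-signing-key-password"},
    ]
}

if __name__ == "__main__":
    for problem in check_secrets(SAMPLE_SDF, SAMPLE_INPUT) or ["no problems found"]:
        print(problem)
```

Run against the real files on the SIMPL VM, the file-existence check uses os.path.exists, so the paths in the input file must be the full paths of the uploaded key and certificate files. The regex check is the most useful part in practice: a value that fails it is almost always a plaintext password or key left in the SDF from a pre-6.8.0 template.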
Note carefully the following:
List of secrets in the SDF
- In a site's vim-options, any password fields for connecting to the VNFI (VM host) are freeform-type secrets. See the example SDFs.
- The MDM credentials for each site are configured under a certificate-type field named mdm-certificate-id. See MDM service group for more information.
- In the product-options for each Rhino VM Automation VNFC, the fields secrets-private-key-id, primary-user-password-id, and cassandra-password-id are freeform-type secrets.
- For each instance, the SSH key used by SIMPL VM to access the VM for validation tests is a key-type secret. See SSH options for more information.
- In the product-options for each Rhino VM Automation VNFC, the field cassandra-encryption-signing-certificate-id is a certificate-type secret.
- In the product-options for the TSN VNFC, the field cassandra-encryption-signing-key-password-id is a freeform-type secret.