As of SIMPL VM 6.8.0, a major change was made to the way secrets are handled. Secrets are now stored in a secure database on the SIMPL VM known as QSG (Quicksilver Secrets Gateway), to avoid them having to be written in plaintext in the SDF.
Each secret has a secret ID, which is just a human-readable name. It can be any combination of lowercase letters, 0-9, and hyphens. Each secret must have a unique secret ID.
While in earlier SIMPL VM versions the SDF would contain the plaintext value of the secret, the SDF now contains the secret ID in that field (and the field name is slightly modified). See below for a list of secret fields in the SDF.
Secrets come in three types:
- freeform (a simple string; used for passwords, encryption keys, and the like)
- key (an SSH private key)
- certificate (a three-part secret, consisting of a certificate, the key used to sign it, and the issuing CA's certificate).
To handle secrets, perform the following steps before uploading configuration to CDS and/or deploying the VMs:
1. Create an SDF with secret IDs in the appropriate fields.
2. Upload any keys and certificates to a directory on the SIMPL VM.
3. Run the csar secrets create-input-file command to generate an input file for QSG.
4. Edit the input file, filling in freeform secret values and specifying the full path to the key and certificate files.
5. Run csar secrets add to add the secrets to QSG.
To add secrets to QSG, first create a YAML file describing the secrets and their plaintext values. Next, pass the input file to the csar secrets add command. See the SIMPL VM documentation for instructions on how to create a template file, fill it in, and use csar secrets add.
When deploying a VM, SIMPL VM reads the values from QSG and passes them as bootstrap parameters. Likewise, when you run rvtconfig, it reads the secrets from QSG before encrypting them and storing them in CDS.
If you need to update the value of a secret (for example, if the password to the VM host is changed), edit your input file and run csar secrets add again. Any secrets already existing in QSG will be overwritten with their new values from the file.
Note carefully the following:
- In a site's vim-options, any password fields for connecting to the VNFI (VM host) are freeform-type secrets. See the example SDFs.
- The MDM credentials for each site are configured under a certificate-type field named mdm-certificate-id. See MDM service group for more information.
- In the product-options for each Rhino VoLTE TAS VNFC, the fields including cassandra-password-id are freeform-type secrets.
- For each instance, the SSH key used by SIMPL VM to access the VM for validation tests is a key-type secret. See SSH options for more information.
- In the product-options for each Rhino VoLTE TAS VNFC, the field cassandra-encryption-signing-certificate-id is a certificate-type secret.
- In the product-options for the TSN VNFC, the field cassandra-encryption-signing-key-password-id is a freeform-type secret.
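A pre-flight check of the rules above (the secret-ID character rule, uniqueness, the parts each secret type consists of, and the type each SDF field expects), written as an added Python example that is not SIMPL VM, csar or rvtconfig code. Because the SDF and QSG input-file layouts are not reproduced on this page, it assumes a hypothetical flattened form of both: a mapping of SDF field name to secret ID, and a list of input-file entries with "id", "type" and hypothetical part keys ("value", "private-key", "certificate", "ca-certificate"); the field names and types come from the notes above.

```python
import re
# Secret ID rule from the page: any combination of lowercase letters, 0-9 and hyphens.
SECRET_ID_RE = re.compile(r"^[a-z0-9-]+$")
# Secret type each SDF field expects; the field names and types are the page's.
FIELD_TYPES = {
    "mdm-certificate-id": "certificate",
    "cassandra-password-id": "freeform",
    "cassandra-encryption-signing-certificate-id": "certificate",
    "cassandra-encryption-signing-key-password-id": "freeform",
}
# Parts each secret type must carry in the input file (hypothetical key names).
REQUIRED_PARTS = {
    "freeform": {"value"},
    "key": {"private-key"},
    "certificate": {"certificate", "private-key", "ca-certificate"},
}

def check_secrets(sdf_fields, secrets):
    """sdf_fields maps SDF field -> secret ID; secrets lists input-file entries. Returns problems."""
    problems, seen = [], {}
    for spec in secrets:
        sid, stype = spec.get("id", ""), spec.get("type")
        if not SECRET_ID_RE.match(sid):
            problems.append(f"invalid secret ID {sid!r}")
        if sid in seen:
            problems.append(f"duplicate secret ID {sid!r}")
        seen[sid] = spec
        if stype not in REQUIRED_PARTS:
            problems.append(f"{sid}: unknown type {stype!r}")
        elif REQUIRED_PARTS[stype] - set(spec):
            problems.append(f"{sid}: missing {sorted(REQUIRED_PARTS[stype] - set(spec))}")
    for field, sid in sdf_fields.items():
        expected = FIELD_TYPES.get(field)  # None for fields that are not secret IDs
        if expected and sid not in seen:
            problems.append(f"{field}: secret {sid!r} not in input file")
        elif expected and seen[sid].get("type") != expected:
            problems.append(f"{field}: expected {expected}, got {seen[sid].get('type')}")
    return problems

# Constructed sample input (not from a real deployment) with two deliberate mistakes.
SAMPLE_SDF_FIELDS = {"mdm-certificate-id": "mdm-cert", "cassandra-password-id": "cassandra-pw",
                     "cassandra-encryption-signing-certificate-id": "cassandra-signing-cert",
                     "cassandra-encryption-signing-key-password-id": "Cassandra_Key_PW"}  # invalid ID
SAMPLE_SECRETS = [
    {"id": "mdm-cert", "type": "certificate", "certificate": "/home/admin/mdm.crt",
     "private-key": "/home/admin/mdm.key", "ca-certificate": "/home/admin/ca.crt"},
    {"id": "cassandra-pw", "type": "freeform", "value": "example-only"},
    {"id": "cassandra-signing-cert", "type": "freeform", "value": "wrong-type"},  # should be certificate
    {"id": "Cassandra_Key_PW", "type": "freeform", "value": "example-only"},
]
```

Running check_secrets(SAMPLE_SDF_FIELDS, SAMPLE_SECRETS) reports the malformed ID and the type mismatch, which is the sort of error that would otherwise only surface when csar secrets add or the deployment itself fails.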