This document provides instructions on how to create a secret policy in F5® Distributed Cloud Services. The secret policy is used to encrypt your application secrets using the F5® Distributed Cloud Console Blindfold and to decrypt it from your vK8s application. To know more about Blindfold and secrets management, see Blindfold.
Using the instructions provided in this guide, you can create a secret policy with policy rules to define permissions for your application to decrypt the secret.
The following prerequisites apply:
- An F5 Distributed Cloud Console Account is required.
Note: If you do not have an account, see Create an Account.
- An application running on vK8s.
Note: If you do not have an application running on vK8s, see Deploy Application.
- The vesctl tool.
Note: Download vesctl on your local machine as it is used to apply Blindfold to the TLS certificate.
- A minimum of monitor role in the Shared namespace is required.
Creating a secret policy optionally includes associating a secret policy rule with it. You can create and attach a policy rule as part of secret policy creation itself, or you can attach an existing rule. This example shows creating a rule as part of the secret policy creation. The secret policy allows Wingman, running as a sidecar in your application, to access the secret.
Secrets can be viewed and managed in multiple services: Cloud and Edge Sites, Load Balancers, and
This example shows Secret setup in Cloud and Edge Sites.
Step 1: Open F5 Distributed Cloud Console, open secret policy.
F5® Distributed Cloud Console > select Cloud and Edge Sites box.
Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Edit work domain & skills button > Advanced box > check Work Domain boxes >
Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.
Manage in left-menu > select
Note: If options are not showing available, select Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.
Add secret policy button.
Note: The policy creation form gets loaded.
Step 2: Setup secret policy.
Perform the following steps:
Step 2.1: Name and setup secret policy.
Name for your secret policy.
+ Add Item in Secret Policy Rules section, to attach a secret policy rule.
Follow step 2.2 instructions to add Secret Policy Rule.
Save and Exit button.
Step 2.2: Optionally, attach a secret policy rule.
You can select a created rule or create a new rule. This example shows creating a new policy. Select Add secret policy rule in the Secret Policy Rules section. Perform the configuration as per the following guidelines:
Enter a name for the service policy rule in
Set action in
Optionally, enter name of the client accessing the server in the
Set a label for the Group of Clients by Label Selector box using the label selector expression for the client. Any label applied to the application can be used to write the expression.
Note: Example set ves.io/interfacetype=ves-ioinside as the label expression.
Client Name Matcher box as per the following guidelines:
Exact Values: Exact DNS names of the clients to match. Select + Add item and add the exact value. You can specify more than one entry.
Regex Values: Regex patterns for DNS names to match. Select + Add item and add the regular expression to match DNS names. You can specify more than one entry.
Save and Exit button to create the rule and attach it to the secret policy.
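A pre-flight check for Regex Values entries, added here as an example and not part of the F5 documentation or product: it tests candidate patterns against client DNS names that should and should not match before they are entered in the Client Name Matcher. The function name, sample names and patterns are constructed, and Python's re module stands in for the platform's regex engine, whose dialect and anchoring behaviour this page does not state.

```python
import re


def audit_patterns(patterns, intended, unintended):
    """Return (pattern, name, problem) tuples for client-name regexes.

    Over-matching is checked under both full-match and substring-search
    semantics (assumption: the platform's choice is unknown, so a
    pattern is accepted only if it is safe under either).
    """
    findings = []
    for pat in patterns:
        rx = re.compile(pat)
        for name in intended:
            if not rx.fullmatch(name):
                findings.append((pat, name, "intended name not matched"))
        for name in unintended:
            if rx.fullmatch(name):
                findings.append((pat, name, "over-match (full match)"))
            elif rx.search(name):
                findings.append((pat, name, "over-match if unanchored"))
    return findings


# Constructed sample names, not taken from any real deployment.
INTENDED = ["checkout.payments.example.internal"]
UNINTENDED = [
    "checkout.payments.example.internal.untrusted.example",  # extra suffix
    "checkoutXpayments.example.internal",  # '.' in a regex matches any char
    "billing.payments.example.internal",   # different workload
]

# Hypothetical candidate entries for the Regex Values field.
LOOSE = [r"checkout.payments.example.internal"]        # unescaped, unanchored
STRICT = [r"^checkout\.payments\.example\.internal$"]  # escaped and anchored

if __name__ == "__main__":
    for label, pats in (("loose", LOOSE), ("strict", STRICT)):
        results = audit_patterns(pats, INTENDED, UNINTENDED)
        print(label, "->", results if results else "no findings")
```

When one specific client is meant, an Exact Values entry avoids the question of regex anchoring altogether.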
Step 2.3: Complete creating the secret policy.
Allow Volterra box to allow F5 services to decrypt this policy in the
Decrypt Cache Timeout in box.
Save and Exit button to complete creating the secret policy.
Step 3: Delete and recover deleted secret policy.
Secret Policy Accidental Deletion Handling is a feature that allows you to mark a secret policy for deletion, rather than deleting it from the system.
Select box of policy.
Delete selected box will appear in upper-right corner.
Note: Policy is cleared from the system after 30 days, automatically.
Deleting 1 Secret Policy pop-up, select
Show Deleted option in upper-right corner to show policies pending deletion if not already showing.
Pending delete will appear next to policy showing that it is marked to be deleted.
Actions to Restore object from menu.
Object is Restored pop-up will appear in lower-right corner confirming object has been restored from being deleted.
Pending Delete label will no longer show once object has been restored and reversed from being deleted.