Secrets Policy

Objective

This document provides instructions on how to create a secret policy in F5® Distributed Cloud Services. You encrypt your application secrets with F5® Distributed Cloud Console Blindfold, and the secret policy defines which clients are permitted to decrypt them from your vK8s application. To know more about Blindfold and secrets management, see Blindfold.

Using the instructions provided in this guide, you can create a secret policy with policy rules that define which clients of your application are permitted to decrypt the secret.


Prerequisites

The following prerequisites apply:

  • An F5® Distributed Cloud Services account.

Note: If you do not have an account, see Create an Account.

  • An application running on vK8s.

Note: If you do not have an application running on vK8s, see Deploy Application.

  • The vesctl tool. Download vesctl to your local machine; it is used to apply Blindfold to (encrypt) the secret that this policy governs.

  • A minimum of the monitor role in the Shared namespace.


Configuration

Creating a secret policy optionally includes associating a secret policy rule with it. You can create and attach a policy rule as part of secret policy creation itself, or you can attach an existing rule. This example shows creating a rule as part of the secret policy creation. The resulting secret policy allows Wingman, running as a sidecar in your application, to access the secret.

Secrets can be viewed and managed in multiple services: Cloud and Edge Sites, Distributed Apps, Load Balancers, and Shared Configuration.

This example shows Secret setup in Cloud and Edge Sites.

Step 1: Navigate to your application namespace.
  • Open F5® Distributed Cloud Console > select Cloud and Edge Sites box.

Note: The homepage is role based, and yours may look different due to your role customization. Select the All Services drop-down menu to discover all options. To customize: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check the Work Domain boxes > Save changes button.

Figure: Console Homepage

Note: Confirm that you are working in the correct namespace using the Namespace drop-down selector in the upper-left corner. This selector is not available in all services.

  • Select Manage in left-menu > select Secrets > Secret Policies.

Figure: Secrets Policy

Note: If the options are not shown, select the Show link in Advanced nav options, visible in the bottom-left corner. If needed, select Hide to minimize the Advanced nav options.

  • Select Add secret policy button.

Note: The policy creation form gets loaded.

Step 2: Configure the secret policy.

Perform the following steps:

Step 2.1: Enter the basic configuration.
  • Enter a name for your secret policy in Name box.

  • Enter Labels and Description as needed.

  • Select + Add Item in Secret Policy Rules section, to attach a secret policy rule.

  • Follow step 2.2 instructions to add Secret Policy Rule.

Figure: Create Secret Policy

  • Select the Save and Exit button once the rule (Step 2.2) and the remaining options (Step 2.3) are configured.

Step 2.2: Optionally, attach a secret policy rule.

You can select an existing rule or create a new one. This example shows creating a new rule. Select Add secret policy rule in the Secret Policy Rules section and perform the configuration as per the following guidelines:

  • Enter a name for the secret policy rule in the Name box.

  • Set action in Action drop-down menu:

    • Allow

    • Deny

  • Optionally, enter the name of the client that will request decryption of the secret (in this example, the Wingman sidecar of your application) in the Client Name box.

  • In the Group of Clients by Label Selector field, enter a label selector expression that matches the clients the rule applies to. Any label applied to the application can be used in the expression. For example, set yes.io/interfacetype=ves-ioinside as the label expression.

  • Optionally, set Client Name Matcher box as per the following guidelines:

    • Exact Values: Exact DNS names of the clients to match. Select + Add item and add the exact value. You can specify more than one entry.

    • Regex Values: Regex patterns for DNS names to match. Select + Add item and add the regular expression to match DNS names. You can specify more than one entry. Prefer Exact Values where the client names are known; an overly broad pattern extends decryption permission to every client whose name happens to match it.

  • Select Save and Exit to create the rule and attach it to the secret policy.
Step 2.3: Complete creating the secret policy.
  • In the Allow Volterra section, check the Allow Volterra box to allow F5 services to decrypt secrets governed by this policy. Check it only if an F5 service needs to decrypt the secret; for a secret decrypted solely by your own application through Wingman, leaving it unchecked follows least privilege.

  • Enter a value in the Decrypt Cache Timeout box. This controls how long a decrypted secret may be served from cache; a shorter timeout means a policy change takes effect sooner, at the cost of more decrypt requests.

  • Select Save and Exit to complete creating the secret policy.
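
The following Python model is an added illustration of how the rule fields from Step 2.2 (Action, Client Name, Client Name Matcher, label selector) and the Allow Volterra box from Step 2.3 combine into a decrypt decision. It is not F5 code and does not talk to the platform. Assumptions that the page does not state and that are labelled in the code: Kubernetes-style label selector syntax, AND semantics between the matchers of one rule, top-to-bottom first-match evaluation, and deny when no rule matches. The client names, labels (other than the page's own yes.io/interfacetype=ves-ioinside example) and the is_f5_service flag are constructed for the example.

```python
"""Local model of how a secret policy's rules decide whether a client may
decrypt a Blindfold-encrypted secret.  Added illustration, not F5 code."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Client:
    """A workload requesting decryption (for example Wingman in your pod)."""
    name: str                     # DNS-style client name the policy sees
    labels: dict                  # labels applied to the application
    is_f5_service: bool = False   # hypothetical flag: request comes from an F5 service


@dataclass
class Rule:
    """One secret policy rule, field for field as in the Step 2.2 form."""
    name: str
    action: str                                        # "Allow" or "Deny"
    client_name: Optional[str] = None                  # Client Name box
    exact_values: list = field(default_factory=list)   # Client Name Matcher > Exact Values
    regex_values: list = field(default_factory=list)   # Client Name Matcher > Regex Values
    label_selector: Optional[str] = None               # Group of Clients by Label Selector


@dataclass
class SecretPolicy:
    name: str
    rules: list
    allow_volterra: bool = False   # the Allow Volterra box from Step 2.3


# One selector term: "key=value", "key!=value", "key in (a,b)", "key notin (a,b)", "key", "!key"
_TERM = re.compile(
    r"^\s*(!?)([A-Za-z0-9_.\-/]+)\s*"
    r"(?:(==|=|!=)\s*([A-Za-z0-9_.\-]*)|\s+(in|notin)\s+\(([^)]*)\))?\s*$"
)


def selector_matches(expr: str, labels: dict) -> bool:
    """Kubernetes-style label selector (assumed syntax): every comma-separated term must hold."""
    for term in re.split(r",(?![^(]*\))", expr):   # split on commas outside "(...)"
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        negated, key, op, value, set_op, set_values = m.groups()
        if negated and (op or set_op):
            raise ValueError(f"'!' is only valid on a bare key: {term!r}")
        if op in ("=", "=="):
            ok = labels.get(key) == value
        elif op == "!=":
            ok = labels.get(key) != value          # also true when the key is absent
        elif set_op:
            members = {v.strip() for v in set_values.split(",")}
            ok = (labels.get(key) in members) == (set_op == "in")
        else:
            ok = (key in labels) != bool(negated)  # "key" -> must exist, "!key" -> must be absent
        if not ok:
            return False
    return True


def rule_matches(rule: Rule, client: Client) -> bool:
    """Every matcher configured on the rule must match the client (assumed AND semantics)."""
    if rule.client_name is not None and client.name != rule.client_name:
        return False
    if rule.exact_values or rule.regex_values:
        if client.name not in rule.exact_values and not any(
            re.fullmatch(p, client.name) for p in rule.regex_values
        ):
            return False
    if rule.label_selector is not None and not selector_matches(rule.label_selector, client.labels):
        return False
    return True


def evaluate(policy: SecretPolicy, client: Client) -> str:
    """Assumed order: Allow Volterra governs F5 services; otherwise rules are checked
    top to bottom and the first match decides; a client matching no rule is denied."""
    if client.is_f5_service:
        return "Allow" if policy.allow_volterra else "Deny"
    for rule in policy.rules:
        if rule_matches(rule, client):
            return rule.action
    return "Deny"


def demo() -> dict:
    """Constructed sample policy: a Deny rule for debug shells ahead of an Allow rule for Wingman."""
    policy = SecretPolicy(
        name="app1-secret-policy",
        allow_volterra=True,
        rules=[
            Rule("deny-debug-shells", "Deny", regex_values=[r".*-debug\..*"]),
            Rule("allow-wingman", "Allow",
                 label_selector="yes.io/interfacetype=ves-ioinside",   # label expression from the page
                 regex_values=[r"wingman\.app1\..*"]),
        ],
    )
    clients = {   # constructed clients, not real platform identities
        "wingman": Client("wingman.app1.svc", {"yes.io/interfacetype": "ves-ioinside", "app": "app1"}),
        "wingman-wrong-label": Client("wingman.app1.svc", {"app": "app1"}),
        "debug-shell": Client("wingman-debug.app1.svc", {"yes.io/interfacetype": "ves-ioinside"}),
        "f5-service": Client("ves-io-internal", {}, is_f5_service=True),
    }
    return {k: evaluate(policy, c) for k, c in clients.items()}


if __name__ == "__main__":
    for client, decision in demo().items():
        print(f"{client:22s} -> {decision}")
```

Note in the sample that the Wingman client with the right name but without the selector label is denied: a rule only matches when all of its configured matchers match, so adding the label selector narrows the rule rather than widening it. The Deny rule sits first so that it cannot be shadowed by the broader Allow rule.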
Step 3: Delete and recover a deleted secret policy.

Secret Policy Accidental Deletion Handling is a feature that marks a secret policy for deletion rather than removing it from the system immediately.

  • Select the box of the policy. The Delete selected button appears in the upper-right corner. Alternatively, select ... under Actions and choose the Delete option.

Note: A policy marked for deletion is cleared from the system automatically after 30 days.

Figure: Delete Secret Policy

  • In the Deleting 1 Secret Policy pop-up, select the Delete button to confirm.

  • Toggle the Show Deleted option in the upper-right corner to display policies pending deletion, if they are not already shown.

  • A Pending delete label appears next to a policy that is marked for deletion.

  • To recover a policy, select ... under Actions and choose Restore object.

  • An Object is Restored pop-up appears in the lower-right corner, confirming that the object has been restored.

Note: The Pending Delete label no longer shows once the object has been restored.

