Credentials

Objective

This guide provides instructions on how to generate various credentials related to F5® Distributed Cloud Services from the platform.

F5® Distributed Cloud Console provides two types of credentials:

  • My Credentials: Generated and used for authentication and authorization when accessing F5® Distributed Cloud Services APIs or deploying apps using F5® Distributed Cloud Services vK8s.

  • Service Credentials: Generated by administrators to create custom service roles that are associated with service users.

Note: My Credentials inherit the roles of the user. For service credentials, you can assign specific roles to the service user.

Using the instructions provided in this guide, you can create various types of credentials and download them for use in API requests.


Prerequisites

The following prerequisites apply:

  • A single-node or multi-node F5® Distributed Cloud Services site in case of application deployment.

My Credentials

My Credentials options can be generated and downloaded from the Console:

  • API Tokens: The tokens are used in site deployment, and also for the authorization in the API requests.

  • API Certificates: These certificates are used in API requests.

Note: All certificates follow the X.509 standard.

  • vK8s KubeConfig: These are the vK8s KubeConfigs for deploying your applications using F5® Distributed Cloud Services vK8s.

Note: You can authenticate with either an API certificate or an API token. API certificates are recommended because they offer more robust security through Mutual TLS (mTLS) authentication. API tokens are used with one-way TLS authentication.

Generate API Certificate

Features can be viewed and managed in multiple services.

This example shows Credentials setup in Administration.

Step 1: Open F5® Distributed Cloud Console > select Create Credentials.
  • Open F5® Distributed Cloud Console homepage, select Administration box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Figure: Homepage

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

  • Select Personal Management in left column menu > select Credentials.

  • Select + Add Credentials button.

Note: If options are not shown, select the Show link in Advanced nav options in the bottom-left corner. If needed, select Hide to minimize the options in Advanced nav options mode.

Figure: Create Credentials
Step 2: Set up Credential.
  • Enter Name for your certificate.

  • Select API Certificate in Credential type.

  • Enter Password > Confirm Password.

  • Select Expiry date in calendar drop-down.

Figure: Add Credentials
Step 3: Generate and download certificate.
  • Select Download to generate certificate in .p12 file format.
Figure: Create API Certificate

Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.

  • Once created, the credential appears on the Credentials page.

Note: Reference date confirms correct Credential.

After generating the certificate, you can use it in API requests.

Sample API request to delete a namespace:

          
curl -k -X POST --cert-type P12 --cert ~/Downloads/<api-creds>.p12:<password> https://<tenant>.console.ves.volterra.io/api/web/namespaces/<namespace>/cascade_delete -v


        

Note: It is recommended to specify the full path to the certificate.


Generate Kubeconfig

Step 1: Open F5® Distributed Cloud Console > select Create Credentials.
  • Open F5® Distributed Cloud Console homepage, select Administration box.
Figure: Homepage
  • Select Personal Management in left column menu > select Credentials > + Add Credentials.
Figure: Create Credentials
Step 2: Set up Credential type.
  • Enter Name for your certificate.

  • Select vK8s KubeConfig in Credential type drop-down menu.

  • Select Site in drop-down menu.

  • Select Namespace option in drop-down menu.

  • Select vK8s cluster name option in drop-down menu.

  • Select Expiry date from calendar drop-down.

Figure: Create vK8s KubeConfig
Step 3: Generate and download vK8s KubeConfig Certificate.
  • Select Download button to generate and download vK8s KubeConfig certificate file.
Figure: Generate and download vK8s KubeConfig Certificate

Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.

  • Use in deployments after generating.

The following is a sample kubectl request to view the configuration:

          
kubectl config --kubeconfig=<kubeconfig-file> view

        

Generate API Tokens

Step 1: Create Credentials in F5® Distributed Cloud Console.
  • Open F5® Distributed Cloud Console homepage, select Administration box.
Figure: Homepage
  • Select Personal Management in left column menu > select Credentials > + Add Credentials.
Figure: Create Credentials
Step 2: Set up Credential type.
  • Enter Name.

  • Select API Token in Credential type drop-down menu.

  • Select Expiry date from calendar drop-down.

Step 3: Create API Token.
  • Select Generate button.
Figure: Add Credentials

Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.

Step 4: Obtain API Token.
  • Select Copy button to copy API token.

  • Select Done button to exit pop-up window.

Figure: Add Credentials

After generating the token, you can use it in API requests with the authorization header.

The following is a sample API request:

          curl -k -X GET https://<tenant>.console.ves.volterra.io/api/web/namespaces -H 'Authorization: APIToken <token value>'

        

Note: All API access with the token will have the same RBAC assigned to the user who created the token.
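
The sample requests for API certificates and API tokens on this page pass the .p12 password and the token as command-line arguments and use -k, which turns off server certificate verification. The added example below, which is not F5 code, builds the same two kinds of request as a curl config read from standard input, with each secret taken from an owner-only file; the function names and the one-secret-per-file layout are assumptions.

```shell
#!/bin/sh
# Added example, not F5 code. Emits a curl config for `curl --config -` so the
# API token or .p12 password never appears in the process list, and omits -k
# so the server certificate is verified. Function names and the idea of
# keeping each secret in its own file are assumptions of this example.

# Succeeds only for a regular file with no group/other permission bits.
secret_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print the one-line secret in $1; reject values that would break the quoted
# curl config syntax.
read_secret() {
    secret_file_is_private "$1" || {
        echo "refusing $1: missing or group/world accessible" >&2; return 1; }
    s=$(tr -d '\r\n' < "$1")
    case $s in
        ''|*'"'*|*'\'*) echo "refusing $1: empty or has quote/backslash" >&2
                        return 1 ;;
    esac
    printf '%s' "$s"
}

# usage: xc_curl_config <tenant> <api-path> token <token-file>
#        xc_curl_config <tenant> <api-path> cert  <p12-file> <password-file>
xc_curl_config() {
    tenant=$1 path=$2 mode=$3
    case $tenant in
        ''|*[!A-Za-z0-9-]*) echo "bad tenant name" >&2; return 1 ;;
    esac
    case $mode in
        token) secret=$(read_secret "$4") || return 1
               auth="header = \"Authorization: APIToken $secret\"" ;;
        cert)  case $4 in *:*|*'"'*|*'\'*) echo "bad .p12 path" >&2; return 1 ;; esac
               [ -f "$4" ] || { echo "no such file: $4" >&2; return 1; }
               secret=$(read_secret "$5") || return 1
               auth=$(printf 'cert-type = "P12"\ncert = "%s:%s"' "$4" "$secret") ;;
        *)     echo "mode must be token or cert" >&2; return 1 ;;
    esac
    printf 'url = "https://%s.console.ves.volterra.io%s"\n%s\n' \
        "$tenant" "$path" "$auth"
}
```

Pipe the output to curl, for example: xc_curl_config <tenant> /api/web/namespaces token <token-file> | curl --config -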


Revoke API Credentials

You can force an API credential object to expire before its configured expiry time or the default expiry time.

Revoke API credentials instructions:

Step 1: Open Credentials in F5® Distributed Cloud Console.
  • Open F5® Distributed Cloud Console homepage, select Administration box.
Figure: Homepage
  • Select Personal Management in left column menu > select Credentials.
Figure: Credentials
Step 2: Perform revoke operation for an existing credential object.
  • API Token: Select ... in Actions column, select Force Expiry to revoke API Token.

  • API Certificate: Select ... in Actions column, select Delete to revoke API Certificate.

Note: All certificates follow the X.509 standard.

  • vK8s KubeConfig Credential: Select ... in Actions column, select Delete to revoke vK8s KubeConfig Credential.
Figure: API Token Force Expiry Option
Step 3: Complete revoke operation.
  • In case of API Token, select Force Expiry in the confirmation window to cause API credential object expiry.
Figure: API Token Force Expiry Confirmation

Note: You can renew or delete an expired credential. Select ... > Renew against expired credential from the list of credentials to renew it. Set an expiry date, and select Renew Credential in the confirmation box. Select ... > Delete against expired credential from the list of credentials to delete it. Select Delete in the confirmation box.

  • In case of API certificates or vK8s KubeConfigs, select Delete in the confirmation window. This forces the expiry for the object and also deletes it from the F5 system.

Service Credentials

Service credentials can be created by administrator users, and these credentials have roles assigned to provide API access to F5XC services. When you create service credentials, you can specify roles, and these roles are assigned to the created user, called ServiceUser.

Generate API Certificate

Step 1: Open F5® Distributed Cloud Console > select Service Credentials.
  • Open F5® Distributed Cloud Console homepage, select Administration box.

  • Select IAM in left-menus > select Service Credentials > select + Add Service Credentials.

  • Select + Create service credentials button.
Figure: Open Service Credentials
Step 2: Set up Credential type.
  • Enter Name in Credential Email box to generate unique email name, name@volterracredentials.io.

  • Select API Certificate in Credential type drop-down menu.

  • Enter Password > Confirm Password.

  • Select Expiry date from calendar drop-down.

  • Optionally: Select Assign roles and namespaces to open pop-up window.

    • Select Namespace drop-down option.

      • all application namespaces

      • shared

      • system

      • default

      • your custom namespace, Example: aatw

    • Select Make Admin checkbox to grant the admin role.

    • Select Role boxes to select a role from the displayed options.

    Note: You can add more roles using the + Add another role.

    • Select Add roles button.
Figure: Open Service Credentials
Step 3: Generate and download certificate.

Select Download button to download the certificate in .p12 file format.

Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.


Generate Kubeconfig

Step 1: Start creating credentials in F5® Distributed Cloud Console.
  • Open F5® Distributed Cloud Console homepage, select Administration box.
Figure: Homepage
  • Select IAM, select Service Credentials > select + Add Service Credentials.
Figure: Credentials
Step 2: Set up Credential type.
  • Enter Name in Credential Email box to generate unique email name, name@volterracredentials.io.

  • Select vK8s KubeConfig in Credential type drop-down menu.

  • Select Site in drop-down menu.

  • Select Expiry date from calendar drop-down.

  • Optionally: Select Assign roles and namespaces to open pop-up window.

    • Select Namespace drop-down option.

      • all application namespaces

      • shared

      • system

      • default

      • your custom namespace, Example: aatw

    • Select Make Admin checkbox to grant the admin role.

    • Select Role boxes to select a role from the displayed options.

    Note: You can add more roles using the + Add another role.

    • Select Add roles button.
Step 3: Create and download vK8s KubeConfig.

Select Download button.

Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.


Generate API Token

Step 1: Start credential creation in F5® Distributed Cloud Console.
  • Open F5® Distributed Cloud Console homepage, select Administration box.
Figure: Homepage
  • Select IAM, select Service Credentials > select + Add Service Credentials.
Figure: Credentials
Step 2: Set up Credential type.
  • Enter Name in Credential Email box to generate unique email name, name@volterracredentials.io.

  • Select API Token in Credential type drop-down menu.

  • Select Expiry date from calendar drop-down.

  • Optionally: Select Assign roles and namespaces to open pop-up window.

    • Select Namespace drop-down option.

      • all application namespaces

      • shared

      • system

      • default

      • your custom namespace, Example: aatw

    • Select Make Admin checkbox to grant the admin role.

    • Select Role boxes to select a role from the displayed options.

    Note: You can add more roles using the + Assign Roles and Namespaces.

    • Select Assign roles button.
Figure: Create Service API Token
Step 3: Generate and copy Credentials.
  • Select Generate button to generate the service API token.
Figure: Create Service API Token
  • Select Copy button to copy token.

Note: Ensure that you save the copied token for later use.

  • Select Done button.
Figure: Copy Service API Token

Revoke Service Credentials

You can force credentials to be expired before the configured expiry time.

Step 1: Open Service Credentials in F5® Distributed Cloud Console.
  • Open F5® Distributed Cloud Console homepage, select Administration box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Visit [Homepage Customization] to adjust your homepage.

Figure: Homepage
  • Select IAM > select Service Credentials > select + Add Service Credentials.
Figure: Credentials
Step 2: Perform revoke operation for an existing service credential object.
  • API Token: Select ... in Actions column, select Force Expiry to revoke API Token.

  • API Certificate: Select ... in Actions column, select Delete to revoke API Certificate.

  • vK8s KubeConfig Credential: Select ... in Actions column, select Delete to revoke vK8s KubeConfig Credential.

Figure: API Token Force Expiry Option
Step 3: Complete revoke operation.
  • In case of API Token, select Force Expiry in the confirmation window to cause API credential object expiry.
Figure: API Token Force Expiry Confirmation

Note: You can renew or delete an expired credential. Select ... > Renew against expired credential from the list of credentials to renew it. Set an expiry date and select Renew Credential in the confirmation box. Select ... > Delete against expired credential from the list of credentials to delete it. Select Delete in the confirmation box.

  • In case of API certificates or vK8s KubeConfigs, select Delete in the confirmation window. This forces the expiry for the object and also deletes it from the F5® Distributed Cloud Console.

Concepts