Before proceeding to configure the discovery configuration, you must create secrets in
the secrets manager. This ensures that there are credentials that can be used by the
discovery configuration to authenticate with the selected environment to discover DNS
data. Discovery configurations used to retrieve data from Address Manager environments
must have secrets configured for the following credentials:
- Address Manager API username
- Address Manager API password
For more information, refer to Secrets manager.
Attention:
- If you are using HashiCorp Vault to store your secrets, you must add the Vault credentials to the secrets manager.
- HashiCorp Vault is only supported on discovery instances running software version 1.1.0.
To configure the Address Manager discovery configuration
- In the top navigation bar, click
and select .
- To add a new discovery configuration, click .
- Enter the name of the discovery configuration.
- Under Polling interval, enter the interval at which the source of the DNS data is polled. The minimum value is 60 seconds.
  Note: The default value is a lower bound for the actual interval. When the discovery process performs a discovery of all configurations, the process waits 15 seconds before checking if the polling interval for each configuration has been reached.
- Under Discovery timeout, enter the maximum length of time that the Discovery Instance attempts to discover DNS data for the configuration before it times out, in seconds. The default value is 1800 seconds (30 minutes).
- Under On discovery failure, select one of the following options to determine how the global discovery configuration handles failures to retrieve data:
  - Keep last data (safe): the discovery configuration uses the last successfully retrieved set of DNS data.
  - Overwrite last data: the discovery configuration overwrites the DNS data from the last successful retrieval.
- Under HCV authentication, enter the following information to use HashiCorp Vault (HCV) authentication.
  Attention: Address Manager discovery configurations using HCV authentication can only be associated with discovery instances running software version 1.1.0.
  - Use HashiCorp Vault for retrieving credentials—select this checkbox to use secret credentials stored in HashiCorp Vault.
  - Host—the base URL of the HashiCorp Vault server where the secrets are stored.
  - Port—the port used to retrieve credentials stored in the HashiCorp Vault server.
  - Namespace (required if using HashiCorp Vault namespaces)—if you are using a namespace, the value is the namespace where the user's secrets are stored in the vault. For more information, refer to https://developer.hashicorp.com/vault/docs/enterprise/namespaces.
  - Role ID—select the ID of the secret in the secrets manager in which the HashiCorp Vault Role ID is defined. For more information, refer to https://developer.hashicorp.com/vault/api-docs/auth/approle#read-approle-role-id.
  - Secret ID—select the secret ID generated from the role ID that is used to authenticate against HashiCorp Vault. For more information, refer to https://developer.hashicorp.com/vault/api-docs/auth/approle#generate-new-secret-id.
  - Secret Path—the path where you have stored the secrets within the HashiCorp Vault server.
    The discovery configuration uses the HashiCorp Vault API to look up secrets. You must prefix paths with /v1/. For example, if secrets are stored within the secret/data/edgeresolver path, the Secret Path value would be /v1/secret/data/edgeresolver.
- Under BAM authentication, enter the following BlueCat Address Manager (BAM) information:
  - Scheme: select the scheme used to access the Address Manager server.
  - FQDN: enter the FQDN of the Address Manager server.
  - API username: select the value of the API user key credential stored in Edge secrets manager.
    Note: If you are using credentials from HashiCorp Vault, enter the key name for the API username stored in HashiCorp Vault.
    Once you have selected a value, click Apply to populate the field.
  - API password: select the value of the API password key credential stored in Edge secrets manager.
    Note: If you are using credentials from HashiCorp Vault, enter the key name for the API password stored in HashiCorp Vault.
    Once you have selected a value, click Apply to populate the field.
  - Signing certificate: upload the Address Manager server certificate or signing certificate. This field is required if the Scheme is https and Address Manager uses a self-signed certificate. Otherwise, the field should be omitted.
    Note: The file must be in PEM format.
- Under BAM configurations, specify one or more Address Manager configurations to discover DNS data from:
  - Configuration: enter the name of the Address Manager configuration in which the DNS data can be found.
  - View: enter the name of the Address Manager DNS view in which the DNS data can be found.
  - On discovery failure: select one of the following options to determine how the discovery configuration handles failures to retrieve data from this Address Manager configuration:
    - Keep last data (safe): the discovery configuration uses the last successfully retrieved set of DNS data.
    - Overwrite last data: the discovery configuration overwrites the DNS data from the last successful retrieval.
    Note: The discovery failure options configured per BAM configuration override the discovery failure options configured at the global level. This field is optional.
- Click to add the Address Manager configurations.
- Click Save.
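
One way to check the HCV authentication values and the API username and password key names before entering them is shown below. This is an added example, not BlueCat's code: it assumes the AppRole auth method is mounted at Vault's default approle path and that the Secret Path points at a KV version 2 secret (as the secret/data/edgeresolver example suggests), and all function names are hypothetical.

```python
import json
import urllib.request

def vault_url(host, port, api_path):
    """Join the Host (base URL), Port and an API path that carries the /v1/ prefix."""
    if not api_path.startswith("/v1/"):
        raise ValueError("path must start with /v1/: %r" % api_path)
    return "%s:%d%s" % (host.rstrip("/"), port, api_path)

def _headers(namespace, token=None):
    headers = {}
    if namespace:  # only needed when Vault namespaces are in use
        headers["X-Vault-Namespace"] = namespace
    if token:
        headers["X-Vault-Token"] = token
    return headers

def login_request(host, port, role_id, secret_id, namespace=None):
    """AppRole login. Assumes the auth method is mounted at the default 'approle' path."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return urllib.request.Request(vault_url(host, port, "/v1/auth/approle/login"),
                                  data=body, headers=_headers(namespace), method="POST")

def read_request(host, port, secret_path, token, namespace=None):
    """Read the secret at the Secret Path using the token returned by the login."""
    return urllib.request.Request(vault_url(host, port, secret_path),
                                  headers=_headers(namespace, token), method="GET")

def missing_keys(kv_response, key_names):
    """Key names absent from a KV v2 read response (secret values sit under data.data)."""
    stored = kv_response.get("data", {}).get("data", {})
    return [k for k in key_names if k not in stored]

def preflight(host, port, role_id, secret_id, secret_path, key_names,
              namespace=None, opener=urllib.request.urlopen):
    """Log in, read the secret, and return the key names that are missing from it."""
    with opener(login_request(host, port, role_id, secret_id, namespace)) as resp:
        token = json.load(resp)["auth"]["client_token"]
    with opener(read_request(host, port, secret_path, token, namespace)) as resp:
        return missing_keys(json.load(resp), key_names)
```

Call preflight with the Host, Port, Role ID, Secret ID, Secret Path and the two key names you plan to enter; an empty list means the login succeeded and both key names exist at that path.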