Before proceeding to configure the discovery configuration, you must create secrets in
the secrets manager. This ensures that there are credentials that can be used by the
discovery configuration to authenticate with the selected environment to discover DNS
data. Discovery configurations used to retrieve data from GCP environments must have
secrets configured for the following credentials:
- GCP service account credentials
For more information, refer to Secrets manager.
Attention: If you are using HashiCorp Vault to store your
secrets, you must add the Vault credentials to the secrets manager.
Attention: GCP discovery configurations can only be
associated with discovery instances running software version 1.1.0 and deployed on DNS
resolver service running software version 4.0.0.
Prerequisites
Cloud API access requirements
The service point that is configured to use the discovery configuration must be able
to access the following cloud API endpoints:
https://dns.googleapis.com
https://compute.googleapis.com
Note: For more information on GCP API endpoints, refer to
https://developers.google.com/apis-explorer.
Configuring GCP permission requirements
- Create a service account that the discovery configuration will use to authenticate with GCP. For more information on creating service accounts, refer to https://cloud.google.com/iam/docs/creating-managing-service-accounts.
- Assign the following roles to the service account:
roles/compute.viewer
roles/dns.reader
For more information on granting roles to the service account, refer to https://cloud.google.com/iam/docs/granting-changing-revoking-access#grant-single-role.
- Create a service account key file for the service account. The discovery configuration uses this information to authenticate with the service account and access the resources within the GCP project. For more information on generating a service account key file, refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating.
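The three steps above, carried out with the gcloud CLI. This is an added example, not BlueCat's or Google's code; it assumes gcloud is installed and already authenticated as someone who can administer IAM in the project, and PROJECT_ID, SA_NAME and KEY_FILE are placeholders you replace. It defaults to a dry run that only prints the commands; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example: create the read-only GCP service account the discovery
# configuration authenticates as. PROJECT_ID, SA_NAME and KEY_FILE are
# placeholders (assumptions, not values from the page).
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"   # placeholder project ID
SA_NAME="${SA_NAME:-edge-dns-discovery}"     # placeholder service account name
KEY_FILE="${KEY_FILE:-./${SA_NAME}-key.json}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands only

# Builds the IAM member string for a service account in a project.
sa_member() {
    printf 'serviceAccount:%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# The only two roles the page requires: read-only on Compute and Cloud DNS.
required_roles() {
    printf '%s\n' roles/compute.viewer roles/dns.reader
}

# Prints the command in dry-run mode, executes it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

create_discovery_service_account() {
    member="$(sa_member "$SA_NAME" "$PROJECT_ID")"

    # Step 1: create the service account.
    run gcloud iam service-accounts create "$SA_NAME" \
        --project "$PROJECT_ID" \
        --display-name "BlueCat Edge DNS discovery"

    # Step 2: grant only the read-only roles; no editor or owner role.
    for role in $(required_roles); do
        run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
            --member "$member" --role "$role" --condition None
    done

    # Step 3: create the key file that is uploaded to the secrets manager.
    # Keep it owner-readable and delete the local copy once it is stored.
    run gcloud iam service-accounts keys create "$KEY_FILE" \
        --iam-account "${member#serviceAccount:}" --project "$PROJECT_ID"
    [ "$DRY_RUN" = 1 ] || chmod 600 "$KEY_FILE"
}

create_discovery_service_account
```

Granting the two viewer/reader roles at project level is enough for the discovery configuration to list Compute and Cloud DNS resources; if the key file is ever exposed, it can only read, not change, those resources.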
Creating the GCP discovery configuration
To configure the GCP discovery configuration
- In the top navigation bar, click
and select .
- To add a new discovery configuration, click .
- Enter the name of the discovery configuration.
- Under Polling interval, enter the interval at which the source of the DNS data is polled. The minimum value is 60 seconds.
- Under Discovery timeout, enter the maximum length of time that the Discovery Instance attempts to discover DNS data for the configuration before it times out, in seconds. The default value is 1800 seconds (30 minutes).
- Under On discovery failure, select one of the following
options to determine how the global discovery configuration handles failures to
retrieve data:
- Keep last data (safe)—the discovery configuration uses the last successfully retrieved set of DNS data.
- Overwrite last data—the discovery configuration overwrites the DNS data from the last successful retrieval.
- Select Generate reverse zones to automatically generate reverse zones for cloud discovered network space.
- Under HCV authentication, enter the following information
to use HashiCorp Vault (HCV) authentication.
- Use HashiCorp Vault for retrieving credentials—select this checkbox to use secret credentials stored in HashiCorp Vault.
- Host—the base URL of HashiCorp Vault server where the secrets are stored.
- Port—the port used to retrieve credentials stored in the HashiCorp Vault server.
- Namespace (required if using HashiCorp Vault namespaces)—if you are using a namespace, the value is the namespace where the user's secrets are stored in the vault. For more information, refer to https://developer.hashicorp.com/vault/docs/enterprise/namespaces.
- Role ID—select the ID of the role that you would like to use to authenticate against HashiCorp Vault. For more information, refer to https://developer.hashicorp.com/vault/api-docs/auth/approle#read-approle-role-id.
- Secret ID—select the secret ID generated from the role ID that is used to authenticate against HashiCorp Vault. For more information, refer to https://developer.hashicorp.com/vault/api-docs/auth/approle#generate-new-secret-id.
- Secret Path—the path where you have stored the
secrets within the HashiCorp Vault server. You can enter the path to
locations where BlueCat Edge credentials and discovery secrets are
stored.
The discovery configuration uses the HashiCorp Vault API to look up secrets. You must prefix paths with /v1/. For example, if secrets are stored within the secret/data/edgeresolver path, the Secret Path value would be /v1/secret/data/edgeresolver.
- Under GCP authentication, specify the GCP authentication
information:
- Service account credentials—select the GCP
service account credentials stored in secrets manager that will be used
to authenticate against GCP to discover DNS data. Note: If you are using credentials from HashiCorp Vault, enter the key name for the GCP service account credentials stored in HashiCorp Vault.
- Under GCP Project configurations, specify one or more GCP
Project configurations to discover DNS data from:
- Project ID—enter the ID of the GCP Project.
- On discovery failure: select one of the following
options to determine how the discovery configuration handles failures to
retrieve data from this GCP configuration:
- Keep last data (safe): the discovery configuration uses the last successfully retrieved set of DNS data.
- Overwrite last data: the discovery configuration overwrites the DNS data from the last successful retrieval.
Note: The discovery failure options configured per GCP configuration override the discovery failure options configured at the global level. This field is optional.
- Click
to add the GCP configurations.
- Click Save.
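The HashiCorp Vault lookups that the Role ID, Secret ID, Namespace and Secret Path fields in the procedure above describe, done by hand with curl so the values can be checked before they are entered. This is an added example, not BlueCat's or HashiCorp's code; it assumes AppRole authentication is enabled at the default auth/approle mount, that the secrets live in a KV version 2 engine, and that VAULT_HOST, VAULT_PORT, VAULT_NAMESPACE, ROLE_ID and SECRET_ID are placeholders. It defaults to a dry run that prints the requests; set DRY_RUN=0 to send them.

```shell
#!/bin/sh
# Added example: AppRole login followed by a KV v2 read at the Secret Path.
# All VAULT_*/ROLE_ID/SECRET_ID values are placeholders (assumptions).
set -eu

VAULT_HOST="${VAULT_HOST:-https://vault.example.com}"   # placeholder Host value
VAULT_PORT="${VAULT_PORT:-8200}"                        # placeholder Port value
VAULT_NAMESPACE="${VAULT_NAMESPACE:-}"                  # empty unless namespaces are used
SECRET_PATH="${SECRET_PATH:-/v1/secret/data/edgeresolver}"
ROLE_ID="${ROLE_ID:-<role-id>}"                         # placeholder
SECRET_ID="${SECRET_ID:-<secret-id>}"                   # placeholder
DRY_RUN="${DRY_RUN:-1}"                                 # 1 = print requests only

# Joins Host, Port and an API path. Refuses a path without the /v1/ prefix,
# which is the mistake the Secret Path field warns about.
vault_url() {
    case "$3" in
        /v1/*) printf '%s:%s%s' "$1" "$2" "$3" ;;
        *) echo "secret path must start with /v1/: $3" >&2; return 1 ;;
    esac
}

# Builds the JSON body for an AppRole login.
approle_login_body() {
    printf '{"role_id":"%s","secret_id":"%s"}' "$1" "$2"
}

# Prints the command in dry-run mode, executes it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '[dry-run] %s\n' "$*"; else "$@"; fi
}

# curl wrapper that adds the X-Vault-Namespace header only when a namespace
# is configured (a namespace is selected per request, not in the URL).
vault_curl() {
    url="$1"; shift
    if [ -n "$VAULT_NAMESPACE" ]; then
        set -- "$@" -H "X-Vault-Namespace: $VAULT_NAMESPACE"
    fi
    run curl -sS "$@" "$url"
}

# Step 1: exchange Role ID + Secret ID for a client token. The token is in
# .auth.client_token of the JSON response.
approle_login() {
    vault_curl "$(vault_url "$VAULT_HOST" "$VAULT_PORT" /v1/auth/approle/login)" \
        -d "$(approle_login_body "$ROLE_ID" "$SECRET_ID")"
}

# Step 2: read the secret at Secret Path with that token. In a KV v2 response
# the key/value pairs are nested under .data.data, so the key name entered in
# the Service account credentials field must exist there.
read_secret() {
    vault_curl "$(vault_url "$VAULT_HOST" "$VAULT_PORT" "$SECRET_PATH")" \
        -H "X-Vault-Token: $1"
}

approle_login
read_secret "${VAULT_TOKEN:-<client-token>}"
```

The `data` segment in secret/data/edgeresolver is part of the KV v2 API path, not of the secret's logical name; a KV v1 mount would be read at /v1/secret/edgeresolver instead, so check which engine version is mounted before filling in Secret Path.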