Configuration¶

All connection details live under saltext.vcf in pillar, one block per component.

saltext.vcf:
  vcenter:
    host: mgmt-vc.example.com
    username: administrator@vsphere.local
    password: VMware123!VMware123!
    verify_ssl: false
  sddc_manager:
    host: sddc-manager.example.com
    username: administrator@vsphere.local
    password: VMware123!VMware123!
    verify_ssl: false
  nsx:
    host: mgmt-nsx.example.com
    username: admin
    password: VMware123!VMware123!
    verify_ssl: false
  vcf_ops:
    host: ops.example.com
    username: admin
    password: VMware123!VMware123!
    auth_source: LOCAL          # optional, default LOCAL
    verify_ssl: false
  esxi:
    host: esxi01.example.com    # standalone hosts only
    username: root
    password: VMware123!
    verify_ssl: false

Per-component¶

Block	Auth	Used by
`vcenter`	`POST /api/session` → session token	`vcf_vcenter_`, `vcf_vsan_`, `vcf_vim_*`
`sddc_manager`	`POST /v1/tokens` → bearer JWT	`vcf_sddc_*`, `vcf_vcf_services`
`nsx`	HTTP Basic	`vcf_nsx_*` (Policy + Management APIs)
`vcf_ops`	`POST /suite-api/api/auth/token/acquire` → `Authorization: vRealizeOpsToken <token>`	`vcf_vcfops_*`
`esxi`	`POST /api/session` (same shape as vCenter)	`vcf_esxi_*`

Session tokens cache per (host, username) for the Python process lifetime. Call <util>.invalidate_session(opts) to force re-auth.

The esxi block applies only to direct-mode hosts. vCenter-managed ESXi has its direct REST locked; use vcf_cluster_config (Cluster Configuration Profile API) instead.

For vcf_ops, override auth_source when authenticating against a non-local IdP source.

Profiles¶

profile=<name> selects a named override under saltext.vcf.profiles.<name>:

saltext.vcf:
  vcenter:
    host: mgmt-vc-prod.example.com
    username: administrator@vsphere.local
    password: prod-pass
  profiles:
    staging:
      vcenter:
        host: mgmt-vc-staging.example.com
        username: administrator@vsphere.local
        password: staging-pass

salt-call vcf_vcenter_cluster.list_
salt-call vcf_vcenter_cluster.list_ profile=staging

Multi-instance fleets¶

For minions managing more than one of any component, use the Resources framework instead:

resources:
  vcenter:
    instances:
      mgmt-vc:
        host: mgmt-vc.example.com
        username: administrator@vsphere.local
        password: secret
      prod-vc:
        host: prod-vc.example.com
        username: administrator@vsphere.local
        password: other-secret

See Resources Framework.

Security¶

Source pillar from a secret store (gpg/Vault/SOPS). Salt does not encrypt pillar at rest.
profile= resolves from pillar at call time; no env-var or external secret-store fallback.
Tokens cache in-process. Restart the minion or call invalidate_session(opts) on the relevant util to clear.