Re-home 'Admin credentials root secret format'

2026-02-05 12:46:18 +01:00 · 2022-08-23 17:13:21 -04:00
parent 643aaa9b79
commit 4d5f092509
9 changed files with 139 additions and 63 deletions
--- a/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc
+++ b/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc
@@ -49,6 +49,9 @@ The credential you provide for mint mode in GCP must have the following permissi
 * `resourcemanager.projects.getIamPolicy`
 * `resourcemanager.projects.setIamPolicy`

+//Admin credentials root secret format
+include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
+
 //Mint Mode with removal or rotation of the admin credential
 include::modules/mint-mode-with-removal-of-admin-credential.adoc[leveloffset=+1]

--- a/authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc
+++ b/authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc
@@ -87,10 +87,16 @@ To install an {product-title} cluster on VMware vSphere, the CCO requires a cred

 |====

+//Admin credentials root secret format
+include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
+
 [id="passthrough-mode-maintenance"]
 == Passthrough mode credential maintenance
 If `CredentialsRequest` CRs change over time as the cluster is upgraded, you must manually update the passthrough mode credential to meet the requirements. To avoid credentials issues during an upgrade, check the `CredentialsRequest` CRs in the release image for the new version of {product-title} before upgrading. To locate the `CredentialsRequest` CRs that are required for your cloud provider, see _Manually creating IAM_ for xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-creating-iam-aws[AWS], xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[Azure], or xref:../../installing/installing_gcp/manually-creating-iam-gcp.adoc#manually-creating-iam-gcp[GCP].

+//Rotating cloud provider credentials manually
+include::modules/manually-rotating-cloud-creds.adoc[leveloffset=+2]
+
 [id="passthrough-mode-reduce-permissions"]
 == Reducing permissions after installation
 When using passthrough mode, each component has the same permissions used by all other components. If you do not reduce the permissions after installing, all components have the broad permissions that are required to run the installer.
--- a/installing/installing_aws/manually-creating-iam.adoc
+++ b/installing/installing_aws/manually-creating-iam.adoc
@@ -29,8 +29,6 @@ include::modules/manually-create-identity-access-management.adoc[leveloffset=+1]
 * xref:../../updating/updating-cluster-within-minor.adoc#manually-maintained-credentials-upgrade_updating-cluster-within-minor[Updating a cluster using the web console]
 * xref:../../updating/updating-cluster-cli.adoc#manually-maintained-credentials-upgrade_updating-cluster-cli[Updating a cluster using the CLI]

-include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
-
 include::modules/mint-mode.adoc[leveloffset=+1]

 include::modules/mint-mode-with-removal-of-admin-credential.adoc[leveloffset=+1]
--- a/installing/installing_azure/manually-creating-iam-azure.adoc
+++ b/installing/installing_azure/manually-creating-iam-azure.adoc
@@ -20,8 +20,6 @@ include::modules/manually-create-identity-access-management.adoc[leveloffset=+1]
 * xref:../../updating/updating-cluster-within-minor.adoc#manually-maintained-credentials-upgrade_updating-cluster-within-minor[Updating a cluster using the web console]
 * xref:../../updating/updating-cluster-cli.adoc#manually-maintained-credentials-upgrade_updating-cluster-cli[Updating a cluster using the CLI]

-include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
-
 [id="manually-creating-iam-azure-next-steps"]
 == Next steps

--- a/installing/installing_azure_stack_hub/manually-creating-iam-azure-stack-hub.adoc
+++ b/installing/installing_azure_stack_hub/manually-creating-iam-azure-stack-hub.adoc
@@ -22,8 +22,6 @@ include::modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc[level

 include::modules/manually-create-identity-access-management.adoc[leveloffset=+1]

-include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
-
 include::modules/manually-maintained-credentials-upgrade.adoc[leveloffset=+1]

 [id="next-steps_manually-creating-iam-azure-stack-hub"]
--- a/installing/installing_gcp/manually-creating-iam-gcp.adoc
+++ b/installing/installing_gcp/manually-creating-iam-gcp.adoc
@@ -24,8 +24,6 @@ include::modules/manually-create-identity-access-management.adoc[leveloffset=+1]
 * xref:../../updating/updating-cluster-within-minor.adoc#manually-maintained-credentials-upgrade_updating-cluster-within-minor[Updating a cluster using the web console]
 * xref:../../updating/updating-cluster-cli.adoc#manually-maintained-credentials-upgrade_updating-cluster-cli[Updating a cluster using the CLI]

-include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
-
 include::modules/mint-mode.adoc[leveloffset=+1]

 include::modules/mint-mode-with-removal-of-admin-credential.adoc[leveloffset=+1]
--- a/modules/admin-credentials-root-secret-formats.adoc
+++ b/modules/admin-credentials-root-secret-formats.adoc
@@ -1,15 +1,13 @@
 // Module included in the following assemblies:
 //
-// * installing/installing_aws/manually-creating-iam.adoc
+// * authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc
+// * authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc

-ifeval::["{context}" == "manually-creating-iam-aws"]
-:aws:
+ifeval::["{context}" == "cco-mode-mint"]
+:mint:
 endif::[]
-ifeval::["{context}" == "manually-creating-iam-azure"]
-:azure:
-endif::[]
-ifeval::["{context}" == "manually-creating-iam-gcp"]
-:google-cloud-platform:
+ifeval::["{context}" == "cco-mode-passthrough"]
+:passthrough:
 endif::[]

 :_content-type: REFERENCE
@@ -19,18 +17,11 @@ endif::[]
 Each cloud provider uses a credentials root secret in the `kube-system`
 namespace by convention, which is then used to satisfy all credentials requests
 and create their respective secrets.
-ifndef::azure[]
 This is done either by minting new credentials with _mint mode_, or by copying the credentials root secret with _passthrough mode_.
-endif::azure[]
-ifdef::azure[]
-This is done by copying the credentials root secret with _passthrough mode_.
-endif::azure[]

 The format for the secret varies by cloud, and is also used for each
 `CredentialsRequest` secret.

-ifdef::aws[]
-
 .Amazon Web Services (AWS) secret format

 [source,yaml]
@@ -41,13 +32,11 @@ metadata:
  namespace: kube-system
  name: aws-creds
 stringData:
-  aws_access_key_id: <AccessKeyID>
-  aws_secret_access_key: <SecretAccessKey>
+  aws_access_key_id: <base64-encoded_access_key_id>
+  aws_secret_access_key: <base64-encoded_secret_access_key>
 ----

-endif::aws[]
-
-ifdef::azure[]
+ifdef::passthrough[]

 .Microsoft Azure secret format

@@ -59,13 +48,13 @@ metadata:
  namespace: kube-system
  name: azure-credentials
 stringData:
-  azure_subscription_id: <SubscriptionID>
-  azure_client_id: <ClientID>
-  azure_client_secret: <ClientSecret>
-  azure_tenant_id: <TenantID>
-  azure_resource_prefix: <ResourcePrefix>
-  azure_resourcegroup: <ResourceGroup>
-  azure_region: <Region>
+  azure_subscription_id: <base64-encoded_subscription_id>
+  azure_client_id: <base64-encoded_client_id>
+  azure_client_secret: <base64-encoded_client_secret>
+  azure_tenant_id: <base64-encoded_tenant_id>
+  azure_resource_prefix: <base64-encoded_resource_prefix>
+  azure_resourcegroup: <base64-encoded_resource_group>
+  azure_region: <base64-encoded_region>
 ----

 On Microsoft Azure, the credentials secret format includes two properties that must contain the cluster's infrastructure ID, generated randomly for each cluster installation. This value can be found after running create manifests:
@@ -88,9 +77,7 @@ This value would be used in the secret data as follows:
 azure_resource_prefix: mycluster-2mpcn
 azure_resourcegroup: mycluster-2mpcn-rg
 ----
-endif::azure[]
-
-ifdef::google-cloud-platform[]
+endif::passthrough[]

 .Google Cloud Platform (GCP) secret format

@@ -102,16 +89,61 @@ metadata:
  namespace: kube-system
  name: gcp-credentials
 stringData:
-  service_account.json: <ServiceAccount>
+  service_account.json: <base64-encoded_service_account>
 ----
-endif::google-cloud-platform[]

-ifeval::["{context}" == "manually-creating-iam-aws"]
-:!aws:
-endif::[]
-ifeval::["{context}" == "manually-creating-iam-azure"]
-:!azure:
-endif::[]
-ifeval::["{context}" == "manually-creating-iam-gcp"]
-:!google-cloud-platform:
+ifdef::passthrough[]
+
+.{rh-openstack-first} secret format
+
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: kube-system
+  name: openstack-credentials
+data:
+  clouds.yaml: <base64-encoded_cloud_creds>
+  clouds.conf: <base64-encoded_cloud_creds_init>
+----
+
+.{rh-virtualization-first} secret format
+
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: kube-system
+  name: ovirt-credentials
+data:
+  ovirt_url: <base64-encoded_url>
+  ovirt_username: <base64-encoded_username>
+  ovirt_password: <base64-encoded_password>
+  ovirt_insecure: <base64-encoded_insecure>
+  ovirt_ca_bundle: <base64-encoded_ca_bundle>
+----
+
+.VMware vSphere secret format
+
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: kube-system
+  name: vsphere-creds
+data:
+ vsphere.openshift.example.com.username: <base64-encoded_username>
+ vsphere.openshift.example.com.password: <base64-encoded_password>
+----
+
+endif::passthrough[]
+
+ifeval::["{context}" == "cco-mode-mint"]
+:!mint:
 endif::[]
+ifeval::["{context}" == "cco-mode-passthrough"]
+:!passthrough:
+endif::[]
--- a/modules/manually-rotating-cloud-creds.adoc
+++ b/modules/manually-rotating-cloud-creds.adoc
@@ -2,6 +2,14 @@
 //
 // * post_installation_configuration/cluster-tasks.adoc
 // * authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc
+// * authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc
+
+ifeval::["{context}" == "cco-mode-mint"]
+:mint:
+endif::[]
+ifeval::["{context}" == "cco-mode-passthrough"]
+:passthrough:
+endif::[]

 :_content-type: PROCEDURE
 [id="manually-rotating-cloud-creds_{context}"]
@@ -22,9 +30,13 @@ You can also use the command line interface to complete all parts of this proced

 * Your cluster is installed on a platform that supports rotating cloud credentials manually with the CCO mode that you are using:

-** For mint mode, AWS and GCP are supported.
+ifndef::passthrough[]
+** For mint mode, Amazon Web Services (AWS) and Google Cloud Platform (GCP) are supported.
+endif::passthrough[]

-** For passthrough mode, AWS, Azure, GCP, {rh-openstack-first}, {rh-virtualization-first}, and VMware vSphere are supported.
+ifndef::mint[]
+** For passthrough mode, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), {rh-openstack-first}, {rh-virtualization-first}, and VMware vSphere are supported.
+endif::mint[]

 * You have changed the credentials that are used to interface with your cloud provider.

@@ -44,12 +56,24 @@ You can also use the command line interface to complete all parts of this proced
 |AWS
 |`aws-creds`

+ifndef::mint[]
 |Azure
 |`azure-credentials`
+endif::mint[]

 |GCP
 |`gcp-credentials`

+ifndef::mint[]
+|{rh-openstack}
+|`openstack-credentials`
+
+|{rh-virtualization}
+|`ovirt-credentials`
+
+|vSphere
+|`vsphere-creds`
+endif::mint[]
 |===

 . Click the *Options* menu {kebab} in the same row as the secret and select *Edit Secret*.
@@ -66,10 +90,24 @@ You can also use the command line interface to complete all parts of this proced
 +
 [source,terminal]
 ----
-$ oc -n openshift-cloud-credential-operator get CredentialsRequest -o json | jq -r '.items[] | select (.spec.providerSpec.kind=="<provider_spec>") | .spec.secretRef'
+$ oc -n openshift-cloud-credential-operator get CredentialsRequest \
+  -o json | jq -r '.items[] | select (.spec.providerSpec.kind=="<provider_spec>") | .spec.secretRef'
 ----
 +
-Where `<provider_spec>` is the corresponding value for your cloud provider: `AWSProviderSpec` for AWS, `AzureProviderSpec` for Azure, or `GCPProviderSpec` for GCP.
+where `<provider_spec>` is the corresponding value for your cloud provider:
+
+--
+* AWS: `AWSProviderSpec`
+ifndef::mint[]
+* Azure: `AzureProviderSpec`
+endif::mint[]
+* GCP: `GCPProviderSpec`
+ifndef::mint[]
+* {rh-openstack}: `OpenStackProviderSpec`
+* {rh-virtualization}: `OvirtProviderSpec`
+* vSphere: `VSphereProviderSpec`
+endif::mint[]
+--
 +
 .Partial example output for AWS
 +
@@ -89,10 +127,12 @@ Where `<provider_spec>` is the corresponding value for your cloud provider: `AWS
 +
 [source,terminal]
 ----
-$ oc delete secret <secret_name> -n <secret_namespace>
+$ oc delete secret <secret_name> \ <1>
+  -n <secret_namespace> <2>
 ----
 +
-Where `<secret_name>` is the name of a secret and `<secret_namespace>` is the namespace that contains the secret.
+<1> Specify the name of a secret.
+<2> Specify the namespace that contains the secret.
 +
 .Example deletion of an AWS secret
 +
@@ -160,3 +200,10 @@ Where `<example-iam-username>` is the name of an IAM user on the cloud provider.

 .. For each IAM username, view the details for the user on the cloud provider. The credentials should show that they were created after being rotated on the cluster.
 ////
+
+ifeval::["{context}" == "cco-mode-mint"]
+:!mint:
+endif::[]
+ifeval::["{context}" == "cco-mode-passthrough"]
+:!passthrough:
+endif::[]
--- a/post_installation_configuration/cluster-tasks.adoc
+++ b/post_installation_configuration/cluster-tasks.adoc
@@ -625,6 +625,11 @@ include::modules/manually-rotating-cloud-creds.adoc[leveloffset=+2]

 include::modules/manually-removing-cloud-creds.adoc[leveloffset=+2]

+[role="_additional-resources"]
+.Additional resources
+
+* xref:../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator[About the Cloud Credential Operator]
+
 [id="post-install-must-gather-disconnected"]
 == Configuring image streams for a disconnected cluster

@@ -636,12 +641,3 @@ include::modules/installation-restricted-network-samples.adoc[leveloffset=+2]

 include::modules/installation-preparing-restricted-cluster-to-gather-support-data.adoc[leveloffset=+2]

-[role="_additional-resources"]
-[discrete]
-[id="manually-rotating-cloud-creds-addtl-resources"]
-== Additional resources
-
-* xref:../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator[About the Cloud Credential Operator]
-* xref:../installing/installing_aws/manually-creating-iam.adoc#admin-credentials-root-secret-formats_manually-creating-iam-aws[Amazon Web Services (AWS) secret format]
-* xref:../installing/installing_azure/manually-creating-iam-azure.adoc#admin-credentials-root-secret-formats_manually-creating-iam-azure[Microsoft Azure secret format]
-* xref:../installing/installing_gcp/manually-creating-iam-gcp.adoc#admin-credentials-root-secret-formats_manually-creating-iam-gcp[Google Cloud Platform (GCP) secret format]