From 4d5f0925090c8a8ab221d93046a8794661f3dc27 Mon Sep 17 00:00:00 2001
From: Jeana Routh
Date: Tue, 23 Aug 2022 17:13:21 -0400
Subject: [PATCH] Re-home 'Admin credentials root secret format'
---
 .../cco-mode-mint.adoc | 3 +
 .../cco-mode-passthrough.adoc | 6 +
 .../installing_aws/manually-creating-iam.adoc | 2 -
 .../manually-creating-iam-azure.adoc | 2 -
 ...manually-creating-iam-azure-stack-hub.adoc | 2 -
 .../manually-creating-iam-gcp.adoc | 2 -
 ...admin-credentials-root-secret-formats.adoc | 112 +++++++++++-------
 modules/manually-rotating-cloud-creds.adoc | 59 ++++++++-
 .../cluster-tasks.adoc | 14 +--
 9 files changed, 139 insertions(+), 63 deletions(-)
diff --git a/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc b/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc
index 4dff398016..fd756d2e74 100644
--- a/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc
+++ b/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc
@@ -49,6 +49,9 @@ The credential you provide for mint mode in GCP must have the following permissi
 * `resourcemanager.projects.getIamPolicy`
 * `resourcemanager.projects.setIamPolicy`
+//Admin credentials root secret format
+include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
+
 //Mint Mode with removal or rotation of the admin credential
 include::modules/mint-mode-with-removal-of-admin-credential.adoc[leveloffset=+1]
diff --git a/authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc b/authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc
index 6235dc6bfa..47968790fb 100644
--- a/authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc
+++ b/authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc
@@ -87,10 +87,16 @@ To install an {product-title} cluster on VMware vSphere, the CCO requires a cred
 |====
+//Admin credentials root secret format
+include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
+
 [id="passthrough-mode-maintenance"]
 == Passthrough mode credential maintenance
 If `CredentialsRequest` CRs change over time as the cluster is upgraded, you must manually update the passthrough mode credential to meet the requirements. To avoid credentials issues during an upgrade, check the `CredentialsRequest` CRs in the release image for the new version of {product-title} before upgrading. To locate the `CredentialsRequest` CRs that are required for your cloud provider, see _Manually creating IAM_ for xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-creating-iam-aws[AWS], xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[Azure], or xref:../../installing/installing_gcp/manually-creating-iam-gcp.adoc#manually-creating-iam-gcp[GCP].
+//Rotating cloud provider credentials manually
+include::modules/manually-rotating-cloud-creds.adoc[leveloffset=+2]
+
 [id="passthrough-mode-reduce-permissions"]
 == Reducing permissions after installation
 When using passthrough mode, each component has the same permissions used by all other components. If you do not reduce the permissions after installing, all components have the broad permissions that are required to run the installer.
diff --git a/installing/installing_aws/manually-creating-iam.adoc b/installing/installing_aws/manually-creating-iam.adoc
index c48556bcc1..7ed38fa70f 100644
--- a/installing/installing_aws/manually-creating-iam.adoc
+++ b/installing/installing_aws/manually-creating-iam.adoc
@@ -29,8 +29,6 @@ include::modules/manually-create-identity-access-management.adoc[leveloffset=+1]
 * xref:../../updating/updating-cluster-within-minor.adoc#manually-maintained-credentials-upgrade_updating-cluster-within-minor[Updating a cluster using the web console]
 * xref:../../updating/updating-cluster-cli.adoc#manually-maintained-credentials-upgrade_updating-cluster-cli[Updating a cluster using the CLI]
-include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
-
 include::modules/mint-mode.adoc[leveloffset=+1]
 include::modules/mint-mode-with-removal-of-admin-credential.adoc[leveloffset=+1]
diff --git a/installing/installing_azure/manually-creating-iam-azure.adoc b/installing/installing_azure/manually-creating-iam-azure.adoc
index 19615464a5..7eaaeac743 100644
--- a/installing/installing_azure/manually-creating-iam-azure.adoc
+++ b/installing/installing_azure/manually-creating-iam-azure.adoc
@@ -20,8 +20,6 @@ include::modules/manually-create-identity-access-management.adoc[leveloffset=+1]
 * xref:../../updating/updating-cluster-within-minor.adoc#manually-maintained-credentials-upgrade_updating-cluster-within-minor[Updating a cluster using the web console]
 * xref:../../updating/updating-cluster-cli.adoc#manually-maintained-credentials-upgrade_updating-cluster-cli[Updating a cluster using the CLI]
-include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
-
 [id="manually-creating-iam-azure-next-steps"]
 == Next steps
diff --git a/installing/installing_azure_stack_hub/manually-creating-iam-azure-stack-hub.adoc b/installing/installing_azure_stack_hub/manually-creating-iam-azure-stack-hub.adoc
index c3ab397bb8..b1682c3b73 100644
--- a/installing/installing_azure_stack_hub/manually-creating-iam-azure-stack-hub.adoc
+++ b/installing/installing_azure_stack_hub/manually-creating-iam-azure-stack-hub.adoc
@@ -22,8 +22,6 @@ include::modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc[level
 include::modules/manually-create-identity-access-management.adoc[leveloffset=+1]
-include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
-
 include::modules/manually-maintained-credentials-upgrade.adoc[leveloffset=+1]
 [id="next-steps_manually-creating-iam-azure-stack-hub"]
diff --git a/installing/installing_gcp/manually-creating-iam-gcp.adoc b/installing/installing_gcp/manually-creating-iam-gcp.adoc
index 82bebcab64..833b462569 100644
--- a/installing/installing_gcp/manually-creating-iam-gcp.adoc
+++ b/installing/installing_gcp/manually-creating-iam-gcp.adoc
@@ -24,8 +24,6 @@ include::modules/manually-create-identity-access-management.adoc[leveloffset=+1]
 * xref:../../updating/updating-cluster-within-minor.adoc#manually-maintained-credentials-upgrade_updating-cluster-within-minor[Updating a cluster using the web console]
 * xref:../../updating/updating-cluster-cli.adoc#manually-maintained-credentials-upgrade_updating-cluster-cli[Updating a cluster using the CLI]
-include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
-
 include::modules/mint-mode.adoc[leveloffset=+1]
 include::modules/mint-mode-with-removal-of-admin-credential.adoc[leveloffset=+1]
diff --git a/modules/admin-credentials-root-secret-formats.adoc b/modules/admin-credentials-root-secret-formats.adoc
index 2db07a2f04..03e5667900 100644
--- a/modules/admin-credentials-root-secret-formats.adoc
+++ b/modules/admin-credentials-root-secret-formats.adoc
@@ -1,15 +1,13 @@
 // Module included in the following assemblies:
 //
-// * installing/installing_aws/manually-creating-iam.adoc
+// * authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc
+// * authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc
-ifeval::["{context}" == "manually-creating-iam-aws"]
-:aws:
+ifeval::["{context}" == "cco-mode-mint"]
+:mint:
 endif::[]
-ifeval::["{context}" == "manually-creating-iam-azure"]
-:azure:
-endif::[]
-ifeval::["{context}" == "manually-creating-iam-gcp"]
-:google-cloud-platform:
+ifeval::["{context}" == "cco-mode-passthrough"]
+:passthrough:
 endif::[]
 :_content-type: REFERENCE
@@ -19,18 +17,11 @@ endif::[]
 Each cloud provider uses a credentials root secret in the `kube-system` namespace by convention, which is then used to satisfy all credentials requests and create their respective secrets.
-ifndef::azure[]
 This is done either by minting new credentials with _mint mode_, or by copying the credentials root secret with _passthrough mode_.
-endif::azure[]
-ifdef::azure[]
-This is done by copying the credentials root secret with _passthrough mode_.
-endif::azure[]
 The format for the secret varies by cloud, and is also used for each `CredentialsRequest` secret.
-ifdef::aws[]
-
 .Amazon Web Services (AWS) secret format
 [source,yaml]
@@ -41,13 +32,11 @@ metadata:
 namespace: kube-system
 name: aws-creds
 stringData:
- aws_access_key_id:
- aws_secret_access_key:
+ aws_access_key_id:
+ aws_secret_access_key:
 ----
-endif::aws[]
-
-ifdef::azure[]
+ifdef::passthrough[]
 .Microsoft Azure secret format
@@ -59,13 +48,13 @@ metadata:
 namespace: kube-system
 name: azure-credentials
 stringData:
- azure_subscription_id:
- azure_client_id:
- azure_client_secret:
- azure_tenant_id:
- azure_resource_prefix:
- azure_resourcegroup:
- azure_region:
+ azure_subscription_id:
+ azure_client_id:
+ azure_client_secret:
+ azure_tenant_id:
+ azure_resource_prefix:
+ azure_resourcegroup:
+ azure_region:
 ----
 On Microsoft Azure, the credentials secret format includes two properties that must contain the cluster's infrastructure ID, generated randomly for each cluster installation. This value can be found after running create manifests:
@@ -88,9 +77,7 @@ This value would be used in the secret data as follows:
 azure_resource_prefix: mycluster-2mpcn
 azure_resourcegroup: mycluster-2mpcn-rg
 ----
-endif::azure[]
-
-ifdef::google-cloud-platform[]
+endif::passthrough[]
 .Google Cloud Platform (GCP) secret format
@@ -102,16 +89,61 @@ metadata:
 namespace: kube-system
 name: gcp-credentials
 stringData:
- service_account.json:
+ service_account.json:
 ----
-endif::google-cloud-platform[]
-ifeval::["{context}" == "manually-creating-iam-aws"]
-:!aws:
-endif::[]
-ifeval::["{context}" == "manually-creating-iam-azure"]
-:!azure:
-endif::[]
-ifeval::["{context}" == "manually-creating-iam-gcp"]
-:!google-cloud-platform:
+ifdef::passthrough[]
+
+.{rh-openstack-first} secret format
+
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: kube-system
+ name: openstack-credentials
+data:
+ clouds.yaml:
+ clouds.conf:
+----
+
+.{rh-virtualization-first} secret format
+
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: kube-system
+ name: ovirt-credentials
+data:
+ ovirt_url:
+ ovirt_username:
+ ovirt_password:
+ ovirt_insecure:
+ ovirt_ca_bundle:
+----
+
+.VMware vSphere secret format
+
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: kube-system
+ name: vsphere-creds
+data:
+ vsphere.openshift.example.com.username:
+ vsphere.openshift.example.com.password:
+----
+
+endif::passthrough[]
+
+ifeval::["{context}" == "cco-mode-mint"]
+:!mint:
 endif::[]
+ifeval::["{context}" == "cco-mode-passthrough"]
+:!passthrough:
+endif::[]
\ No newline at end of file
diff --git a/modules/manually-rotating-cloud-creds.adoc b/modules/manually-rotating-cloud-creds.adoc
index 8b8def31a3..f525261078 100644
--- a/modules/manually-rotating-cloud-creds.adoc
+++ b/modules/manually-rotating-cloud-creds.adoc
@@ -2,6 +2,14 @@
 //
 // * post_installation_configuration/cluster-tasks.adoc
 // * authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc
+// * authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc
+
+ifeval::["{context}" == "cco-mode-mint"]
+:mint:
+endif::[]
+ifeval::["{context}" == "cco-mode-passthrough"]
+:passthrough:
+endif::[]
 :_content-type: PROCEDURE
 [id="manually-rotating-cloud-creds_{context}"]
@@ -22,9 +30,13 @@ You can also use the command line interface to complete all parts of this proced
 * Your cluster is installed on a platform that supports rotating cloud credentials manually with the CCO mode that you are using:
-** For mint mode, AWS and GCP are supported.
+ifndef::passthrough[]
+** For mint mode, Amazon Web Services (AWS) and Google Cloud Platform (GCP) are supported.
+endif::passthrough[]
-** For passthrough mode, AWS, Azure, GCP, {rh-openstack-first}, {rh-virtualization-first}, and VMware vSphere are supported.
+ifndef::mint[]
+** For passthrough mode, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), {rh-openstack-first}, {rh-virtualization-first}, and VMware vSphere are supported.
+endif::mint[]
 * You have changed the credentials that are used to interface with your cloud provider.
@@ -44,12 +56,24 @@ You can also use the command line interface to complete all parts of this proced
 |AWS
 |`aws-creds`
+ifndef::mint[]
 |Azure
 |`azure-credentials`
+endif::mint[]
 |GCP
 |`gcp-credentials`
+ifndef::mint[]
+|{rh-openstack}
+|`openstack-credentials`
+
+|{rh-virtualization}
+|`ovirt-credentials`
+
+|vSphere
+|`vsphere-creds`
+endif::mint[]
 |===
 . Click the *Options* menu {kebab} in the same row as the secret and select *Edit Secret*.
@@ -66,10 +90,24 @@ You can also use the command line interface to complete all parts of this proced
 +
 [source,terminal]
 ----
-$ oc -n openshift-cloud-credential-operator get CredentialsRequest -o json | jq -r '.items[] | select (.spec.providerSpec.kind=="") | .spec.secretRef'
+$ oc -n openshift-cloud-credential-operator get CredentialsRequest \
+ -o json | jq -r '.items[] | select (.spec.providerSpec.kind=="") | .spec.secretRef'
 ----
 +
-Where `` is the corresponding value for your cloud provider: `AWSProviderSpec` for AWS, `AzureProviderSpec` for Azure, or `GCPProviderSpec` for GCP.
+where `` is the corresponding value for your cloud provider:
++
+--
+* AWS: `AWSProviderSpec`
+ifndef::mint[]
+* Azure: `AzureProviderSpec`
+endif::mint[]
+* GCP: `GCPProviderSpec`
+ifndef::mint[]
+* {rh-openstack}: `OpenStackProviderSpec`
+* {rh-virtualization}: `OvirtProviderSpec`
+* vSphere: `VSphereProviderSpec`
+endif::mint[]
+--
 +
 .Partial example output for AWS
 +
@@ -89,10 +127,12 @@ Where `` is the corresponding value for your cloud provider: `AWS
 +
 [source,terminal]
 ----
-$ oc delete secret -n
+$ oc delete secret \ <1>
+ -n <2>
 ----
 +
-Where `` is the name of a secret and `` is the namespace that contains the secret.
+<1> Specify the name of a secret.
+<2> Specify the namespace that contains the secret.
 +
 .Example deletion of an AWS secret
 +
@@ -160,3 +200,10 @@ Where `` is the name of an IAM user on the cloud provider.
 .. For each IAM username, view the details for the user on the cloud provider. The credentials should show that they were created after being rotated on the cluster.
 ////
+
+ifeval::["{context}" == "cco-mode-mint"]
+:!mint:
+endif::[]
+ifeval::["{context}" == "cco-mode-passthrough"]
+:!passthrough:
+endif::[]
\ No newline at end of file
diff --git a/post_installation_configuration/cluster-tasks.adoc b/post_installation_configuration/cluster-tasks.adoc
index 3deb9691ab..e7fc9fb5de 100644
--- a/post_installation_configuration/cluster-tasks.adoc
+++ b/post_installation_configuration/cluster-tasks.adoc
@@ -625,6 +625,11 @@ include::modules/manually-rotating-cloud-creds.adoc[leveloffset=+2]
 include::modules/manually-removing-cloud-creds.adoc[leveloffset=+2]
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator[About the Cloud Credential Operator]
+
 [id="post-install-must-gather-disconnected"]
 == Configuring image streams for a disconnected cluster
@@ -636,12 +641,3 @@ include::modules/installation-restricted-network-samples.adoc[leveloffset=+2]
 include::modules/installation-preparing-restricted-cluster-to-gather-support-data.adoc[leveloffset=+2]
-[role="_additional-resources"]
-[discrete]
-[id="manually-rotating-cloud-creds-addtl-resources"]
-== Additional resources
-
-* xref:../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator[About the Cloud Credential Operator]
-* xref:../installing/installing_aws/manually-creating-iam.adoc#admin-credentials-root-secret-formats_manually-creating-iam-aws[Amazon Web Services (AWS) secret format]
-* xref:../installing/installing_azure/manually-creating-iam-azure.adoc#admin-credentials-root-secret-formats_manually-creating-iam-azure[Microsoft Azure secret format]
-* xref:../installing/installing_gcp/manually-creating-iam-gcp.adoc#admin-credentials-root-secret-formats_manually-creating-iam-gcp[Google Cloud Platform (GCP) secret format]