openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity

fix snippet render issue

Browse Source
This commit is contained in:
Jeana Routh
2025-11-06 10:16:07 -05:00
committed by openshift-cherrypick-robot
parent ce11d75e9f
commit fe2408f41d
2 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
modules/cco-ccoctl-configuring.adoc
View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
//Postinstall and update content
//Postinstall and update content
// * post_installation_configuration/changing-cloud-credentials-configuration.adoc
// * updating/preparing_for_updates/preparing-manual-creds-update.adoc
//

10
modules/rotating-bound-service-keys.adoc
View File

@@ -18,18 +18,18 @@ ifdef::rotate-aws[= Rotating {aws-short} OIDC bound service account signer keys]
ifdef::rotate-gcp[= Rotating {gcp-short} OIDC bound service account signer keys]
ifdef::rotate-azure[= Rotating {azure-short} OIDC bound service account signer keys]
If the Cloud Credential Operator (CCO) for your {product-title} cluster
If the Cloud Credential Operator (CCO) for your {product-title} cluster
ifdef::rotate-aws[on {aws-first}]
ifdef::rotate-gcp[on {gcp-first}]
ifdef::rotate-azure[on {azure-first}]
is configured to operate in manual mode with
is configured to operate in manual mode with
ifdef::rotate-aws[{sts-short},]
ifdef::rotate-gcp[{gcp-wid-short},]
ifdef::rotate-azure[{entra-first},]
you can rotate the bound service account signer key.
To rotate the key, you delete the existing key on your cluster, which causes the Kubernetes API server to create a new key.
To reduce authentication failures during this process, you must immediately add the new public key to the existing issuer file.
To reduce authentication failures during this process, you must immediately add the new public key to the existing issuer file.
After the cluster is using the new key for authentication, you can remove any remaining keys.
//Modified version of the disclaimer from enabling Azure WID on an existing cluster, since there are similar concerns:
@@ -52,8 +52,10 @@ To mitigate this impact, you can temporarily halt these services and then redepl
.Prerequisites
* You have access to the {oc-first} as a user with the `cluster-admin` role.
//Permissions requirements (per platform, for install and key rotation)
include::snippets/ccoctl-provider-permissions-requirements.adoc[]
* You have configured the `ccoctl` utility.
* Your cluster is in a stable state.
You can confirm that the cluster is stable by running the following command:
@@ -312,7 +314,7 @@ $ az storage blob upload \
----
endif::rotate-azure[]
. Wait for the Kubernetes API server to update and use the new key.
. Wait for the Kubernetes API server to update and use the new key.
You can monitor the update progress by running the following command:
+
[source,terminal]