diff --git a/modules/cco-ccoctl-configuring.adoc b/modules/cco-ccoctl-configuring.adoc index c20c5955b6..fb4579eafe 100644 --- a/modules/cco-ccoctl-configuring.adoc +++ b/modules/cco-ccoctl-configuring.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -//Postinstall and update content +//Postinstall and update content // * post_installation_configuration/changing-cloud-credentials-configuration.adoc // * updating/preparing_for_updates/preparing-manual-creds-update.adoc // diff --git a/modules/rotating-bound-service-keys.adoc b/modules/rotating-bound-service-keys.adoc index 6008983aa7..763782e9ee 100644 --- a/modules/rotating-bound-service-keys.adoc +++ b/modules/rotating-bound-service-keys.adoc 
@@ -18,18 +18,18 @@ ifdef::rotate-aws[= Rotating {aws-short} OIDC bound service account signer keys] ifdef::rotate-gcp[= Rotating {gcp-short} OIDC bound service account signer keys] ifdef::rotate-azure[= Rotating {azure-short} OIDC bound service account signer keys] -If the Cloud Credential Operator (CCO) for your {product-title} cluster +If the Cloud Credential Operator (CCO) for your {product-title} cluster ifdef::rotate-aws[on {aws-first}] ifdef::rotate-gcp[on {gcp-first}] ifdef::rotate-azure[on {azure-first}] -is configured to operate in manual mode with +is configured to operate in manual mode with ifdef::rotate-aws[{sts-short},] ifdef::rotate-gcp[{gcp-wid-short},] ifdef::rotate-azure[{entra-first},] you can rotate the bound service account signer key. To rotate the key, you delete the existing key on your cluster, which causes the Kubernetes API server to create a new key. -To reduce authentication failures during this process, you must immediately add the new public key to the existing issuer file. +To reduce authentication failures during this process, you must immediately add the new public key to the existing issuer file. After the cluster is using the new key for authentication, you can remove any remaining keys. //Modified version of the disclaimer from enabling Azure WID on an existing cluster, since there are similar concerns: @@ -52,8 +52,10 @@ To mitigate this impact, you can temporarily halt these services and then redepl .Prerequisites * You have access to the {oc-first} as a user with the `cluster-admin` role. + //Permissions requirements (per platform, for install and key rotation) include::snippets/ccoctl-provider-permissions-requirements.adoc[] + * You have configured the `ccoctl` utility. * Your cluster is in a stable state. You can confirm that the cluster is stable by running the following command: 
@@ -312,7 +314,7 @@ $ az storage blob upload \ ---- endif::rotate-azure[] -. Wait for the Kubernetes API server to update and use the new key. +. Wait for the Kubernetes API server to update and use the new key. You can monitor the update progress by running the following command: + [source,terminal]
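Review bot: the three changed lines in the `rotating-bound-service-keys.adoc` hunk at `@@ -18,18 +18,18 @@` differ only in trailing whitespace (the same holds for the single changed line in the `cco-ccoctl-configuring.adoc` hunk and in the `@@ -312,7 +314,7 @@` hunk), so the rendered text of the sentences about the CCO manual mode and about adding the new public key to the existing issuer file is unchanged. Trailing spaces on their own carry no meaning in AsciiDoc source, so the cleanup is safe to merge; it would help to label the change as a whitespace-only cleanup in the description so reviewers do not look for a wording change in those lines.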
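Review bot: in the `@@ -52,8 +52,10 @@` hunk, the two added blank lines leave the `//Permissions requirements (per platform, for install and key rotation)` line comment and the `include::snippets/ccoctl-provider-permissions-requirements.adoc[]` directive standing on their own between two `*` items of the Prerequisites list. Asciidoctor tolerates blank lines between list items, but a line comment in that position is also one way adjacent lists get split, so please check the rendered page for each of the `rotate-aws`, `rotate-gcp` and `rotate-azure` variants to confirm that the included permission requirements still appear as items of the same list as `You have access to the {oc-first} as a user with the `cluster-admin` role.` and `You have configured the `ccoctl` utility.`, rather than as a separate list. If the blank lines were added to keep the include from being parsed as a continuation of the preceding bullet, a few words to that effect in the comment line would make the intent clear to the next editor.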