openshift-docs/modules/admin-credentials-root-secret-formats.adoc

// Module included in the following assemblies:
//
// * authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc
// * authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc

ifeval::["{context}" == "cco-mode-mint"]
:mint:
endif::[]
ifeval::["{context}" == "cco-mode-passthrough"]
:passthrough:
endif::[]

:_content-type: REFERENCE
[id="admin-credentials-root-secret-formats_{context}"]
= Admin credentials root secret format

Each cloud provider uses a credentials root secret in the `kube-system`
namespace by convention, which is then used to satisfy all credentials requests
and create their respective secrets.
This is done either by minting new credentials with _mint mode_, or by copying the credentials root secret with _passthrough mode_.

The format for the secret varies by cloud, and is also used for each
`CredentialsRequest` secret.

.Amazon Web Services (AWS) secret format

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  namespace: kube-system
  name: aws-creds
stringData:
  aws_access_key_id: <base64-encoded_access_key_id>
  aws_secret_access_key: <base64-encoded_secret_access_key>
----

ifdef::passthrough[]

.Microsoft Azure secret format

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  namespace: kube-system
  name: azure-credentials
stringData:
  azure_subscription_id: <base64-encoded_subscription_id>
  azure_client_id: <base64-encoded_client_id>
  azure_client_secret: <base64-encoded_client_secret>
  azure_tenant_id: <base64-encoded_tenant_id>
  azure_resource_prefix: <base64-encoded_resource_prefix>
  azure_resourcegroup: <base64-encoded_resource_group>
  azure_region: <base64-encoded_region>
----

On Microsoft Azure, the credentials secret format includes two properties that must contain the cluster's infrastructure ID, generated randomly for each cluster installation. This value can be found after running create manifests:

[source,terminal]
----
$ cat .openshift_install_state.json | jq '."*installconfig.ClusterID".InfraID' -r
----

.Example output
[source,terminal]
----
mycluster-2mpcn
----

This value would be used in the secret data as follows:

[source,yaml]
----
azure_resource_prefix: mycluster-2mpcn
azure_resourcegroup: mycluster-2mpcn-rg
----
endif::passthrough[]

.Google Cloud Platform (GCP) secret format

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  namespace: kube-system
  name: gcp-credentials
stringData:
  service_account.json: <base64-encoded_service_account>
----

ifdef::passthrough[]

.{rh-openstack-first} secret format

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  namespace: kube-system
  name: openstack-credentials
data:
  clouds.yaml: <base64-encoded_cloud_creds>
  clouds.conf: <base64-encoded_cloud_creds_init>
----

.{rh-virtualization-first} secret format

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  namespace: kube-system
  name: ovirt-credentials
data:
  ovirt_url: <base64-encoded_url>
  ovirt_username: <base64-encoded_username>
  ovirt_password: <base64-encoded_password>
  ovirt_insecure: <base64-encoded_insecure>
  ovirt_ca_bundle: <base64-encoded_ca_bundle>
----

.VMware vSphere secret format

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  namespace: kube-system
  name: vsphere-creds
data:
 vsphere.openshift.example.com.username: <base64-encoded_username>
 vsphere.openshift.example.com.password: <base64-encoded_password>
----

endif::passthrough[]

ifeval::["{context}" == "cco-mode-mint"]
:!mint:
endif::[]
ifeval::["{context}" == "cco-mode-passthrough"]
:!passthrough:
endif::[]