mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
103 lines
6.0 KiB
Plaintext
103 lines
6.0 KiB
Plaintext
:_mod-docs-content-type: ASSEMBLY
|
|
:context: changing-cloud-credentials-configuration
|
|
[id="changing-cloud-credentials-configuration"]
|
|
= Changing the cloud provider credentials configuration
|
|
include::_attributes/common-attributes.adoc[]
|
|
|
|
toc::[]
|
|
|
|
For supported configurations, you can change how {product-title} authenticates with your cloud provider.
|
|
|
|
To determine which cloud credentials strategy your cluster uses, see xref:../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#cco-determine-mode_about-cloud-credential-operator[Determining the Cloud Credential Operator mode].
|
|
|
|
[id="ccoctl-rotate-cloud-creds_{context}"]
|
|
== Rotating cloud provider service keys with the Cloud Credential Operator utility
|
|
|
|
Some organizations require the rotation of the service keys that authenticate the cluster.
|
|
You can use the Cloud Credential Operator (CCO) utility (`ccoctl`) to update keys for clusters installed on the following cloud providers:
|
|
|
|
* xref:../post_installation_configuration/changing-cloud-credentials-configuration.adoc#rotating-bound-service-keys_key-rotation-aws[{aws-first} with {sts-first}]
|
|
* xref:../post_installation_configuration/changing-cloud-credentials-configuration.adoc#rotating-bound-service-keys_key-rotation-gcp[{gcp-first} with {gcp-wid-short}]
|
|
* xref:../post_installation_configuration/changing-cloud-credentials-configuration.adoc#rotating-bound-service-keys_key-rotation-azure[{azure-first} with {entra-short}]
|
|
* xref:../post_installation_configuration/changing-cloud-credentials-configuration.adoc#refreshing-service-ids-ibm-cloud_changing-cloud-credentials-configuration[{ibm-cloud-title}]
|
|
|
|
:context: key-rotation-aws
|
|
//Rotating OIDC bound service account signer keys
|
|
include::modules/rotating-bound-service-keys.adoc[leveloffset=+2]
|
|
|
|
:!context: key-rotation-aws
|
|
|
|
:context: key-rotation-gcp
|
|
//Rotating OIDC bound service account signer keys
|
|
include::modules/rotating-bound-service-keys.adoc[leveloffset=+2]
|
|
|
|
:!context: key-rotation-gcp
|
|
|
|
:context: key-rotation-azure
|
|
//Rotating OIDC bound service account signer keys
|
|
include::modules/rotating-bound-service-keys.adoc[leveloffset=+2]
|
|
|
|
:!context: key-rotation-azure
|
|
:context: changing-cloud-credentials-configuration
|
|
|
|
//Rotating {ibm-cloud-title} credentials
|
|
include::modules/refreshing-service-ids-ibm-cloud.adoc[leveloffset=+2]
|
|
|
|
[id="post-install-rotate-cloud-creds_{context}"]
|
|
== Rotating cloud provider credentials
|
|
|
|
Some organizations require the rotation of the cloud provider credentials.
|
|
To allow the cluster to use the new credentials, you must update the secrets that the xref:../operators/operator-reference.adoc#cloud-credential-operator_cluster-operators-ref[Cloud Credential Operator (CCO)] uses to manage cloud provider credentials.
|
|
|
|
//Rotating cloud provider credentials manually
|
|
include::modules/manually-rotating-cloud-creds.adoc[leveloffset=+2]
|
|
|
|
[role="_additional-resources"]
|
|
.Additional resources
|
|
* xref:../authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc#cco-mode-mint[The Cloud Credential Operator in mint mode]
|
|
* xref:../authentication/managing_cloud_provider_credentials/cco-mode-passthrough.html#cco-mode-passthrough[The Cloud Credential Operator in passthrough mode]
|
|
* xref:../storage/container_storage_interface/persistent-storage-csi-vsphere.adoc#persistent-storage-csi-vsphere[vSphere CSI Driver Operator]
|
|
|
|
[id="post-install-remove-cloud-creds_{context}"]
|
|
== Removing cloud provider credentials
|
|
//TODO: split out rotate, maintain, and remove and bumpe everything up one level
|
|
|
|
After installing {product-title}, some organizations require the removal of the cloud provider credentials that were used during the initial installation.
|
|
To allow the cluster to use the new credentials, you must update the secrets that the xref:../operators/operator-reference.adoc#cloud-credential-operator_cluster-operators-ref[Cloud Credential Operator (CCO)] uses to manage cloud provider credentials.
|
|
|
|
//Removing cloud provider credentials manually
|
|
include::modules/manually-removing-cloud-creds.adoc[leveloffset=+2]
|
|
|
|
[role="_additional-resources"]
|
|
.Additional resources
|
|
* xref:../authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc#cco-mode-mint[The Cloud Credential Operator in mint mode]
|
|
|
|
[id="post-install-enable-token-auth_{context}"]
|
|
== Enabling token-based authentication
|
|
//Today, just Entra. But this should be a section that anticipates the addition of AWS STS and GCP WID.
|
|
|
|
After installing an {product-title} cluster on {azure-first} or {aws-first}, you can enable {entra-first} or {sts-first} to use short-term credentials.
|
|
|
|
//Configuring the Cloud Credential Operator utility
|
|
include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2]
|
|
|
|
//Enabling {entra-first} on an existing cluster
|
|
include::modules/enabling-entra-workload-id-existing-cluster.adoc[leveloffset=+2]
|
|
|
|
//Enabling AWS {sts-first} on an existing cluster
|
|
include::modules/enabling-aws-sts-existing-cluster.adoc[leveloffset=+2]
|
|
|
|
[role="_additional-resources"]
|
|
.Additional resources
|
|
* xref:../authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc#cco-short-term-creds-azure_cco-short-term-creds[Microsoft Entra Workload ID]
|
|
* xref:../installing/installing_azure/ipi/installing-azure-customizations.adoc#installing-azure-with-short-term-creds_installing-azure-customizations[Configuring an Azure cluster to use short-term credentials]
|
|
* xref:../authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc#cco-short-term-creds-aws_cco-short-term-creds[AWS Security Token Service]
|
|
* xref:../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-customizations[Configuring an AWS cluster to use short-term credentials]
|
|
|
|
//Verifying the credentials configuration
|
|
include::modules/cco-ccoctl-install-verifying.adoc[leveloffset=+2]
|
|
|
|
[role="_additional-resources"]
|
|
[id="additional-resources_{context}"]
|
|
== Additional resources
|
|
* xref:../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator[About the Cloud Credential Operator] |