Updating cluster credentials

This page shows how to update the vCenter and F5 BIG-IP credentials for an Google Distributed Cloud cluster.

Starting in Google Distributed Cloud version 1.3.1, you can update the vCenter credentials by using the gkectl update credentials vsphere command.

Starting in Google Distributed Cloud version 1.4.1, you can update the F5 BIG-IP credentials by using the gkectl update credentials f5bigip command.

Updating vSphere credentials

The vCenter credentials that you want to add to a cluster must already exist. Learn about vCenter roles and user privileges.

Each admin and user cluster is initially configured to use the vCenter username and password that you used to create those clusters. If you need to update your vCenter credentials or transfer administrative ownership to another vSphere user account, you can update the cluster's configuration file and then use the gkectl update credentials vsphere command to deploy those changes.

Example vCenter username and password configuration:

...
vcenter:
  credentials:
    ...
    username: "vCenter-username@vsphere.local"
    password: "vCenter-user-password"
...

Use the following steps to update the vCenter credentials on your clusters:

  1. Obtain the username and password of the existing vCenter credentials to which you want to configure your admin or user clusters.

  2. SSH into your admin workstation by running the following command:

    ssh -i ~/.ssh/vsphere_workstation ubuntu@[IP_ADDRESS]
    

    where [IP_ADDRESS] is the IP address of your admin workstation.

  3. Open your configuration file in an editor.

    Consider creating a copy that you can modify and use for this purpose only. For example: vcenter-creds-config.yaml

  4. Modify your configuration file:

    1. Depending on whether you are updating either your admin cluster or user cluster, you must modify your configuration file by removing one of the following sections:

      • To update the user cluster, remove the admincluster section.

        Leave the usercluster section in your configuration but remove all of the contents of the admincluster section. For example:

        admincluster:
          vcenter:
            network: ""
          bigip:
            ...
          podiprange: ""

      • To update the admin cluster, remove the usercluster section.

        Leave the admincluster section in your configuration but remove all of the contents of the usercluster section. For example:

        usercluster:
          vcenter:
            network: ""
          bigip:
            ...
          clustername: ""
          masternode:
            ...
          podiprange: ""

    2. Update the username and password attributes under vCenter.credentials to include the vCenter credentials that you want to set for the cluster. For example:

      gcp:
        whitelistedServiceAccountKeyPath: "my-key-folder/whitelisted-key.json"
      vCenter:
        credentials:
          address: "203.0.113.1"
          username: "vCenter-user-account@vsphere.local"
          password: "user-account-password"
        datacenter: "MY-DATACENTER"
        datastore: "MY-DATASTORE"
        cluster: "MY-CLUSTER"
        ...
  5. Run the gkectl update credentials vsphere command to deploy the changes to your cluster:

    gkectl update credentials vsphere \
    --config [VCENTER_CREDS_CONFIG.YAML] \
    --kubeconfig [CLUSTER_KUBECONFIG] \
    --admin-cluster

    where:

    • [VCENTER_CREDS_CONFIG.YAML]: Specifies the configuration file that includes the vCenter credentials that you want to deploy to your cluster. Example: vcenter-creds-config.yaml
    • [CLUSTER_KUBECONFIG]: Specifies the kubeconfig file of the admin cluster that you want to update. Example: kubeconfig

      For the admin cluster, you must also include the --admin-cluster flag.

    • --admin-cluster: Required flag if you are deploying changes to the admin cluster. Exclude this flag when deploying changes to the user cluster.

    Result: The changed vCenter credentials are immediately validated against the server and a confirmation is output to the terminal: "vsphere credentials updated successfully". If the new credentials fail to log in to the vCenter server, you can edit the username and password in the configuration file and redeploy your changes.

    Examples:

    • User cluster example: To deploy changes to the vCenter credentials on a user cluster, you run:

      gkectl update credentials vsphere \
      --config vcenter-creds-user-config.yaml --kubeconfig admin-cluster-kubeconfig

      Result:

      validating new credentials against vcenter
      restarted "deployment/clusterapi-controllers" in namespace "testcluster"
      restarted "deployment/kube-controller-manager" in namespace "testcluster"
      restarted "statefulsets/kube-apiserver" in namespace "testcluster"
      vsphere credentials updated successfully.
    • Admin cluster example: To deploy changes to the vCenter credentials on an admin cluster, you run:

      gkectl update credentials vsphere \
      --config vcenter-creds-admin-config.yaml --kubeconfig admin-cluster-kubeconfig \
      --admin-cluster

      Result:

      validating new credentials against vcenter
      restarted "deployment/clusterapi-controllers" in namespace "kube-system"
      vsphere credentials updated successfully.

Updating F5 BIG-IP credentials for a user cluster

Update the F5 BIG-IP credentials in the F5 web interface.

SSH into an admin workstation, version 1.4.1 or later.

On your admin workstation, use the following steps to update the F5 BIG-IP credentials for a user cluster.

  1. Make a copy of your user cluster configuration file. Name the copy user-f5-creds.yaml. For example:

    cp user-cluster.yaml user-f5-creds.yaml
    
  2. In user-f5-creds.yaml, update the F5 credentials. For example:

    apiVersion: v1
    kind: UserCluster
    ...
     f5BigIP:
       ...
       credentials:
         username: "new-user"
         password: "new-password"
    
  3. Update the F5 BIG-IP credentials for your user cluster::

    gkectl update credentials f5bigip --config user-f5-config.yaml \
       --kubeconfig ADMIN_CLUSTER_KUBECONFIG
    

Updating F5 BIG-IP credentials for the admin cluster

Update the F5 BIG-IP credentials in the F5 web interface.

SSH into an admin workstation, version 1.4.1 or later.

On your admin workstation, use the following steps to update the F5 BIG-IP credentials for the admin cluster.

  1. Make a copy of your admin cluster configuration file. Name the copy admin-f5-creds.yaml. For example:

    cp admin-cluster.yaml admin-f5-creds.yaml
    
  2. In admin-f5-creds.yaml, update the F5 credentials. For example:

    apiVersion: v1
    kind: AdminCluster
    ...
     f5BigIP:
       ...
       credentials:
         username: "new-user"
         password: "new-password"
    
  3. Update the F5 BIG-IP credentials for your admin cluster::

    gkectl update credentials f5bigip --config admin-f5-config.yaml \
       --kubeconfig ADMIN_CLUSTER_KUBECONFIG --admin-cluster
    

Update other credentials

To update credentials for the cloudauditlogging, usagemetering, or stackdriver components, see Rotate service account keys. For the Connect Agent Service Account key, see Rotate the Connect Agent Service Account key.