Configure prepared credentials for an admin cluster

This document shows how to configure prepared credentials for an admin cluster in Google Distributed Cloud.

With prepared credentials, you store the credentials for your admin cluster in a Kubernetes Secret in the admin cluster itself. This improves security because passwords and service account keys no longer have to stay on your admin workstation.

Overview of the procedure

  1. Fill in a Secrets configuration file.

  2. In your admin cluster configuration file, set preparedSecrets.enabled to true.

  3. Run gkectl prepare.

  4. Create the admin cluster.

Fill in your secrets configuration file

Generate a template for a Secrets configuration file:

gkectl create-config secrets

The preceding command generates a file named secrets.yaml. You can change the name and location of this file if you like.

Familiarize yourself with the configuration file by reading the Secrets configuration file document. You might want to keep this document open in a separate tab or window.

Here's an example of a Secrets configuration file. The one Secret group has values for vCenter credentials and four service account keys:

apiVersion: v1
kind: ClusterSecrets
secretGroups:
- secrets:
    vCenter:
      username: "my-vcenter-account"
      password: "U$icUKEW#INE"
    componentAccessServiceAccount:
      serviceAccountKeyPath: "my-key-folder/component-access-key.json"
    registerServiceAccount:
      serviceAccountKeyPath: "my-key-folder/connect-register-key.json"
    stackdriverServiceAccount:
      serviceAccountKeyPath: "my-key-folder/log-mon-key.json"
    cloudAuditLoggingServiceAccount:
      serviceAccountKeyPath: "my-key-folder/audit-log-key.json"

Admin cluster configuration file

Create an admin cluster configuration file as described in Create an admin cluster.

In your admin cluster configuration file, set preparedSecrets.enabled to true:

preparedSecrets:
  enabled: true

In your admin cluster configuration file, do not specify values for the following fields. These fields are not needed, because Google Distributed Cloud will get credentials and keys from your prepared Secrets.

  • vCenter.credentials.fileRef.path
  • componentAccessServiceAccountKeyPath
  • loadBalancer.f5BigIP.credentials.fileRef.path
  • gkeConnect.registerServiceAccountKeyPath
  • stackdriver.serviceAccountKeyPath
  • cloudAuditLogging.serviceAccountKeyPath
  • privateRegistry.credentials.fileRef.path
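The pre-flight check below is an added example for this page; it is not gkectl code and not part of Google Distributed Cloud. Before you run gkectl prepare, it flattens both YAML files with a small stdlib-only parser (an assumption: it handles only the plain mappings and lists these files use), confirms that preparedSecrets.enabled is true and that none of the seven fields listed above carries a value in the admin cluster configuration file, and then checks every serviceAccountKeyPath in the Secrets configuration file: the key file exists, is a service account JSON key, and is not readable by group or others. The function names, the sample files and the scratch-directory layout are constructed for the example, and relative key paths are assumed to resolve against the directory you pass in.

```python
"""Pre-flight checks for an admin cluster that uses prepared credentials (added example, not
gkectl code). Assumes: configs use only the plain "key: value" mappings and "- item" lists this
flattener handles; relative serviceAccountKeyPath values resolve against the directory given to
check_secrets_config; key files are Google service account JSON keys. Samples are constructed."""
import json
import os
import tempfile

FIELDS_SUPPLIED_BY_PREPARED_SECRETS = (
    "vCenter.credentials.fileRef.path", "componentAccessServiceAccountKeyPath",
    "loadBalancer.f5BigIP.credentials.fileRef.path", "gkeConnect.registerServiceAccountKeyPath",
    "stackdriver.serviceAccountKeyPath", "cloudAuditLogging.serviceAccountKeyPath",
    "privateRegistry.credentials.fileRef.path")  # leave unset: the prepared Secrets supply them


def flatten_yaml(text):
    """Flatten simple YAML mappings/lists into {"a.b.0.c": "scalar"}."""
    result, stack, counts = {}, [], {}  # stack entries: (indent, key, is_list_index)
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if body.startswith("- "):  # list item; it may sit at its parent key's indent
            body = body[2:].strip()
            while stack and (stack[-1][0] > indent or (stack[-1][0] == indent and stack[-1][2])):
                stack.pop()
            parent = ".".join(k for _, k, _ in stack)
            counts[parent] = counts.get(parent, 0) + 1
            stack.append((indent, str(counts[parent] - 1), True))
            indent += 2  # "- key:" puts the key two columns in
        else:
            while stack and stack[-1][0] >= indent:
                stack.pop()
        key, _, value = body.partition(":")
        path = ".".join([k for _, k, _ in stack] + [key.strip()])
        if value.strip():
            value = value.strip()  # unquote (an inner '#', as in a password, stays literal)
            end = value.find(value[0], 1) if value[0] in ('"', "'") else -1
            result[path] = value[1:end] if end > 0 else value.split(" #")[0].strip()
        else:
            stack.append((indent, key.strip(), False))
    return result


def check_admin_config(text):
    """Problems in an admin cluster config that is meant to use prepared Secrets."""
    cfg = flatten_yaml(text)
    problems = [] if cfg.get("preparedSecrets.enabled", "").lower() == "true" else [
        "preparedSecrets.enabled must be true"]
    return problems + [f"{f} must be left empty; the prepared Secrets supply it"
                       for f in FIELDS_SUPPLIED_BY_PREPARED_SECRETS if cfg.get(f)]


def check_secrets_config(text, key_dir):
    """Validate every serviceAccountKeyPath in a Secrets config; returns a list of problems."""
    problems = []
    for path, rel in flatten_yaml(text).items():
        if not path.endswith(".serviceAccountKeyPath"):
            continue
        role, key_file = path.split(".")[-2], os.path.join(key_dir, rel)
        if not os.path.isfile(key_file):
            problems.append(f"{role}: key file {rel} not found")
            continue
        mode = os.stat(key_file).st_mode & 0o777
        if mode & 0o077:  # a service account key is a bearer credential: owner-only
            problems.append(f"{role}: {rel} is readable by group/others (mode {mode:04o})")
        with open(key_file) as fh:
            key = json.load(fh)  # raises ValueError on a file that is not JSON
        if key.get("type") != "service_account" or not key.get("private_key"):
            problems.append(f"{role}: {rel} is not a service account key")
    return problems


SAMPLE_SECRETS = """\
secretGroups:
- secrets:
    vCenter:
      username: "my-vcenter-account"
      password: "U$icUKEW#INE"
    componentAccessServiceAccount:
      serviceAccountKeyPath: "my-key-folder/component-access-key.json"
"""
SAMPLE_ADMIN = """\
preparedSecrets:
  enabled: true
vCenter:
  credentials:
    fileRef:
      path: "vcenter-creds.yaml"  # wrong: leave it empty with prepared Secrets
"""


def demo():
    """Run both checks with a fake (not real) key written to a scratch directory."""
    key_dir = tempfile.mkdtemp()
    os.makedirs(os.path.join(key_dir, "my-key-folder"))
    key_file = os.path.join(key_dir, "my-key-folder", "component-access-key.json")
    with open(key_file, "w") as fh:
        json.dump({"type": "service_account", "private_key": "FAKE", "client_email": "x@y"}, fh)
    os.chmod(key_file, 0o644)  # deliberately too permissive, so the check flags it
    return check_admin_config(SAMPLE_ADMIN), check_secrets_config(SAMPLE_SECRETS, key_dir)
```

Call demo() to see both checks run against the constructed samples: the admin check reports the vCenter credentials path that should have been left out, and the secrets check reports the key file that is readable by group and others. For real files, pass the text of your admin cluster configuration file to check_admin_config and the text of your Secrets configuration file plus the directory it lives in to check_secrets_config. A field set to an empty string, as the generated templates leave it, is not reported; only a non-empty value is.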

Initialize the environment

Import OS images to vSphere, and push container images to a private registry if one has been specified:

gkectl prepare --config ADMIN_CLUSTER_CONFIG --secret-config SECRETS_CONFIG

Replace the following:

  • ADMIN_CLUSTER_CONFIG: the path of your admin cluster configuration file

  • SECRETS_CONFIG: the path of your Secrets configuration file

Create the admin cluster

Create the admin cluster:

gkectl create admin --config ADMIN_CLUSTER_CONFIG --secret-config SECRETS_CONFIG

Replace the following:

  • ADMIN_CLUSTER_CONFIG: the path of your admin cluster configuration file

  • SECRETS_CONFIG: the path of your Secrets configuration file

Rotate credentials

To rotate credentials, you need a Secrets configuration file. There are two approaches you can take:

  • Run gkectl create-config secrets to generate a new Secrets configuration file. Fill in the file with new service account keys.

  • Generate a Secrets configuration file from the admin cluster. Then replace selected service account keys with new ones.

    To generate a Secrets configuration file from the admin cluster:

    gkectl get-config admin --export-secrets-config \
      --bundle-path BUNDLE \
      --kubeconfig ADMIN_CLUSTER_KUBECONFIG
    

    Replace the following:

    • BUNDLE: the path of the Google Distributed Cloud bundle file

    • ADMIN_CLUSTER_KUBECONFIG: the path of the admin cluster kubeconfig file

Rotate the credentials:

gkectl update credentials CREDENTIAL_TYPE \
    --config ADMIN_CLUSTER_CONFIG \
    --kubeconfig ADMIN_CLUSTER_KUBECONFIG \
    --secret-config SECRETS_CONFIG \
    --admin-cluster

Replace the following:

  • CREDENTIAL_TYPE: One of the following: vsphere, f5bigip, privateregistry, componentaccess, register, stackdriver, cloudauditlogging.

  • ADMIN_CLUSTER_CONFIG: the path of the admin cluster configuration file

  • ADMIN_CLUSTER_KUBECONFIG: the path of the admin cluster kubeconfig file

  • SECRETS_CONFIG: the path of the Secrets configuration file

Update

To update an admin cluster that uses prepared credentials, you can in many cases follow the instructions in Updating a cluster as written.

However, if you want to enable Cloud Logging and Cloud Monitoring or Cloud Audit Logs as part of the update, follow these steps:

  1. Generate a Secrets configuration file.

  2. In your Secrets configuration file, provide a value for stackdriverServiceAccount.serviceAccountKeyPath, for cloudAuditLoggingServiceAccount.serviceAccountKeyPath, or for both.

  3. Update the cluster:

    gkectl update admin --kubeconfig ADMIN_CLUSTER_KUBECONFIG \
      --config ADMIN_CLUSTER_CONFIG \
      --secret-config SECRETS_CONFIG