This document shows how to configure prepared credentials for an admin cluster in Google Distributed Cloud.
With prepared credentials, you store the credentials for your admin cluster in a Secret in the admin cluster itself. This improves your security posture: because the cluster reads credentials from the Secret, you don't have to keep passwords and service account keys on your admin workstation.
Overview of the procedure
1. Fill in a Secrets configuration file.
2. In your admin cluster configuration file, set preparedSecrets.enabled to true.
3. Run gkectl prepare.
4. Create the admin cluster.
Fill in your secrets configuration file
Generate a template for a Secrets configuration file:
gkectl create-config secrets
The preceding command generates a file named secrets.yaml. You can change the name and location of this file if you like.
Familiarize yourself with the configuration file by reading the Secrets configuration file document. You might want to keep this document open in a separate tab or window.
Here's an example of a Secrets configuration file. The one Secret group has values for vCenter credentials and four service account keys:
apiVersion: v1
kind: ClusterSecrets
secretGroups:
- secrets:
    vCenter:
      username: "my-vcenter-account"
      password: "U$icUKEW#INE"
    componentAccessServiceAccount:
      serviceAccountKeyPath: "my-key-folder/component-access-key.json"
    registerServiceAccount:
      serviceAccountKeyPath: "my-key-folder/connect-register-key.json"
    stackdriverServiceAccount:
      serviceAccountKeyPath: "my-key-folder/log-mon-key.json"
    cloudAuditLoggingServiceAccount:
      serviceAccountKeyPath: "my-key-folder/audit-log-key.json"
Admin cluster configuration file
Create an admin cluster configuration file as described in Create an admin cluster.
In your admin cluster configuration file, set preparedSecrets.enabled to true:
preparedSecrets:
  enabled: true
In your admin cluster configuration file, do not specify values for the following fields. These fields are not needed, because Google Distributed Cloud will get credentials and keys from your prepared Secrets.
vCenter.credentials.fileRef.path
componentAccessServiceAccountKeyPath
loadBalancer.f5BigIP.credentials.fileRef.path
gkeConnect.registerServiceAccountKeyPath
stackdriver.serviceAccountKeyPath
cloudAuditLogging.serviceAccountKeyPath
privateRegistry.credentials.fileRef.path
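Before running gkectl prepare, it is worth checking both files for the mistakes that are easy to make here: a Secrets file or key file that other users on the admin workstation can read (the Secrets file holds the vCenter password in clear text), a serviceAccountKeyPath that points at a missing file or at something that is not a service account key, and an admin cluster configuration that enables prepared credentials but still carries key paths inline. The script below is an added example, not part of this page or of Google Distributed Cloud; the function names and the sample inputs are its own, and resolving a relative serviceAccountKeyPath against the directory of the Secrets file is the script's assumption, not a documented gkectl rule.

```shell
#!/bin/sh
# Pre-flight check to run before `gkectl prepare` for an admin cluster that uses
# prepared credentials. Added example, not part of Google Distributed Cloud.
# Relative serviceAccountKeyPath values are resolved against the directory of
# the Secrets file; that is this script's own assumption, not a gkectl rule.
#
# Checks:
#   1. the Secrets configuration file is readable by its owner only;
#   2. every serviceAccountKeyPath in it names an existing, owner-only file that
#      looks like a service account JSON key;
#   3. the admin cluster configuration file sets preparedSecrets.enabled: true
#      and does not also carry inline key paths or credentials fileRef paths.
set -eu

# Permission string such as "rw-------" (works with GNU and BSD ls).
perm_string() { ls -ld "$1" | cut -c2-10; }

# Succeeds when the file grants no permission bits to group or other.
owner_only() { case "$(perm_string "$1")" in ???------) return 0 ;; *) return 1 ;; esac; }

# Print the value of every serviceAccountKeyPath line in a Secrets configuration file.
list_key_paths() {
  sed -n -E 's/^[[:space:]]*serviceAccountKeyPath:[[:space:]]*"?([^"]*)"?[[:space:]]*$/\1/p' "$1"
}

# Succeeds when KEY is a regular, owner-only file containing a service account key.
check_key_file() {
  key="$1"
  [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
  owner_only "$key" || { echo "key readable by group/other ($(perm_string "$key")): $key" >&2; return 1; }
  grep -q '"type": *"service_account"' "$key" && grep -q '"private_key"' "$key" ||
    { echo "not a service account key: $key" >&2; return 1; }
}

# Check the Secrets file and every key it references; returns the number of problems found.
check_secrets_config() {
  file="$1"; dir=$(dirname "$file"); problems=0
  owner_only "$file" || { echo "secrets file readable by group/other: $file" >&2; problems=$((problems + 1)); }
  old_ifs=$IFS; IFS='
'
  for p in $(list_key_paths "$file"); do
    [ -n "$p" ] || continue                      # template placeholder left empty
    case "$p" in /*) ;; *) p="$dir/$p" ;; esac   # relative to the Secrets file (assumption)
    check_key_file "$p" || problems=$((problems + 1))
  done
  IFS=$old_ifs
  return "$problems"
}

# Check the admin cluster configuration file; returns the number of problems found.
check_admin_config() {
  awk '
    BEGIN { bad = 0; enabled = 0 }
    $1 == "preparedSecrets:"      { in_ps = 1; next }
    in_ps && $1 == "enabled:"     { enabled = ($2 == "true"); in_ps = 0 }
    $1 == "fileRef:"              { in_ref = 1; next }
    in_ref && $1 == "path:"       { if ($2 != "" && $2 != "\"\"") { bad++; print "inline credentials path: " $0 }
                                    in_ref = 0 }
    $1 ~ /[Ss]erviceAccountKeyPath:$/ && $2 != "" && $2 != "\"\"" { bad++; print "inline key path: " $0 }
    END { if (!enabled) { bad++; print "preparedSecrets.enabled is not true" }
          exit bad }
  ' "$1" >&2
}

# Usage: preflight.sh SECRETS_CONFIG ADMIN_CLUSTER_CONFIG
if [ $# -eq 2 ]; then
  check_secrets_config "$1"
  check_admin_config "$2"
  echo "prepared credentials pre-flight: OK"
fi
```

The script only reads the files; gkectl prepare and gkectl create admin still need the key files present on the workstation, and they run their own validation. A non-zero exit means at least one problem was printed to stderr, so the check can sit in front of gkectl prepare in a wrapper or CI job.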
Initialize the environment
Import OS images to vSphere, and push container images to a private registry if one has been specified:
gkectl prepare --config ADMIN_CLUSTER_CONFIG --secret-config SECRETS_CONFIG
Replace the following:
ADMIN_CLUSTER_CONFIG: the path of your admin cluster configuration file
SECRETS_CONFIG: the path of your Secrets configuration file
Create the admin cluster
Create the admin cluster:
gkectl create admin --config ADMIN_CLUSTER_CONFIG --secret-config SECRETS_CONFIG
Replace the following:
ADMIN_CLUSTER_CONFIG: the path of your admin cluster configuration file
SECRETS_CONFIG: the path of your Secrets configuration file
Rotate credentials
To rotate credentials, you need a Secrets configuration file. There are two approaches you can take:
- Run gkectl create-config secrets to generate a new Secrets configuration file, and fill in the file with new service account keys.
- Generate a Secrets configuration file from the admin cluster, and then replace selected service account keys with new ones.
To generate a Secrets configuration file from the admin cluster:
gkectl get-config admin --export-secrets-config \
    --bundle-path BUNDLE \
    --kubeconfig ADMIN_CLUSTER_KUBECONFIG
Replace the following:
BUNDLE: the path of the Google Distributed Cloud bundle file
ADMIN_CLUSTER_KUBECONFIG: the path of the admin cluster kubeconfig file
Rotate the credentials:
gkectl update credentials CREDENTIAL_TYPE \
    --config ADMIN_CLUSTER_CONFIG \
    --kubeconfig ADMIN_CLUSTER_KUBECONFIG \
    --secret-config SECRETS_CONFIG \
    --admin-cluster
Replace the following:
CREDENTIAL_TYPE: One of the following: vsphere, f5bigip, privateregistry, componentaccess, register, stackdriver, cloudauditlogging.
ADMIN_CLUSTER_CONFIG: the path of the admin cluster configuration file
ADMIN_CLUSTER_KUBECONFIG: the path of the admin cluster kubeconfig file
SECRETS_CONFIG: the path of the Secrets configuration file
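The second approach above, replacing selected keys in an exported Secrets configuration file, is where a rotation can silently do nothing: if the "new" key file is a copy of the old one, gkectl update credentials is handed the same key again. The helpers below are an added example, not part of this page or of Google Distributed Cloud. They assume the exported file uses the same layout as the Secrets configuration file shown earlier on this page, take the account name as it appears in that file (for example stackdriverServiceAccount), and compare the private_key_id fields of the old and new JSON key files before rewriting the path; the function names and sample inputs are the example's own.

```shell
#!/bin/sh
# Helpers for swapping one service account key in a Secrets configuration file
# before running `gkectl update credentials`. Added example, not part of
# Google Distributed Cloud. Assumes the layout of the Secrets configuration
# file shown on this page; relative key paths are taken relative to the
# directory of the Secrets file (this script's assumption).
set -eu

# Print the private_key_id of a service account JSON key file.
key_id() { sed -n -E 's/.*"private_key_id": *"([^"]*)".*/\1/p' "$1"; }

# Print the serviceAccountKeyPath configured for ACCOUNT in FILE (unquoted).
# Usage: current_key_path FILE ACCOUNT
current_key_path() {
  awk -v acct="$2:" '
    $1 == acct { in_acct = 1; next }
    in_acct && $1 == "serviceAccountKeyPath:" { gsub(/"/, "", $2); print $2; exit }
  ' "$1"
}

# Print FILE with ACCOUNT's serviceAccountKeyPath replaced by NEW_KEY.
# Only the first serviceAccountKeyPath after the ACCOUNT line is touched.
# Usage: set_key_path FILE ACCOUNT NEW_KEY
set_key_path() {
  awk -v acct="$2:" -v new="$3" '
    $1 == acct { in_acct = 1; print; next }
    in_acct && $1 == "serviceAccountKeyPath:" {
      sub(/serviceAccountKeyPath:.*/, "serviceAccountKeyPath: \"" new "\"")
      in_acct = 0
    }
    { print }
  ' "$1"
}

# Rotate ACCOUNT in FILE to NEW_KEY, in place. Refuses when NEW_KEY carries the
# same private_key_id as the key currently configured, because running
# `gkectl update credentials` with it would not change anything.
# Usage: rotate_key FILE ACCOUNT NEW_KEY
rotate_key() {
  file="$1"; acct="$2"; new="$3"; dir=$(dirname "$file")
  old=$(current_key_path "$file" "$acct")
  [ -n "$old" ] || { echo "$acct has no serviceAccountKeyPath in $file" >&2; return 1; }
  case "$old" in /*) ;; *) old="$dir/$old" ;; esac
  newabs="$new"; case "$newabs" in /*) ;; *) newabs="$dir/$newabs" ;; esac
  [ -f "$newabs" ] || { echo "new key not found: $newabs" >&2; return 1; }
  id_new=$(key_id "$newabs")
  [ -n "$id_new" ] || { echo "no private_key_id in $newabs" >&2; return 1; }
  if [ -f "$old" ] && [ "$(key_id "$old")" = "$id_new" ]; then
    echo "refusing to rotate $acct: $new has the same private_key_id as the current key" >&2
    return 1
  fi
  tmp="$file.tmp.$$"
  set_key_path "$file" "$acct" "$new" > "$tmp"
  chmod 600 "$tmp" && mv "$tmp" "$file"   # keep the rewritten file owner-only
  echo "$acct: $(basename "$old") -> $new (private_key_id $id_new)" >&2
}

# Usage: rotate-key.sh SECRETS_CONFIG ACCOUNT NEW_KEY
if [ $# -eq 3 ]; then
  rotate_key "$1" "$2" "$3"
fi
```

A typical sequence is to create the new key with gcloud iam service-accounts keys create NEW_KEY --iam-account=SA_EMAIL, run rotate_key on the exported Secrets file, run the gkectl update credentials command above with that file, and only then delete the old key with gcloud iam service-accounts keys delete KEY_ID --iam-account=SA_EMAIL, using the id that key_id prints for the old file. Deleting the old key before gkectl has finished would leave the cluster with a revoked credential.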
Update
To update an admin cluster that uses prepared credentials, you can in many cases follow the instructions in Updating a cluster as written.
However, if you want to enable Cloud Logging and Cloud Monitoring or Cloud Audit Logs as part of the update, follow these steps:
1. Generate a Secrets configuration file.
2. In your Secrets configuration file, provide values for stackdriverServiceAccount.serviceAccountKeyPath, cloudAuditLoggingServiceAccount.serviceAccountKeyPath, or both.
3. Update the cluster:
gkectl update admin --kubeconfig ADMIN_CLUSTER_KUBECONFIG \
    --config ADMIN_CLUSTER_CONFIG \
    --secret-config SECRETS_CONFIG
Related documents
- Secrets configuration file
- Admin cluster configuration file
- Create an admin cluster
- Create service accounts
- Prepared credentials for a user cluster