This page describes how to update the version of the Connect Agent, or rotate the Connect Agent Service Account key.
Connect Agent updates
Periodically, the Connect Agent is automatically updated in a non-disruptive manner.
However, you can also manually update the Connect Agent to the latest version by registering the cluster again (see Registering a cluster). gcloud fetches the latest available Connect Agent and re-installs it in the cluster.
Rotate the Connect Agent Service Account key
It is a good idea to regularly rotate long-lived credentials like Service Account keys. To rotate the Service Account key that Connect Agent uses, perform the following steps:
1. Get ready:

PROJECT=[PROJECT_ID]
NAMESPACE=$(kubectl get ns -o jsonpath='{.items..metadata.name}' -l hub.gke.io/project)
SERVICE_ACCOUNT=$(kubectl get secrets -n $NAMESPACE creds-gcp \
  -o jsonpath='{.data.creds-gcp\.json}' | base64 -d | grep client_email \
  | awk '{print $2}' | tr -d '",')
OLD_KEY_ID=$(kubectl get secrets -n $NAMESPACE creds-gcp \
  -o jsonpath='{.data.creds-gcp\.json}' | base64 -d | grep private_key_id \
  | awk '{print $2}' | tr -d '",')

where [PROJECT_ID] is your project's unique project ID. You can find this in the Google Cloud console, or by running

gcloud config get-value project

2. Create a new key:
gcloud iam service-accounts keys create --iam-account=$SERVICE_ACCOUNT creds-gcp.json
3. Overwrite the existing key on the agent:

This causes the agent to restart with the new secret and re-establish the tunnel with the new credentials.

kubectl create secret -n $NAMESPACE generic creds-gcp \
  --from-file=./creds-gcp.json --dry-run=client -o yaml | kubectl replace -f -
4. Check the logs of the agent's pod to confirm that it has reconnected:
kubectl logs -n $NAMESPACE -l app=gke-connect-agent
5. Delete the old key:
gcloud iam service-accounts keys delete --iam-account=$SERVICE_ACCOUNT $OLD_KEY_ID
6. Delete the local copy of the new key:

We suggest that you do not retain the key. If you lose the key and need to re-install the agent, rotate the key again instead.
shred creds-gcp.json
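The six steps above, combined into one script as an added example (this is not code from the original page or from Google). It keeps the page's grep/awk/tr extraction and its secret name (creds-gcp) and pod label (app=gke-connect-agent), and adds the two checks a rotation should have before the old key is destroyed: the new key ID must differ from the old one, and the agent pod must be back to Running. It assumes kubectl and gcloud are installed and authenticated; the helper names (json_field, keys_differ, wait_for_agent, rotate_connect_agent_key) and the --run flag are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: rotate the Connect Agent
# Service Account key and refuse to delete the old key until the new one
# is confirmed in use. Assumes kubectl and gcloud are installed and
# authenticated. Function names and the --run flag are this script's own.
set -eu

# Extract a top-level string field from a service-account key JSON on stdin,
# using the same grep/awk/tr chain the page uses (no jq dependency).
json_field() {
  grep -m1 "\"$1\"" | awk '{print $2}' | tr -d '",'
}

# Succeed only when both key IDs are non-empty and different, so the script
# never deletes the key the agent is actually using.
keys_differ() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Poll until the agent pod reports phase Running, giving up after $2 attempts
# (5 seconds apart). Returns non-zero if it never comes back.
wait_for_agent() {
  ns=$1; tries=${2:-30}
  while [ "$tries" -gt 0 ]; do
    phase=$(kubectl get pods -n "$ns" -l app=gke-connect-agent \
              -o jsonpath='{.items[0].status.phase}' 2>/dev/null || true)
    [ "$phase" = "Running" ] && return 0
    tries=$((tries - 1)); sleep 5
  done
  return 1
}

rotate_connect_agent_key() {
  # Step 1: discover namespace, service account and the current key ID.
  ns=$(kubectl get ns -o jsonpath='{.items..metadata.name}' -l hub.gke.io/project)
  current=$(kubectl get secrets -n "$ns" creds-gcp \
              -o jsonpath='{.data.creds-gcp\.json}' | base64 -d)
  sa=$(printf '%s\n' "$current" | json_field client_email)
  old_id=$(printf '%s\n' "$current" | json_field private_key_id)

  # Step 2: create the new key in a private temp dir, then sanity-check it.
  tmp=$(mktemp -d)
  gcloud iam service-accounts keys create --iam-account="$sa" "$tmp/creds-gcp.json"
  new_id=$(json_field private_key_id < "$tmp/creds-gcp.json")
  if ! keys_differ "$old_id" "$new_id"; then
    echo "new key ID ($new_id) does not differ from old ($old_id); aborting" >&2
    shred -u "$tmp/creds-gcp.json"; rmdir "$tmp"
    return 1
  fi

  # Step 3: replace the secret; the agent restarts with the new credentials.
  kubectl create secret -n "$ns" generic creds-gcp \
    --from-file="$tmp/creds-gcp.json" --dry-run=client -o yaml | kubectl replace -f -

  # Step 6 (done early): the local copy is not needed once the secret holds it.
  shred -u "$tmp/creds-gcp.json"; rmdir "$tmp"

  # Steps 4 and 5: only delete the old key after the agent is back up.
  if wait_for_agent "$ns"; then
    kubectl logs -n "$ns" -l app=gke-connect-agent --tail=20
    gcloud iam service-accounts keys delete --iam-account="$sa" "$old_id" --quiet
    echo "rotated: old key $old_id deleted, new key $new_id in use"
  else
    echo "agent did not return to Running; old key $old_id kept for rollback" >&2
    return 1
  fi
}

# Only perform the rotation when invoked as: sh rotate.sh --run
if [ "${1:-}" = "--run" ]; then
  rotate_connect_agent_key
fi
```

Keeping the old key until the pod is Running again is the design choice that matters here: if the new secret is malformed or the agent fails to start, the old key still works and the secret can be restored by re-running the script, whereas deleting the old key first would leave the cluster with no valid credential at all.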