Rotate OpenStack Credentials
The following document describes the necessary actions that must be taken LCM-wise after an OpenStack credential rotation.
Change the OpenStack credentials (how to do that is out of scope).
Trigger rotation of managed components
Immediately afterwards renew the OpenStack connection of the Kubernetes cluster. This will update the kube-system/cloud-config secret and restart the cloud-controller-manager, csi-cinder-controllerplugin and csi-cinder-nodeplugin in the kube-system namespace.
$ AFLAGS="--diff -t connect-k8s-to-openstack" bash managed-k8s/actions/apply-k8s-supplements.sh
Immediately afterwards renew the OpenStack connection of the Kubernetes cluster. This will update the kube-system/cloud-config secret and restart the cloud-controller-manager, csi-cinder-controllerplugin and csi-cinder-nodeplugin in the kube-system namespace. It will also update the kube-system/ch-k8s-lbaas-controller-config secret and restart the ch-k8s-lbaas-controller in the kube-system namespace.
$ AFLAGS="--diff -t connect-k8s-to-openstack,ch-k8s-lbaas" bash managed-k8s/actions/apply-k8s-supplements.sh
Verify that everything is able to come up after it has been restarted.
Check which Pods besides those mentioned above have mounted the kube-system/cloud-config secret:
$ kubectl get pods --all-namespaces -o json | jq --raw-output '.items[] | select(.spec | has("volumes")) | select(.spec.volumes[].secret.secretName=="cloud-config") | "\(.metadata.namespace)/\(.metadata.name)"'
Check which Pods reference the kube-system/cloud-config secret in their env:
$ kubectl get pods --all-namespaces -o json | jq --raw-output '.items[] | select(.spec.containers[].env[]?.valueFrom.secretKeyRef.name=="cloud-config") | "\(.metadata.namespace)/\(.metadata.name)\n"'
Figure out how these Pods are controlled and (rollout) restart them.
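The two Pod checks and the final step can be combined in one pass over the Pod list. The following is an added example, not part of the original page or the project's tooling. It goes beyond the two jq filters by also covering envFrom and init containers and by printing each Pod's ownerReferences. The function names and the sample Pod list are constructed for illustration.

```python
import json
import sys

SECRET = "cloud-config"  # secret name used on this page

def secret_refs(spec, name=SECRET):
    """Return the sorted ways a pod spec (incl. init containers) uses secret `name`."""
    refs = set()
    if any((v.get("secret") or {}).get("secretName") == name for v in spec.get("volumes") or []):
        refs.add("volume")
    for ctr in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        for env in ctr.get("env") or []:
            key_ref = (env.get("valueFrom") or {}).get("secretKeyRef") or {}
            if key_ref.get("name") == name:
                refs.add("env")
        for src in ctr.get("envFrom") or []:
            if (src.get("secretRef") or {}).get("name") == name:
                refs.add("envFrom")
    return sorted(refs)

def find_consumers(pod_list, name=SECRET):
    """Return (namespace/pod, reference kinds, owners) for each matching pod."""
    rows = []
    for pod in pod_list.get("items") or []:
        refs = secret_refs(pod.get("spec") or {}, name)
        if refs:
            meta = pod["metadata"]
            owners = [f'{o["kind"]}/{o["name"]}' for o in meta.get("ownerReferences") or []]
            rows.append((f'{meta["namespace"]}/{meta["name"]}', refs, owners or ["<none>"]))
    return rows

# Constructed sample input (hypothetical pods, not from a real cluster).
SAMPLE = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "example-agent-x1",
                  "ownerReferences": [{"kind": "DaemonSet", "name": "example-agent"}]},
     "spec": {"volumes": [{"name": "cfg", "secret": {"secretName": "cloud-config"}}],
              "containers": [{"name": "agent"}]}},
    {"metadata": {"namespace": "kube-system", "name": "example-sync-7f9c-abcde",
                  "ownerReferences": [{"kind": "ReplicaSet", "name": "example-sync-7f9c"}]},
     "spec": {"volumes": [{"name": "data", "emptyDir": {}}], "containers": [{"name": "main"}],
              "initContainers": [{"name": "init", "env": [{"name": "OS_PASSWORD", "valueFrom":
                  {"secretKeyRef": {"name": "cloud-config", "key": "password"}}}]}]}},
    {"metadata": {"namespace": "default", "name": "unrelated"},
     "spec": {"containers": [{"name": "web", "env": [{"name": "MODE", "value": "prod"}]}]}},
]}

if __name__ == "__main__":
    pods = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for pod, refs, owners in find_consumers(pods):
        print(pod, ",".join(refs), ",".join(owners), sep="\t")
```

Pipe the output of `kubectl get pods --all-namespaces -o json` into the script to run it against a cluster. A ReplicaSet owner usually belongs to a Deployment, which is the object to rollout restart.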