Deployment, Administration, and User Guides
- About This Guide
- I Overview of SUSE Cloud Application Platform
- II Deploying SUSE Cloud Application Platform
- 3 Deployment and Administration Notes
- 4 Deploying SUSE Cloud Application Platform on SUSE CaaS Platform
- 5 Deploying SUSE Cloud Application Platform on Microsoft Azure Kubernetes Service (AKS)
- 6 Deploying SUSE Cloud Application Platform on Amazon Elastic Kubernetes Service (EKS)
- 7 Deploying SUSE Cloud Application Platform on Google Kubernetes Engine (GKE)
- 8 Installing the Stratos Web Console
- 9 Eirini
- 10 Deploying SUSE Cloud Application Platform Using Terraform
- 11 Setting Up a Registry for an Air Gapped Environment
- 12 SUSE Private Registry
- III SUSE Cloud Application Platform Administration
- 13 Upgrading SUSE Cloud Application Platform
- 14 Configuration Changes
- 15 Creating Admin Users
- 16 Managing Passwords
- 17 Accessing the UAA User Interface
- 18 Container Memory Limits and Requests
- 19 Cloud Controller Database Secret Rotation
- 20 Rotating Automatically Generated Secrets
- 21 Backup and Restore
- 22 Service Brokers
- 23 App-AutoScaler
- 24 Integrating CredHub with SUSE Cloud Application Platform
- 25 Buildpacks
- IV SUSE Cloud Application Platform User Guide
- V Troubleshooting
- A Appendix
- B GNU Licenses
20 Rotating Automatically Generated Secrets #
- File Name: cap_admin_secret_rotation.xml
- ID:
Cloud Application Platform uses a number of automatically generated secrets (passwords and certificates) for use internally provided by cf-operator. This removes the burden from human operators while allowing for secure communication. From time to time, operators may wish to change such secrets, either manually or on a schedule. This is called rotating a secret.
20.1 Finding Secrets #
- File Name: cap_admin_secret_rotation.xml
- ID: sec-cap-secrets-rotation-finding
Retrieve the list of all secrets maintained by KubeCF:
tux > kubectl get quarkssecret --namespace kubecfTo see information about a specific secret, for example the NATS password:
tux > kubectl get quarkssecret --namespace kubecf kubecf.var-nats-password --output yamlNote that each quarkssecret has a corresponding regular Kubernetes secret that it controls:
tux >kubectl get secret --namespace kubecftux >kubectl get secret --namespace kubecf kubecf.var-nats-password --output yaml
20.2 Rotating Specific Secrets #
- File Name: cap_admin_secret_rotation.xml
- ID: sec-cap-secrets-rotation-specific
To rotate a secret, for example kubecf.var-nats-password:
Create a YAML file for a ConfigMap of the form:
--- apiVersion: v1 kind: ConfigMap metadata: name: rotate-kubecf.var-nats-password labels: quarks.cloudfoundry.org/secret-rotation: "true" data: secrets: '["kubecf.var-nats-password"]'The name of the ConfigMap can be anything allowed by Kubernetes syntax but we recommend using a name derived from the name of the secret itself.
Also, the example above rotates only a single secret but the
data.secretskey accepts an array of secret names, allowing simultaneous rotation of many secrets.Apply the ConfigMap:
tux >kubectl apply --namespace kubecf -f /path/to/your/yaml/fileThe result can be seen in the cf-operator's log.
After the rotation is complete, that is after secrets have been changed and all affected pods have been restarted, delete the config map again:
tux >kubectl delete --namespace kubecf -f /path/to/your/yaml/file