Cloud Credentials
The RCTL utility provides the means to manage the lifecycle of credentials. The following operations can be performed on credentials managed by the controller in projects inside your organization.
| Resource | Create | Get | Update | Delete |
|---|---|---|---|---|
| Credentials | YES | YES | NO | YES |
Cloud Provider Credentials
Use the Controller to configure cloud credentials for a Project. Use the following links for information about cloud platform credentials.
Important
For Amazon EKS and Google GKE, an IAM role must be created in the cloud platform console. Use the following links for instructions.
For Amazon EKS, be sure to set the Account ID and External ID as the role's trusted entity; this is what gives the controller permission to assume the role.
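The trust relationship described above, written out as an added example (not taken from the product's documentation): a shell function that renders the role's trust policy JSON. It assumes the trusted principal is the root of the account whose ID the controller gives you; the account ID and external ID in the sample call are constructed.

```shell
#!/bin/sh
# Added example: render the trust policy for the IAM role the controller assumes.
# render_trust_policy is a hypothetical helper name.

render_trust_policy() {
  local account_id="$1" external_id="$2"

  # AWS account IDs are exactly 12 digits.
  case "$account_id" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "error: account ID must be 12 digits" >&2; return 1 ;;
  esac

  # STS accepts external IDs of 2-1224 characters from this set. Rejecting
  # anything else also keeps the value safe to embed in JSON unescaped.
  case "$external_id" in
    *[!A-Za-z0-9_+=,.@:/-]*)
      echo "error: external ID contains unsupported characters" >&2; return 1 ;;
  esac
  if [ "${#external_id}" -lt 2 ] || [ "${#external_id}" -gt 1224 ]; then
    echo "error: external ID must be 2-1224 characters" >&2
    return 1
  fi

  # Without the sts:ExternalId condition, any principal in the trusted
  # account could assume the role (the confused-deputy problem).
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "sts:ExternalId": "${external_id}" }
      }
    }
  ]
}
EOF
}

# Constructed sample values, not real identifiers.
render_trust_policy 123456789012 constructed-external-id-0001
```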
Create Credential
Create a new "managed" credential in the current Project using the Controller.
- See CLI Setup for setting the current Project.
- See YAML Examples for credential config files, based on the cloud platform.
Use this to create a credential which will be used to provision clusters.
```
./rctl apply -f <filename.yaml>
```
Update Credential
To update a credential, make the required changes in the existing credential config file and run the command below:
```
./rctl apply -f <filename.yaml>
```
List Credentials
Use this to retrieve/list all "managed credentials". An illustrative example is shown below.
```
./rctl get credentials --v3
+-----------------------+-------+------------------------------+------------------------------+-----------+
| NAME                  | CLOUD | CREATED AT                   | MODIFIED AT                  | OWNERSHIP |
+-----------------------+-------+------------------------------+------------------------------+-----------+
| my-cred               | AWS   | Tue Jun 29 22:33:04 UTC 2021 | Tue Jun 29 22:33:04 UTC 2021 | self      |
+-----------------------+-------+------------------------------+------------------------------+-----------+
| minio                 | MINIO | Tue Jun 20 22:16:07 UTC 2021 | Tue Apr 20 22:16:07 UTC 2021 | self      |
+-----------------------+-------+------------------------------+------------------------------+-----------+
```
To retrieve the details of a specific credential, use the command below:
```
./rctl get credentials my-cred --v3
+-----------------------+-------+------------------------------+------------------------------+-----------+
| NAME                  | CLOUD | CREATED AT                   | MODIFIED AT                  | OWNERSHIP |
+-----------------------+-------+------------------------------+------------------------------+-----------+
| my-cred               | AWS   | Tue Jun 29 22:33:04 UTC 2021 | Tue Jun 29 22:33:04 UTC 2021 | self      |
+-----------------------+-------+------------------------------+------------------------------+-----------+
```
Delete Credentials
Use the below command to delete a credential.
```
./rctl delete credential <credential_name>
```
Note
Shared credentials cannot be deleted. Update the credential with sharing disabled, then delete the credential.
Deprecated Commands
Refer here for the deprecated RCTL Commands.
YAML Examples
The following YAML file examples are specific for each cloud provider. In each example, change the `name` and `project` to match your environment.
For `spec.type`, supported values are `ClusterProvisioning`, `DataBackup`, or `CostManagement`.
AWS EKS Access ID and Secret Key
```yaml
apiVersion: infra.k8smgmt.io/v3
kind: Credentials
metadata:
  name: test-credentials
  project: defaultproject
spec:
  sharing:
    enabled: false
  type: ClusterProvisioning
  provider: aws
  credentials:
    type: AccessKey
    accessId: <access_id>
    secretKey: <secret_key>
```
AWS EKS Role ARN
```yaml
apiVersion: infra.k8smgmt.io/v3
kind: Credentials
metadata:
  name: test-credentials
  project: defaultproject
spec:
  sharing:
    enabled: false
  type: ClusterProvisioning
  provider: aws
  credentials:
    type: Role
    arn: <role_arn>
    accountId: "<account_id>"
    externalId: "<external_id>"
```
Microsoft Azure AKS
```yaml
apiVersion: infra.k8smgmt.io/v3
kind: Credentials
metadata:
  name: test-credentials
  project: defaultproject
spec:
  sharing:
    enabled: false
  type: ClusterProvisioning
  provider: azure
  credentials:
    tenantId: <tenant_id>
    subscriptionId: <subscription_id>
    clientId: <clientId>
    clientSecret: <clientSecret>
```
Google GCP GKE
Note
For the credentials file, convert your GCP Service Account Key to Base64, then use it with the example below.
```yaml
apiVersion: infra.k8smgmt.io/v3
kind: Credentials
metadata:
  name: test-credentials
  project: defaultproject
spec:
  sharing:
    enabled: false
  type: ClusterProvisioning
  provider: gcp
  credentials:
    file: <base64_encoded_service_account_key>
```
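One way to prepare this file, as an added example rather than vendor-supplied code: the function below Base64-encodes the key on a single line (GNU `base64` wraps output at 76 columns by default, which would break the `file:` value) and writes the credential YAML readable only by its owner. The function name and the file paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: build the GKE credential YAML from a service account key file.
# Usage (hypothetical paths):
#   write_gcp_credential sa-key.json gke-cred.yaml test-credentials defaultproject
#   ./rctl apply -f gke-cred.yaml

write_gcp_credential() {
  local key_json="$1" out_yaml="$2" name="$3" project="$4" b64

  [ -r "$key_json" ] || { echo "error: cannot read $key_json" >&2; return 1; }

  # Strip newlines so the encoded key stays a single-line YAML scalar;
  # this works with both GNU and BSD base64.
  b64=$(base64 < "$key_json" | tr -d '\n')
  [ -n "$b64" ] || { echo "error: $key_json is empty" >&2; return 1; }

  # The output embeds a long-lived secret: create it with owner-only access.
  ( umask 077 && cat > "$out_yaml" ) <<EOF
apiVersion: infra.k8smgmt.io/v3
kind: Credentials
metadata:
  name: ${name}
  project: ${project}
spec:
  sharing:
    enabled: false
  type: ClusterProvisioning
  provider: gcp
  credentials:
    file: ${b64}
EOF
  # umask only applies to newly created files; tighten a pre-existing one too.
  chmod 600 "$out_yaml"
}
```

Remove the generated YAML once `./rctl apply -f` has succeeded, since Base64 is an encoding and not protection for the key.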
MKS Cloud Credential
```yaml
apiVersion: infra.k8smgmt.io/v3
kind: Credentials
metadata:
  name: mks-ssh-credentials
  project: defaultproject
spec:
  type: ClusterProvisioning
  provider: mks
  credentials:
    agents:
      - name: mks-gitops-agent
    username: ubuntu
    port: '22'
    privateKey: "sample-ssh-key"
```
Important
Ensure that the GitOps agent is updated to version r2.8.0 or later.
VMware vSphere
```yaml
apiVersion: infra.k8smgmt.io/v3
kind: Credentials
metadata:
  name: test-credentials
  project: defaultproject
spec:
  sharing:
    enabled: false
  type: ClusterProvisioning
  provider: vsphere
  credentials:
    gatewayId: <gateway_id>
    vsphereServer: <vsphere_server>
    username: <user_name>
    password: <password>
```
MinIO
Note
MinIO supports `DataBackup` only.
```yaml
apiVersion: infra.k8smgmt.io/v3
kind: Credentials
metadata:
  name: test-credentials
  project: defaultproject
spec:
  sharing:
    enabled: false
  type: DataBackup
  provider: minio
  credentials:
    accessId: <access_id>
    secretKey: <secret_key>
```