Hack: Rotate OpenShift clouds.yaml application credentials
Cloud credentials in OpenShift-on-OpenStack are stored in a secret in the kube-system namespace. Rotating credentials entails:

1. Create the new credentials in OpenStack
2. Build a clouds.yaml with the new credentials
3. Upload the new clouds.yaml to the Kubernetes secret
4. Let the operators distribute the new secret.

When using application credentials, this translates to:

```bash
# Step 0: Get the current credentials for the cluster. Useful later to replace values

# Step 1: Create the new credentials in OpenStack
openstack application credential create new-creds-1

# Step 2: Build a `clouds.yaml` with the new credentials.
# Get the current credentials from OCP, and replace with the new values from Step 1.
# Save as `c.yaml` for example.
oc -n kube-system get secret openstack-credentials -o jsonpath='{.data.clouds\.yaml}' | base64 -d

# Step 3: Upload the new `clouds.yaml` to the `openstack-credentials` secret
oc set data -n kube-system secret/openstack-credentials clouds.yaml="$(<"c.yaml")"

# Step 4: Enjoy.
```

Automate clouds.yaml generation

First, build a script that creates new application credentials and directly outputs a clouds.yaml based on a template. We assume that the cloud in question is openstack, which is what you’ll find in the OpenShift secret.

...
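One way to do the "replace values" part of Step 2 without hand-editing the decoded file, as an added example that is not the author's script. The function names `rotate_clouds_yaml` and `sample_clouds_yaml`, the sample file and the new ID and secret are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not the author's script. Function names and sample values
# are constructed for illustration.

# Usage: rotate_clouds_yaml NEW_ID NEW_SECRET < current.yaml > c.yaml
# Replaces only the two application-credential values; indentation and all
# other keys (auth_url, region_name, ...) stay as found in the secret.
# Returns 2 on unsafe input, 1 if either key is absent (e.g. a
# password-based clouds.yaml), so a bad file is never uploaded by mistake.
rotate_clouds_yaml() {
    # Assumption: ID and secret contain only [A-Za-z0-9_-]; anything else
    # (quotes, backslashes, newlines) is rejected rather than YAML-escaped.
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 2 ;; esac
    case "$2" in ''|*[!A-Za-z0-9_-]*) return 2 ;; esac
    # Pass values through the environment so awk does not expand escapes.
    NEW_ID="$1" NEW_SECRET="$2" awk '
        /^[ \t]*application_credential_id:/ {
            sub(/application_credential_id:.*/, "")
            printf "%sapplication_credential_id: \"%s\"\n", $0, ENVIRON["NEW_ID"]
            seen_id = 1; next
        }
        /^[ \t]*application_credential_secret:/ {
            sub(/application_credential_secret:.*/, "")
            printf "%sapplication_credential_secret: \"%s\"\n", $0, ENVIRON["NEW_SECRET"]
            seen_secret = 1; next
        }
        { print }
        END { if (!(seen_id && seen_secret)) exit 1 }
    '
}

# Constructed stand-in for the decoded `clouds.yaml` from the secret.
sample_clouds_yaml() {
    cat <<'EOF'
clouds:
  openstack:
    auth_type: v3applicationcredential
    auth:
      auth_url: https://keystone.example.test:5000/v3
      application_credential_id: "old-id-0000"
      application_credential_secret: "old-secret-0000"
    region_name: regionOne
EOF
}

# Demo: prints the sample with the constructed new values swapped in.
sample_clouds_yaml | rotate_clouds_yaml new-id-1111 new-secret-1111
```

In real use, pipe the decoded secret from the `oc ... | base64 -d` command into the function, write the result to `c.yaml` under `umask 077`, and run the Step 3 upload only when the function exits 0.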