3.2.2. Admin credentials root secret format
Each cloud provider uses a credentials root secret in the kube-system namespace by convention, which is then used to satisfy all credentials requests and create their respective secrets. This is done either by minting new credentials (Mint Mode) or by copying the credentials root secret (Passthrough Mode).
The format for the secret varies by cloud, and is also used for each
Microsoft Azure secret format
apiVersion: v1
kind: Secret
metadata:
  namespace: kube-system
  name: azure-credentials
stringData:
  azure_subscription_id: <SubscriptionID>
  azure_client_id: <ClientID>
  azure_client_secret: <ClientSecret>
  azure_tenant_id: <TenantID>
  azure_resource_prefix: <ResourcePrefix>
  azure_resourcegroup: <ResourceGroup>
  azure_region: <Region>
On Microsoft Azure, the credentials secret format includes two properties that must contain the cluster’s infrastructure ID, generated randomly for each cluster installation. This value can be found after running create manifests:
$ cat .openshift_install_state.json | jq '."*installconfig.ClusterID".InfraID' -r
This value would be used in the secret data as follows:
azure_resource_prefix: mycluster-2mpcn
azure_resourcegroup: mycluster-2mpcn-rg
In a future release, improvements to the Cloud Credential Operator will prevent situations where a user might enter an upgrade that will fail because their manually maintained credentials have not been updated to match the CredentialsRequest objects in the upcoming release image.