How to modify the RHV credentials in OCP 4
Environment
- Red Hat OpenShift Container Platform (RHOCP) 4
- Red Hat Virtualization (RHV)
Issue
- Is there any process to update the existing oVirt credentials post installation?
- How to update the existing oVirt credentials post installation in OpenShift?
Resolution
For OCP 4, the cloud provider config and the oVirt credentials are stored in secret ovirt-credentials in the kube-system namespace.
Modifying the RHV Credentials
The username and password are the base64-encoded values of the keys `ovirt_username` and `ovirt_password` in the secret `ovirt-credentials` under namespace `kube-system`.
1. Back up the ovirt-credentials secret to a YAML file to be on the safe side.
$ oc get secret ovirt-credentials -o yaml -n kube-system > creds_backup.yaml
2. Edit and replace the credentials file.
$ cp creds_backup.yaml creds.yaml
$ vi creds.yaml
$ oc replace -f creds.yaml
Below is the sample ovirt-credentials file:
apiVersion: v1
kind: Secret
metadata:
  namespace: kube-system
  name: ovirt-credentials
data:
  ovirt_url: Base64encodeURL
  ovirt_username: Base64encodeUsername
  ovirt_password: Base64encodePassword
  ovirt_insecure: Base64encodeInsecure
  ovirt_ca_bundle: Base64encodeCABundle
Note: While editing the secret, keep the fields as shown in the sample above.
- Never change the secret name.
- Edit only what is needed, in this case the username and password, and ensure that each value is base64 encoded.
## To get the base64 encoded value run the following command:
$ echo -n username@profile|base64
3. After the update of the secret ovirt-credentials, the following secrets will also be updated. Verify that they are updated by checking the username and password.
$ oc get secret/ovirt-credentials -n openshift-cluster-csi-drivers -o yaml
$ oc get secret/ovirt-credentials -n openshift-machine-api -o yaml
Please note that it will take some time to sync these namespaces after the change.
4. OpenShift 4.11 and earlier: Manually restart the RHV pods. To ensure that the pods are working with the latest credentials, the following pods need to be restarted (deleted):
$ oc -n openshift-machine-config-operator get pods|grep machine-config-controller
$ oc -n openshift-cluster-csi-drivers get pods
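Step 2 and the note on base64 encoding can be scripted instead of edited by hand in vi. The shell functions below are an added example, not part of the original solution or Red Hat's code; the names `b64`, `decode_key` and `update_creds` are hypothetical, and the manifest is assumed to have one `key: value` pair per line as in the sample above.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of oc or OpenShift.

# Encode a value for a Secret's data field: no trailing newline on the input
# and no line wrapping on the output (GNU base64 wraps at 76 columns).
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode one key from a Secret manifest so the edit can be verified.
decode_key() {  # decode_key FILE KEY
    awk -v k="$2:" '$1 == k { print $2 }' "$1" | base64 -d
}

# Copy SRC to DST, replacing only ovirt_username and ovirt_password.
update_creds() {  # update_creds SRC DST USERNAME PASSWORD
    src=$1 dst=$2
    u=$(b64 "$3")
    p=$(b64 "$4")
    (umask 077   # the manifest holds credentials: create it owner-only
     awk -v u="$u" -v p="$p" '
        $1 == "ovirt_username:" { sub(/ovirt_username:.*/, "ovirt_username: " u); n++ }
        $1 == "ovirt_password:" { sub(/ovirt_password:.*/, "ovirt_password: " p); n++ }
        { print }
        END { if (n != 2) exit 1 }   # fail if either key was not found
     ' "$src" > "$dst") || { rm -f "$dst"; return 1; }
    # Round-trip check: the decoded values must equal what was requested.
    [ "$(decode_key "$dst" ovirt_username)" = "$3" ] &&
    [ "$(decode_key "$dst" ovirt_password)" = "$4" ]
}

# Usage: update_creds creds_backup.yaml creds.yaml 'username@profile' 'password'
```

The resulting creds.yaml is applied with `oc replace -f creds.yaml` as in step 2. Base64 is an encoding, not encryption, so creds_backup.yaml and creds.yaml contain the credentials in recoverable form and should be deleted or stored securely once the change is verified.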
Root Cause
The cloud provider utilizes a credentials root secret in the kube-system namespace (by convention), which is then used to satisfy all CredentialsRequests and create their respective Secrets.
These credentials are managed by the cloud credential operator. The cloud credential operator is a controller that syncs on CredentialsRequest custom resources. CredentialsRequests allow OpenShift components to request fine-grained credentials for a particular cloud provider, as opposed to using the admin credentials or elevated permissions granted via instance roles.
Diagnostic Steps
Check the cloud-credential-operator pod logs for any explicit cloud credentials related errors:
$ oc get pods -n openshift-cloud-credential-operator # get the name of cloud credential operator pod
$ oc -n openshift-cloud-credential-operator logs <cloud-credential-operator-pod-name> -c cloud-credential-operator