You can update existing cluster credentials in Google Distributed Cloud with the bmctl
command. When you update cluster credentials, the new information is passed to
admin or hybrid clusters, or automatically routed to affected user clusters
managed by an admin cluster.
Cluster credentials that can be updated
Google Distributed Cloud clusters require multiple credentials when they are created. You set the credentials in the cluster config when you create an admin, standalone, or hybrid cluster. User clusters, as noted above, are managed by an admin cluster (or a hybrid cluster acting as admin), and will reuse the same credentials from the admin cluster.
For more information about creating clusters and different cluster types, see Installation overview: choosing a deployment model.
You can update the following credentials, and their corresponding secrets,
in Google Distributed Cloud clusters with the bmctl command:
- SSH private key: used for node access.
- Container Registry key: service account key used to authenticate with Container Registry for image pulling.
- Connect agent service account key: service account key used by Connect agent pods.
- Connect registry service account key: service account key used to authenticate with Hub when registering or unregistering a cluster.
- Cloud operations service account key: service account key to authenticate with Cloud Operations (logging & monitoring) APIs.
Update credentials with bmctl
Prepare the new values for the credentials you want to update:
- You can generate new Google service account keys through the gcloud command or through the Google Cloud UI.
- Generate new SSH private key credentials in the machines that make up the Google Distributed Cloud clusters.

Update the secrets with the bmctl command, adding the appropriate flags described below.

For example, here bmctl updates the credentials for a new SSH private key, where ADMIN_KUBECONFIG specifies the path to the kubeconfig of the admin, hybrid, or standalone cluster, and SSH_KEY_PATH specifies the path to the new SSH private key:

    bmctl update credentials --kubeconfig ADMIN_KUBECONFIG --ssh-private-key-path SSH_KEY_PATH

You can specify the following flags with bmctl to update credentials:
Flag | Description |
---|---|
--kubeconfig | required, path to the kubeconfig of the admin, hybrid, or standalone cluster |
--ssh-private-key-path | path to the new SSH private key |
--gcr-key-path | path to the new Container Registry service account key |
--gke-connect-agent-service-account-key-path | path to the new Connect agent service account key |
--gke-connect-register-service-account-key-path | path to the new Connect register service account key |
--cloud-operations-service-account-key-path | path to the new Google Cloud Observability service account key |
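
The following wrapper is an added example, not part of the original page or of bmctl itself: it checks each new key file before handing it to `bmctl update credentials` with the flags from the table above. The function names `check_key_file` and `update_credentials_checked` and the `BMCTL` override variable are hypothetical; the owner-only permission requirement is an assumption of this example, not a documented bmctl requirement.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks, then `bmctl update credentials`.
# check_key_file and update_credentials_checked are hypothetical helper names.

# Succeeds only if the file is non-empty and not accessible to group/other.
check_key_file() {
  local path="$1" mode
  [ -s "$path" ] || { echo "missing or empty: $path" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path") || return 1
  case "$mode" in
    *00) ;;  # owner-only, e.g. 600 or 400
    *) echo "too permissive (mode $mode): $path" >&2; return 1 ;;
  esac
}

# Usage: update_credentials_checked ADMIN_KUBECONFIG FLAG PATH [FLAG PATH ...]
update_credentials_checked() {
  local kubeconfig="$1" flag="" arg
  shift
  [ -s "$kubeconfig" ] || { echo "kubeconfig not found: $kubeconfig" >&2; return 1; }
  for arg in "$@"; do
    if [ -z "$flag" ]; then flag="$arg"; continue; fi
    check_key_file "$arg" || return 1
    case "$flag" in
      --ssh-private-key-path)
        # Catches passing the .pub file instead of the private key.
        head -n 1 "$arg" | grep -q 'PRIVATE KEY-----' \
          || { echo "not a private key: $arg" >&2; return 1; } ;;
      --gcr-key-path | --gke-connect-agent-service-account-key-path | \
      --gke-connect-register-service-account-key-path | \
      --cloud-operations-service-account-key-path)
        # Google service account JSON keys carry "type": "service_account".
        grep -q '"type": *"service_account"' "$arg" \
          || { echo "not a service account key: $arg" >&2; return 1; } ;;
      *) echo "unsupported flag: $flag" >&2; return 1 ;;
    esac
    flag=""
  done
  [ -z "$flag" ] || { echo "flag without a path: $flag" >&2; return 1; }
  # BMCTL can be overridden (for example with `echo`) for a dry run.
  "${BMCTL:-bmctl}" update credentials --kubeconfig "$kubeconfig" "$@"
}
```

Setting `BMCTL=echo` prints the arguments that would be passed instead of running bmctl, which is useful for reviewing a rotation before applying it.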