This repository has been archived by the owner on Oct 24, 2023. It is now read-only.

docs: how to change Service Principal credentials? #724

Closed
JoseAntonioRodriguez opened this issue Jun 19, 2018 · 6 comments
Labels
area/docs question Further information is requested stale

Comments

@JoseAntonioRodriguez

Is this a request for help?: YES


Is this an ISSUE or FEATURE REQUEST? (choose one): QUESTION


What version of acs-engine?: 0.16.2


Orchestrator and version (e.g. Kubernetes, DC/OS, Swarm): Kubernetes 1.9.7


  • I've created a Service Principal and then deployed a K8S cluster providing --client-id and --client-secret to set the Service Principal credentials.
  • Everything goes well, but now I need to change the Service Principal password. I used az ad sp credential reset ... to set a new password and I can login using the new password.
  • Operations in the cluster that need to talk to the Azure API eventually start to fail (as I expected, because I've changed the SP password).
  • The question is: How can I use acs-engine to set the new Service Principal password in a running cluster?

I've tried to use acs-engine deploy again with the new password in the --client-secret argument, but it fails with the error Changing property 'customData' is not allowed.

@CecileRobertMichon
Contributor

I think you might need to update the aadClientSecret in /etc/kubernetes/azure.json

@javierprovecho

Hi @CecileRobertMichon,

Apart from modifying the credentials on each master, it would be also necessary to update apiModel.json in the output directory, in case of upgrading K8S through acs-engine cli.

There isn't an automated way to renew these credentials from acs-engine?


If so, a cluster's lifecycle would only last until the default expiration of the service principal password, and manual maintenance would be needed to keep the cluster working with Azure.

Kops, for example, allows managing credentials for the cluster and rotating them if necessary, although some downtime may occur.

This kind of cluster rolling update could be a useful feature for acs-engine, and would also enable other types of features like switching instance type.

@andyzhangx
Contributor

andyzhangx commented Jul 7, 2018

Pasting my practice for how to update the service principal secret in an existing k8s cluster:

# update service principal secret (aadClientSecret)
sudo vi /etc/kubernetes/azure.json

# on master node
docker restart $(docker ps -q)

# on Linux agent node
sudo systemctl daemon-reload
sudo systemctl restart kubelet

# on Windows agent node
notepad c:\k\azure.json  #update aadClientSecret and save
start powershell
stop-service kubeproxy
stop-service kubelet
start-service kubeproxy
start-service kubelet

To automate this, you may use the custom script extension to run these scripts in the VM; refer to https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux
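The following is an added example, not code from this thread or from acs-engine, of doing the azure.json edit above as a script rather than by hand, so it can be shipped to nodes through the custom script extension the comment mentions. It replaces only the value of one JSON string key, refuses to run if that key is missing or appears more than once, rejects new values containing a double quote or backslash (the match for the old value would not survive them on the next rotation), escapes the characters that are special in a sed replacement, and writes the result atomically with mode 0600. The same function can be pointed at the `secret` under `servicePrincipalProfile` in the output apimodel.json that @javierprovecho mentions, provided that key name is unique in the file. The sample azure.json is constructed with placeholder values; the function names, the assumption that each key sits on its own line, and the assumption that the current secret contains no double quote are mine. The restart commands are the ones from the comment above and only run if you call them.

```shell
#!/bin/sh
# Added example: rotate the service principal secret in acs-engine's
# /etc/kubernetes/azure.json without hand-editing. Not acs-engine tooling.
# Assumptions: the target key appears exactly once, on its own line; the
# current value contains no double quote; the key name itself is a plain
# identifier; the rewritten file should be mode 0600.

# set_json_string FILE KEY VALUE
# Replace the string value of "KEY" in FILE atomically (temp file + rename).
set_json_string() {
  file=$1; key=$2; new=$3
  n=$(grep -c "\"$key\"" "$file" || true)
  if [ "$n" -ne 1 ]; then
    echo "refusing: expected exactly one \"$key\" in $file, found $n" >&2
    return 1
  fi
  # A double quote or backslash would need JSON escaping and would break the
  # [^"]* match on the next rotation, so refuse rather than write a bad file.
  case $new in
    *'"'*|*'\'*)
      echo "refusing: new value contains a double quote or backslash" >&2
      return 1 ;;
  esac
  # & and | are special on the right-hand side of s|||; escape them.
  repl=$(printf '%s' "$new" | sed 's/[&|]/\\&/g')
  tmp=$(mktemp "$file.XXXXXX") || return 1
  chmod 600 "$tmp"
  if ! sed "s|\"$key\": *\"[^\"]*\"|\"$key\": \"$repl\"|" "$file" > "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  mv -f "$tmp" "$file"
}

# restart_after_rotation master|agent
# The commands from the comment above; the cloud provider config is read when
# these components start, which is why they must be restarted.
restart_after_rotation() {
  case $1 in
    master) docker restart $(docker ps -q) ;;
    agent)  systemctl daemon-reload && systemctl restart kubelet ;;
    *) echo "usage: restart_after_rotation master|agent" >&2; return 1 ;;
  esac
}

# write_sample_azure_json FILE
# Constructed sample in the shape of azure.json, placeholder values only,
# so the rotation can be tried offline before touching a real node.
write_sample_azure_json() {
  ( umask 077; cat > "$1" <<'EOF'
{
    "cloud": "AzurePublicCloud",
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "subscriptionId": "00000000-0000-0000-0000-000000000000",
    "aadClientId": "11111111-1111-1111-1111-111111111111",
    "aadClientSecret": "old-secret",
    "resourceGroup": "my-rg",
    "location": "westeurope",
    "vmType": "standard"
}
EOF
  )
}

# On a node (as root), with the new secret in $NEW_SECRET:
#   set_json_string /etc/kubernetes/azure.json aadClientSecret "$NEW_SECRET" \
#     && restart_after_rotation agent
```

Pass the secret through an environment variable or a file rather than on the command line of a CSE invocation where it would be visible in process listings and extension logs; the function only needs it as an argument within the same shell.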

@stale

stale bot commented Mar 9, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contribution. Note that acs-engine is deprecated--see https://github.com/Azure/aks-engine instead.

@CecileRobertMichon CecileRobertMichon transferred this issue from Azure/acs-engine Mar 11, 2019

@CecileRobertMichon CecileRobertMichon changed the title How to change Service Principal credentials? docs: how to change Service Principal credentials? Mar 11, 2019
@CecileRobertMichon CecileRobertMichon added area/docs question Further information is requested azure labels Mar 11, 2019
@stale

stale bot commented May 10, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
