# Secrets and rotation

The following sections contain information about Secrets in the Garden cluster that are either provided by users or generated by Gardener for users.

## List of secrets

### User provided secrets

#### Cloudprovider Secret

Example: https://github.com/gardener/gardener/blob/master/example/70-secret-provider.yaml

Usage: Authenticate gardener and kubernetes components for infrastructure operations

Description: Gardener uses the cloudprovider secret to interact with the infrastructure when setting up shoot networks or security groups via the terraformer. It is also used by the cloud-controller-manager of your Shoot to communicate with the infrastructure, for example to create LoadBalancer services or routes, or to retrieve information about Node objects. Depending on the cloudprovider, the format of the secret differs. Please consult the example above and the respective infrastructure extension documentation for the concrete layout.

To put it to use, a cloudprovider secret is bound to one or more namespaces (and therefore projects) using a SecretBinding. For Shoots created in those projects, the secret is synced to the shoot namespace in the seed cluster.

Rotation: Rotating the cloudprovider secret requires multiple steps:

  1. Update the data keys in the secret.
  2. ⚠️ Wait until all Shoots using the secret are reconciled before you disable the old secret in your infrastructure account! Otherwise the shoots will no longer function.
  3. After all Shoots using the secret were reconciled you can go ahead and deactivate the old secret in your infrastructure account.
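Step 2 is the step that goes wrong in practice: the old credential is deactivated while some Shoot bound to the secret has not yet reconciled with the new data. The following script is an added example (not part of this document and not Gardener's own code) that implements that gate offline. It consumes the objects that `kubectl get secretbindings -A -o json` and `kubectl get shoots -A -o json` would return (here replaced by constructed sample objects) and reports which Shoots bound to the rotated secret have not completed a successful reconciliation since the secret was updated. The field names (`secretRef`, `spec.secretBindingName`, `status.lastOperation`, `status.observedGeneration`) follow the Gardener API as the author understands it and should be checked against your Gardener version; the secret update timestamp is supplied by the operator, since a Secret's metadata does not record when its data last changed.

```python
"""Gate for step 2 of the cloudprovider secret rotation (added example)."""
from datetime import datetime, timezone


def parse_k8s_time(value):
    """Parse an RFC 3339 timestamp as the Kubernetes API server writes it."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def shoots_bound_to_secret(bindings, shoots, secret_namespace, secret_name):
    """Return the Shoots whose SecretBinding references the given cloudprovider secret.

    Assumption: SecretBinding.secretRef.{namespace,name} points at the secret and
    Shoot.spec.secretBindingName names a SecretBinding in the Shoot's own namespace.
    """
    bound = {
        (b["metadata"]["namespace"], b["metadata"]["name"])
        for b in bindings
        if b["secretRef"]["namespace"] == secret_namespace
        and b["secretRef"]["name"] == secret_name
    }
    return [
        s for s in shoots
        if (s["metadata"]["namespace"], s["spec"]["secretBindingName"]) in bound
    ]


def reconciled_since(shoot, since):
    """True if the Shoot's last Create/Reconcile succeeded after `since` and
    the controller has observed the current generation of the object."""
    status = shoot.get("status") or {}
    op = status.get("lastOperation") or {}
    if status.get("observedGeneration") != shoot["metadata"]["generation"]:
        return False
    if op.get("type") not in ("Create", "Reconcile") or op.get("state") != "Succeeded":
        return False
    return parse_k8s_time(op["lastUpdateTime"]) >= since


def rotation_gate(bindings, shoots, secret_namespace, secret_name, secret_updated_at):
    """Decide whether the old infrastructure credential may be deactivated."""
    pending = [
        f'{s["metadata"]["namespace"]}/{s["metadata"]["name"]}'
        for s in shoots_bound_to_secret(bindings, shoots, secret_namespace, secret_name)
        if not reconciled_since(s, secret_updated_at)
    ]
    return {"safe_to_deactivate_old_credential": not pending, "pending": pending}


# ---- constructed sample data (stands in for the kubectl JSON output) ----
def _shoot(ns, name, binding, generation, observed, op_type, state, ts):
    return {
        "metadata": {"namespace": ns, "name": name, "generation": generation},
        "spec": {"secretBindingName": binding},
        "status": {
            "observedGeneration": observed,
            "lastOperation": {"type": op_type, "state": state, "lastUpdateTime": ts},
        },
    }


SECRET_UPDATED_AT = parse_k8s_time("2024-01-01T10:00:00Z")  # when step 1 was done

SAMPLE_BINDINGS = [
    {"metadata": {"namespace": "garden-proj1", "name": "my-binding"},
     "secretRef": {"namespace": "garden-proj1", "name": "my-cloud-secret"}},
    {"metadata": {"namespace": "garden-proj2", "name": "other-binding"},
     "secretRef": {"namespace": "garden-proj2", "name": "other-secret"}},
]
SAMPLE_SHOOTS = [
    # reconciled after the update: fine
    _shoot("garden-proj1", "shoot-a", "my-binding", 3, 3, "Reconcile", "Succeeded", "2024-01-01T10:30:00Z"),
    # last successful reconcile predates the update: still uses old data
    _shoot("garden-proj1", "shoot-b", "my-binding", 5, 5, "Reconcile", "Succeeded", "2024-01-01T09:00:00Z"),
    # reconciliation still running
    _shoot("garden-proj1", "shoot-c", "my-binding", 2, 2, "Reconcile", "Processing", "2024-01-01T10:45:00Z"),
    # bound to a different secret: not affected by this rotation
    _shoot("garden-proj2", "shoot-d", "other-binding", 1, 1, "Reconcile", "Succeeded", "2024-01-01T08:00:00Z"),
]

if __name__ == "__main__":
    print(rotation_gate(SAMPLE_BINDINGS, SAMPLE_SHOOTS,
                        "garden-proj1", "my-cloud-secret", SECRET_UPDATED_AT))
```

Re-run the gate until `pending` is empty; only then proceed with step 3. A Shoot that is hibernated or has `Succeeded` for a `Delete` operation is deliberately reported as pending here, so those cases need a manual decision.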

### Gardener generated secrets

#### Kubeconfig

Name: <shoot-name>.kubeconfig

Description: Admin Kubeconfig provided by Gardener for the managed shoot cluster.

> **NOTE**
>
> This Kubeconfig contains the highest privileges in the cluster. We strongly discourage distributing or using this Kubeconfig. Instead, configure dedicated Service Accounts, OIDC or similar alternatives to grant role-based and revocable access for a broader audience.
Rotation: The Kubeconfig can be rotated by annotating the shoot resource with `gardener.cloud/operation: rotate-kubeconfig-credentials`. The replacement Kubeconfig is provided after the reconciliation triggered by the annotation has completed. Please note that shoot clusters created with Gardener version <= 0.28.0 used to have a Kubeconfig based on a client certificate instead of a static token. These client certificates cannot be revoked, so a full credential rotation is not supported for them.
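Before relying on the rotation annotation, it helps to know which of the two credential kinds a given `<shoot-name>.kubeconfig` secret actually carries, because only the token variant can be fully rotated. The following is an added example (not part of this document and not Gardener's own code) that decodes the secret and classifies the embedded kubeconfig by scanning it for `token:` versus `client-certificate-data:` entries. It assumes the secret stores the kubeconfig under the data key `kubeconfig`; the two kubeconfig documents and the secrets built from them are constructed sample input.

```python
"""Classify a shoot kubeconfig secret by credential kind (added example)."""
import base64

# YAML keys that identify the credential kind in a kubeconfig `users[].user` entry.
CERT_KEYS = ("client-certificate-data:", "client-certificate:",
             "client-key-data:", "client-key:")
TOKEN_KEYS = ("token:",)


def credential_kind(kubeconfig_text):
    """Return 'client-certificate', 'token' or 'unknown' for a kubeconfig document.

    A line-based scan is enough here because kubeconfig keys are unique words;
    it deliberately avoids a YAML dependency so the check runs anywhere.
    """
    has_token = has_cert = False
    for raw in kubeconfig_text.splitlines():
        line = raw.strip()
        if line.startswith(CERT_KEYS):
            has_cert = True
        elif line.startswith(TOKEN_KEYS):
            has_token = True
    if has_cert:
        return "client-certificate"
    if has_token:
        return "token"
    return "unknown"


def assess_kubeconfig_secret(secret):
    """Decode a `<shoot-name>.kubeconfig` secret (assumed data key: kubeconfig)
    and report whether a full rotation is possible for it."""
    text = base64.b64decode(secret["data"]["kubeconfig"]).decode()
    kind = credential_kind(text)
    return {
        "secret": f'{secret["metadata"]["namespace"]}/{secret["metadata"]["name"]}',
        "credential": kind,
        # client certificates cannot be revoked, so only token credentials rotate fully
        "full_rotation_supported": kind == "token",
    }


# ---- constructed sample input ----
TOKEN_KUBECONFIG = """apiVersion: v1
kind: Config
clusters:
- name: my-shoot
  cluster:
    server: https://api.my-shoot.example.invalid
    certificate-authority-data: PLACEHOLDER-CA
users:
- name: my-shoot-token
  user:
    token: PLACEHOLDER-STATIC-TOKEN
contexts:
- name: my-shoot
  context:
    cluster: my-shoot
    user: my-shoot-token
current-context: my-shoot
"""

CERT_KUBECONFIG = TOKEN_KUBECONFIG.replace(
    "    token: PLACEHOLDER-STATIC-TOKEN",
    "    client-certificate-data: PLACEHOLDER-CERT\n    client-key-data: PLACEHOLDER-KEY",
)


def _secret(name, kubeconfig_text):
    return {
        "metadata": {"namespace": "garden-proj1", "name": name},
        "data": {"kubeconfig": base64.b64encode(kubeconfig_text.encode()).decode()},
    }


TOKEN_SECRET = _secret("my-shoot.kubeconfig", TOKEN_KUBECONFIG)
CERT_SECRET = _secret("legacy-shoot.kubeconfig", CERT_KUBECONFIG)

if __name__ == "__main__":
    for s in (TOKEN_SECRET, CERT_SECRET):
        print(assess_kubeconfig_secret(s))
```

A secret reported as `client-certificate` should be treated as a credential that can only be retired by recreating the cluster's PKI, which is exactly why the note above recommends hand-picked Service Accounts or OIDC over distributing this file.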

#### Monitoring

Name: <shoot-name>.monitoring

Description: Username/password for accessing the user Grafana instance of a shoot cluster.

Rotation: Not supported yet.

#### SSH-Keypair

Name: <shoot-name>.ssh-keypair

Description: SSH-Keypair that is propagated to the worker nodes of the shoot cluster. The private key can be used to establish an SSH connection to the workers for troubleshooting purposes.

Rotation: The keypair can be rotated by annotating the shoot resource with `gardener.cloud/operation: rotate-ssh-keypair`. Propagating the new keypair to all worker nodes may take longer than the reconciliation of the shoot that the annotation triggers. The previous keypair can still be found in the `<shoot-name>.ssh-keypair.old` secret.
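Because propagation to the nodes can outlast the reconciliation, a finished reconcile does not by itself prove that every worker has switched to the new key. The following added example (not part of this document and not Gardener's own code) takes the public keys from the `<shoot-name>.ssh-keypair` and `<shoot-name>.ssh-keypair.old` secrets and compares them against the `authorized_keys` content collected from each worker, reporting per node whether the rotation has landed. It assumes the secrets store the public key under the data key `id_rsa.pub`; the key material and the per-node `authorized_keys` texts are constructed dummies, not real keys.

```python
"""Per-node check that the rotated SSH public key has been propagated (added example)."""
import base64

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def public_key_identity(line):
    """Return (key_type, base64_blob) for an OpenSSH public key line, ignoring
    any leading authorized_keys options and the trailing comment."""
    parts = line.split()
    for i in range(len(parts) - 1):
        if parts[i].startswith(KEY_TYPE_PREFIXES):
            return (parts[i], parts[i + 1])
    return None


def keys_in_authorized_keys(text):
    """Set of key identities present in an authorized_keys file."""
    found = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident = public_key_identity(line)
        if ident:
            found.add(ident)
    return found


def public_key_from_secret(secret):
    """Decode the public key from a ssh-keypair secret (assumed data key: id_rsa.pub)."""
    return base64.b64decode(secret["data"]["id_rsa.pub"]).decode().strip()


def propagation_status(new_secret, old_secret, authorized_keys_by_node):
    """Classify each node: rotated / pending / both-keys-present / no-gardener-key."""
    new_id = public_key_identity(public_key_from_secret(new_secret))
    old_id = public_key_identity(public_key_from_secret(old_secret))
    status = {}
    for node, text in authorized_keys_by_node.items():
        present = keys_in_authorized_keys(text)
        if new_id in present and old_id not in present:
            status[node] = "rotated"
        elif new_id in present:
            status[node] = "both-keys-present"   # new key landed, old not yet removed
        elif old_id in present:
            status[node] = "pending"             # still only accepts the old key
        else:
            status[node] = "no-gardener-key"     # neither key: investigate the node
    return status


# ---- constructed sample input (dummy key blobs, not real keys) ----
NEW_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEWK gardener-new"
OLD_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLDK gardener-old"
OTHER_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERKEYOTHERKEYOTHERKEYOTHERKEYOTHERKEYOT someone-else"


def _keypair_secret(name, pub):
    return {"metadata": {"namespace": "garden-proj1", "name": name},
            "data": {"id_rsa.pub": base64.b64encode((pub + "\n").encode()).decode()}}


NEW_SECRET = _keypair_secret("my-shoot.ssh-keypair", NEW_PUB)
OLD_SECRET = _keypair_secret("my-shoot.ssh-keypair.old", OLD_PUB)

# authorized_keys as collected from each worker node
AUTHORIZED_KEYS_BY_NODE = {
    "worker-1": NEW_PUB + "\n",
    "worker-2": "# managed keys\n" + OLD_PUB + "\n",
    "worker-3": OLD_PUB + "\n" + NEW_PUB + "\n",
    "worker-4": 'no-port-forwarding ' + OTHER_PUB + "\n",
}

if __name__ == "__main__":
    for node, state in propagation_status(NEW_SECRET, OLD_SECRET, AUTHORIZED_KEYS_BY_NODE).items():
        print(f"{node}: {state}")
```

Consider the rotation complete only when every worker reports `rotated`; until then the old private key is still valid on at least one node and must be kept under the same protection as the new one.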