diff --git a/kb/2024-05-17/modify_cloud_credential_ttl.md b/kb/2024-05-17/modify_cloud_credential_ttl.md index 2ce88f67..b576c268 100644 --- a/kb/2024-05-17/modify_cloud_credential_ttl.md +++ b/kb/2024-05-17/modify_cloud_credential_ttl.md @@ -1,5 +1,5 @@ --- -title: Renew Harvester cloud credentials +title: Renew Harvester Cloud Credentials description: How to renew expired Harvester cloud credentials when using Rancher 2.8.x. slug: renew_harvester_cloud_credentials authors: @@ -15,13 +15,13 @@ tags: [harvester, cloud credentials, rancher] hide_table_of_contents: false --- -## Expiration of kubeconfig tokens in Rancher 2.8.x +## Expiration of kubeconfig Tokens in Rancher 2.8.x In Rancher 2.8.x, the default value of the [kubeconfig-default-token-ttl-minutes](https://ranchermanager.docs.rancher.com/api/api-tokens#kubeconfig-default-token-ttl-minutes) setting is `30` days. A side effect of using this default value is the expiration of authentication tokens embedded in kubeconfigs that Rancher uses to provision guest Kubernetes clusters on Harvester. When such tokens expire, Rancher loses the ability to perform management operations for the corresponding Rancher-managed guest Kubernetes clusters. [Issue #44912](https://github.com/rancher/rancher/issues/44912) tracks the issue described in this article. -:::info important +:::note The issue affects only guest Kubernetes clusters running on Harvester that use cloud credentials created after installing or upgrading to Rancher v2.8.x. ::: @@ -31,32 +31,34 @@ You can patch the expired Harvester cloud credentials to use a new authenticatio 1. Identify the expired cloud credentials for the cluster. -![identify-credentials](./imgs/identify-cloud-credential.png) + ![identify-credentials](./imgs/identify-cloud-credential.png) 1. Generate a new Rancher authentication token with the value of **Scope** set to **No Scope**. You can customize the TTL for the token (for example, a value of `0` results in tokens that do not expire). -![api-token](./imgs/api-token.png) + ![api-token](./imgs/api-token.png) 1. Generate a kubeconfig to access the Rancher server using the [instructions](https://ranchermanager.docs.rancher.com/api/quickstart) in the Rancher documentation. 1. The cloud credential is stored as a secret in `cattle-global-data` namespace, and can be patched with new authentication token. Ensure that the environment variable `KUBECONFIG` points to the generated kubeconfig. -```shell -#!/bin/sh -CLOUD_CREDENTIAL_NAME=$1 -API_TOKEN=$2 + ```shell + #!/bin/sh + CLOUD_CREDENTIAL_NAME=$1 + API_TOKEN=$2 -kubeconfig=$(kubectl get secret $CLOUD_CREDENTIAL_NAME -n cattle-global-data -o yaml | yq '.data.harvestercredentialConfig-kubeconfigContent' | base64 -d | token=${API_TOKEN} yq -e '.users[0].user.token = env(token)' | base64 -w 0) + kubeconfig=$(kubectl get secret $CLOUD_CREDENTIAL_NAME -n cattle-global-data -o yaml | yq '.data.harvestercredentialConfig-kubeconfigContent' | base64 -d | token=${API_TOKEN} yq -e '.users[0].user.token = env(token)' | base64 -w 0) -patch_file=$(mktemp) + patch_file=$(mktemp) -cat > ${patch_file} < ${patch_file} <