Commit 0d9c242

Document fix to reset manually updated BMC credentials
1 parent b427b7b commit 0d9c242

1 file changed

+21
-2
lines changed

articles/operator-nexus/howto-credential-rotation.md

Lines changed: 21 additions & 2 deletions
@@ -63,18 +63,37 @@ In the `secretRotationStatus` object, the following fields provide context to th
6363
- `secretArchiveReference`: A reference to the Key Vault that the credential is stored. It contains the ID of the key vault, the secret name of the stored credential, and the version of the secret that was previously rotated.
6464

6565
>[!CAUTION]
66-
> If a credential is changed on a device outside of the automatic credential rotation service, the next rotation will likely fail due to the secret not being known by the software. This issue prevents further automated rotation and a [BareMetalMachine replace](./howto-baremetal-functions.md) is required to address manually changed credentials.
66+
> If a credential is changed on a device outside of the automatic credential rotation service, the next rotation will likely fail due to the secret not being known by the software. This issue prevents further automated rotation.
6767
6868
Operator Nexus also provides a service for preemptive rotation of the above Platform credentials. This service is available to customers upon request through a support ticket. Credential rotation for Operator Nexus Fabric devices also requires a support ticket. Instructions for generating a support request are described in the next section.
6969

7070
## Manual changes to credentials
7171

7272
The Credential Manager generates a secure password from the current value updates all BMC nodes and the KeyVault associated with the cluster. The Credential Manager checks KeyVault accessibility and uses the last known rotated secret to access the BMC and then performs the rotation.
7373

74-
Manually rotated secrets aren't recognized by the platform, preventing the Credential Manager from accessing the BMC to update the new password. For iDRAC rotation, the Credential Manager passes a new credential to the BareMetalMachine controller and the attempts to access the iDRAC password for rotation. Manual changes to the credential require a `replace` [action](./howto-baremetal-functions.md) being performed doesn't allow the platform to recognize the new password.
74+
Manually rotated secrets aren't recognized by the platform, preventing the Credential Manager from accessing the BMC to update the new password. For iDRAC rotation, the Credential Manager passes a new credential to the BareMetalMachine controller and the attempts to access the iDRAC password for rotation.
7575

7676
The unknown state of credentials to the platform impacts monitoring and the ability to perform future runtime version upgrades.
7777

78+
In order to restore the state of the credential, it must be reset to a value that the platform recognizes. There are two options for this:
79+
80+
1. Run a [BareMetalMachine replace](./howto-baremetal-functions.md) action providing the current active credentials. This will allow the machine to use these credentials to reset credential rotation.
81+
1. Reset the BMC credential back to the value prior to the manual change. If a key vault is configured for receiving rotated credential, then the proper value may be obtained from there using information from the `secretRotationStatus` data for the Bare Metal Machine resource. The rotation status for the BMC Credential will indicate the secret key and version within the key vault for the appropriate value. Once the credential is reset back, credential rotation will proceed normally.
82+
83+
Example `secretRotationStatus` for BMC credential. Use the `secretName` and `secretVersion` to find the proper value in the cluster key vault.
84+
```
85+
{
86+
{
87+
...
88+
"secretArchiveReference": {
89+
"secretName": "YYYYYYYYYYYYYYYYYYYYYY-storage-appliance-credential-manager-ZZZZZZZ",
90+
"secretVersion": "XXXXXXXXXXXXXX"
91+
},
92+
"secretType": "BMC Credential"
93+
}
94+
},
95+
```
96+
7897
## Create a support request
7998

8099
Users raise credential rotation requests by [contacting support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade). These details are required in order to perform the credential rotation on the requested target instance:
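
Review bot: The example `secretRotationStatus` block at new lines 85-94 is not well-formed JSON. It opens with two bare `{` and closes with `}` followed by `},`, so the inner object has no key or enclosing list and the trailing comma dangles. Suggest showing the entry under its parent key so a reader can match it against real output for the Bare Metal Machine resource. In the same block, the sample `secretName` contains `storage-appliance-credential-manager` while `secretType` is `BMC Credential`; either use a sample name that fits a BMC credential entry or state that the name does not indicate the type, since option 2 on line 81 depends on the reader picking the right secret. Line 63 says `secretArchiveReference` also carries the ID of the key vault, but the example elides it behind `...`; showing that field with a placeholder would tell the reader which vault to look in. While this section is open, the rewritten line 74 still reads "and the attempts to access", and the context on line 72 ("from the current value updates all BMC nodes") is missing a word; both are worth fixing in this change.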
