articles/operator-nexus/howto-credential-rotation.md
Lines changed: 7 additions & 7 deletions
@@ -22,7 +22,7 @@ This article describes the Operator Nexus credential rotation lifecycle includin
22
22
- For information on configuring the key vault to receive credential rotation updates, see [Setting up Key Vault for Managed Credential Rotation](how-to-credential-manager-key-vault.md).
23
23
24
24
> [!IMPORTANT]
25
-
> A key vault must be provided on the Cluster, otherwise credentials won't be retrievable. Microsoft Support doesn't have access to the credentials.
25
+
> A key vault must be provided on the Cluster, otherwise credentials aren't retrievable. Microsoft Support doesn't have access to the credentials.
26
26
27
27
## Rotating credentials
28
28
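Review bot: The rewritten IMPORTANT line still joins two clauses with a comma before "otherwise". This is the sentence that tells operators a missing key vault leaves the credentials unrecoverable and that Microsoft Support has no access to them, so it should read cleanly: "A key vault must be provided on the Cluster; otherwise, credentials aren't retrievable." Consider also pointing from this note to the Key Vault setup article linked in the bullet directly above it, so the requirement and the way to meet it sit together.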
@@ -37,7 +37,7 @@ The Operator Nexus Platform offers a managed credential rotation process that au
37
37
When a new Cluster is created, the credentials are automatically rotated during deployment. The managed credential process then automatically rotates these credentials periodically based on the credential type. The updated credentials are written to the key vault associated with the Cluster resource.
38
38
39
39
> [!NOTE]
40
-
> The introduction of this capability enables auto-rotation for existing instances. If any of the supported credentials hasn't rotated within the expected rotation time period, they'll rotate during the management upgrade.
40
+
> The introduction of this capability enables auto-rotation for existing instances. If any of the supported credentials haven't rotated within the expected rotation time period, they'll rotate during the management upgrade.
41
41
42
42
With the 2024-07-01-GA API, the credential rotation status is available on the Bare Metal Machine or Storage Appliance resources in the `secretRotationStatus` data construct for each of the rotated credentials.
43
43
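Review bot: In the changed NOTE line, "the expected rotation time period" is not defined in the surrounding text, which only says rotation happens "periodically based on the credential type", so a reader cannot tell when a credential counts as overdue. Suggest either stating the period per credential type or referring to the `secretRotationStatus` data described in the next paragraph as the place to check. Minor: the verb agreement fix ("haven't") is right, but "they'll rotate" keeps the future tense that the first hunk removed from "won't be", so the tense cleanup is inconsistent across the two notes.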
@@ -71,16 +71,16 @@ Operator Nexus also provides a service for preemptive rotation of the above Plat
71
71
72
72
The Credential Manager generates a secure password from the current value updates all BMC nodes and the KeyVault associated with the cluster. The Credential Manager checks KeyVault accessibility and uses the last known rotated secret to access the BMC and then performs the rotation.
73
73
74
-
Manually rotated secrets aren't recognized by the platform, preventing the Credential Manager from accessing the BMC to update the new password. For iDRAC rotation, the Credential Manager passes a new credential to the BareMetalMachine controller and the attempts to access the iDRAC password for rotation.
74
+
The Platform doesn't recognize manually rotated secrets, preventing the Credential Manager from accessing the BMC to update the new password. For iDRAC rotation, the Credential Manager passes a new credential to the BareMetalMachine controller and the attempts to access the iDRAC password for rotation.
75
75
76
76
The unknown state of credentials to the platform impacts monitoring and the ability to perform future runtime version upgrades.
77
77
78
-
In order to restore the state of the credential, it must be reset to a value that the platform recognizes. There are two options for this:
78
+
In order to restore the state of the credential, it must be reset to a value that the platform recognizes. There are two options for this situation:
79
79
80
-
1. Run a [BareMetalMachine replace](./howto-baremetal-functions.md) action providing the current active credentials. This will allow the machine to use these credentials to reset credential rotation.
81
-
1. Reset the BMC credential back to the value prior to the manual change. If a key vault is configured for receiving rotated credential, then the proper value may be obtained from there using information from the `secretRotationStatus` data for the Bare Metal Machine resource. The rotation status for the BMC Credential will indicate the secret key and version within the key vault for the appropriate value. Once the credential is reset back, credential rotation will proceed normally.
80
+
1. Run a [BareMetalMachine replace](./howto-baremetal-functions.md) action providing the current active credentials. The replace action allows the machine to use provided credentials to reset credential rotation. This is the recommended option if significant changes are made to the machine.
81
+
1. Reset the BMC credential back to the value prior to the manual change. If a key vault is configured for receiving rotated credential, then the proper value may be obtained using information from the `secretRotationStatus` data for the Bare Metal Machine resource. The rotation status for the BMC Credential indicates the secret key and version within the key vault for the appropriate value. Once the credential is reset back, credential rotation will proceed normally.
82
82
83
-
Example `secretRotationStatus` for BMC credential. Use the `secretName` and `secretVersion` to find the proper value in the cluster key vault.
83
+
Example `secretRotationStatus` for BMC credential. Use the `secretName` and `secretVersion` to find the proper value in the cluster key vault.
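Review bot: The rewritten iDRAC sentence keeps the typo "and the attempts to access the iDRAC password for rotation"; it should read "and then attempts", and since the line is already being touched this is the place to fix it. Other points in the same hunk: "The Platform" is capitalized in the new line while the following lines use "the platform"; in option 1, "to use provided credentials" needs "the", and "if significant changes are made to the machine" does not say what counts as significant, which leaves the reader unable to choose between the two options; in option 2, "receiving rotated credential" should be plural, and "credential rotation will proceed normally" is still future tense although the rest of the item was converted to present. The unchanged context line "generates a secure password from the current value updates all BMC nodes" is missing a conjunction and could be corrected in the same pass.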