The following sections contain information about Secrets in the Garden cluster that are either provided by users or
generated by Gardener for users.
Example: https://github.com/gardener/gardener/blob/master/example/70-secret-provider.yaml
Usage: Authenticate gardener and kubernetes components for infrastructure operations
Description: Gardener uses the cloudprovider secret to interact with the infrastructure when setting up shoot networks or security groups via the terraformer. It is also used by the cloud-controller-manager of your Shoot to communicate with the infrastructure for example to create Loadbalancer services, routes or retrieve information about Node objects. Depending on the cloudprovider the format of the secret differs. Please consult the example above and respective infrastructure extension documentation for the concrete layout.
To put it in use, a cloudprovider secret is bound to one more namespaces (and therefore projects) using a SecretBinding. For Shoots created in those projects the secret is synced to the shoot namespace in the seed cluster.
Rotation: Rotating the cloudprovider secret requires multiple steps:
- Update the data keys in the secret.
⚠️ Wait until all Shoots using the secret are reconciled before you disable the old secret in your infrastructure account! Otherwise the shoots will no longer function.- After all Shoots using the secret were reconciled you can go ahead and deactivate the old secret in your infrastructure account.
Name: <shoot-name>.kubeconfig
Description: Admin Kubeconfig provided by Gardener for the managed shoot cluster.
This Secret has multiple keys:
kubeconfig: the completed kubeconfigtoken: token forsystem:cluster-adminuserusername/password: basic auth credentials (if enabled viaShoot.spec.kubernetes.kubeAPIServer.enableBasicAuthentication)ca.crt: the CA bundle for establishing trust to the API server (same as in the Cluster CA bundle secret)
NOTE
This Kubeconfig contains the highest privileges in the cluster. We strongly discourage distributing or using this Kubeconfig. Instead, configure dedicated Service Accounts, OIDC or similar alternatives to grant role-based and revocable access for a broader audience.
Rotation: Kubeconfig can be rotated by annotating the shoot resource with gardener.cloud/operation: rotate-kubeconfig-credentials.
The substituted Kubeconfig are provided after the initialized reconciliation was performed. Please note, shoot clusters
which were created with Gardener version <= 0.28.0 used to have a Kubeconfig based on a client certificate instead of a static token.
These client certificates are not revocable and thus a full credential rotation is not supported.
You can check the .status.credentials.rotation.kubeconfig field in the Shoot to see when the rotation was last initiated or last completed.
Name: <shoot-name>.ca-cluster
Description: Certificate Authority (CA) bundle of the Cluster (Secret key: ca.crt).
This bundle contains one or multiple CAs which are used for signing serving certificates of the Shoot's API server. Hence, the certificates contained in this Secret can be used to verify the API server's identity when communicating with its public endpoint (e.g. as certificate-authority-data in a Kubeconfig).
This is the same certificate that is also contained in the Kubeconfig's certificate-authority-data field.
Rotation: Not supported yet, but work is in progress. See gardener/gardener#3292 and GEP-18 for more details.
Name: <shoot-name>.monitoring
Description: Username/password for accessing the user Grafana instance of a shoot cluster (Secret keys: username/password).
Rotation: Not supported yet.
Name: <shoot-name>.ssh-keypair
Description: SSH-Keypair that is propagated to the worker nodes of the shoot cluster.
The private key can be used to establish an SSH connection to the workers for troubleshooting purposes (Secret keys: id_rsa/id_rsa.pub).
Rotation: Keypair can be rotated by annotating the shoot resource with gardener.cloud/operation: rotate-ssh-keypair.
Propagating the new keypair to all worker nodes may take longer than the initiated reconciliation of the shoot.
The previous keypair can still be found in the <shoot-name>.ssh-keypair.old secret and is still valid until the next rotation.
You can check the .status.credentials.rotation.sshKeypair field in the Shoot to see when the rotation was last initiated or last completed.