Script to update vsphere credential (aws#9189)

eks-distro-pr-bot · Feb 4, 2025 · c54a7c4 · c54a7c4
1 parent 77c5f23
commit c54a7c4
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 1 deletion.
diff --git a/docs/content/en/docs/clustermgmt/cluster-upgrades/vsphere-credential-update.md b/docs/content/en/docs/clustermgmt/cluster-upgrades/vsphere-credential-update.md
@@ -16,4 +16,10 @@ Currently EKS Anywhere does not support updating vSphere credential when upgradi
 2. Only update Secret `vsphere-credentials` under `eksa-system` namespace then trigger a full EKS-A CAPI cluster upgrade by modifying the cluster spec:
 - Update `EKSA_VSPHERE_PASSWORD` environment variable to the new password and get the base64 encoded string of the password using `echo -n "<YOUR_PASSWORD>" | base64`
 - Update secret `vsphere-credentials` under `eksa-system` namespace - Update `password`, `passwordCP`, `passwordCSI` field under data and in `kubectl.kubernetes.io/last-applied-configuration` if annotation exists.
-- Modify any field in the cluster config file and then run `eksctl anywhere upgrade cluster -f <cluster-config-file>` to trigger a full cluster upgrade. This will automatically apply the new credentials to all related secrets.
+- Modify any field in the cluster config file and then run `eksctl anywhere upgrade cluster -f <cluster-config-file>` to trigger a full cluster upgrade. This will automatically apply the new credentials to all related secrets.
+
+3. Update all vSphere credentials in related Secret objects using [vSphere credential update script](https://github.com/aws/eks-anywhere/blob/main/scripts/update_vsphere_credential.sh) in EKS Anywhere github repository, follow the steps below:
+- Set `KUBECONFIG` environment variable to the kubeconfig file generated by EKS Anywhere.
+- Update `EKSA_VSPHERE_USERNAME` and `EKSA_VSPHERE_PASSWORD` as environment variables with the new credentials.
+- Save the script and run it by passing EKS Anywhere cluster name and the vSphere server name, `./update_vsphere_credential.sh CLUSTER_NAME VSPHERE_SERVER_NAME`.
+- >**_NOTE:_** The script does not update `{CLUSTER_NAME}-csi-vsphere-config`, if vSphere CSI is configured for your cluster, you must manually update password in `{CLUSTER_NAME}-csi-vsphere-config` under `eksa-system` namespace.
diff --git a/scripts/update_vsphere_credential.sh b/scripts/update_vsphere_credential.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+# Usage: ./update_vsphere_creds.sh <CLUSTER_NAME> <VSPHERE_SERVER_NAME>
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [ "$#" -ne 2 ]; then
+    echo "Usage: ./update_vsphere_creds.sh <CLUSTER_NAME> <VSPHERE_SERVER_NAME>"
+    exit 1
+fi
+
+cluster_name=$1
+vsphere_server_name=$2
+password=$EKSA_VSPHERE_PASSWORD
+username=$EKSA_VSPHERE_USERNAME
+encoded_password="$(echo -n $password | base64)"
+encoded_username="$(echo -n $username | base64)"
+
+# Patch {CLUSTER_NAME}-vsphere-credentials in eksa-system
+kubectl patch -n eksa-system secrets "$cluster_name-vsphere-credentials" --patch="{\"data\":{\"password\":\"$encoded_password\"}}"
+last_applied=$(kubectl get secrets -n eksa-system "$cluster_name-vsphere-credentials" -o jsonpath='{.metadata.annotations.kubectl\.kubernetes\.io/last-applied-configuration}')
+if [[ $last_applied ]]; then
+  new_annotation=$(echo $last_applied | jq -c --arg password $encoded_password '.data.password=$password')
+  kubectl annotate --overwrite -n eksa-system secrets "$cluster_name-vsphere-credentials" kubectl.kubernetes.io/last-applied-configuration=$new_annotation
+fi
+
+# Patch vsphere-credentials in eksa-system
+kubectl patch -n eksa-system secrets vsphere-credentials --patch="{\"data\":{\"password\":\"$encoded_password\",\"passwordCP\":\"$encoded_password\"}}"
+if [[ $(kubectl get secrets -n eksa-system vsphere-credentials -o jsonpath='{.data.passwordCSI}') ]]; then
+  kubectl patch -n eksa-system secrets vsphere-credentials --patch="{\"data\":{\"passwordCSI\":\"$encoded_password\"}}"
+fi
+last_applied=$(kubectl get secrets -n eksa-system vsphere-credentials -o jsonpath='{.metadata.annotations.kubectl\.kubernetes\.io/last-applied-configuration}')
+if [[ $last_applied ]]; then
+  new_annotation=$(echo $last_applied | jq -c --arg password $encoded_password '.data.password=$password | .data.passwordCP=$password | if (.data | has("passwordCSI")) then .data.passwordCSI=$password else. end')
+  kubectl annotate --overwrite -n eksa-system secrets vsphere-credentials kubectl.kubernetes.io/last-applied-configuration=$new_annotation
+fi
+
+# Patch {CLUSTER_NAME}-cloud-provider-vsphere-credentials in eksa-system
+cloud_provider_vsphere_credential=$(cat <<-END
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloud-provider-vsphere-credentials
+  namespace: kube-system
+data:
+  $vsphere_server_name.password: $encoded_password
+  $vsphere_server_name.username: $encoded_username
+type: Opaque
+END
+
+)
+
+encoded_cloud_provider_vsphere_credential=$(echo "$cloud_provider_vsphere_credential" | base64)
+
+kubectl patch -n eksa-system secrets "$cluster_name-cloud-provider-vsphere-credentials" --patch="{\"data\":{\"data\":\"$encoded_cloud_provider_vsphere_credential\"}}"
+last_applied=$(kubectl get secrets -n eksa-system "$cluster_name-cloud-provider-vsphere-credentials" -o jsonpath='{.metadata.annotations.kubectl\.kubernetes\.io/last-applied-configuration}')
+if [[ $last_applied ]]; then
+  new_annotation=$(echo $last_applied | jq -c --arg data $encoded_cloud_provider_vsphere_credential '.data.data=$data')
+  kubectl annotate --overwrite -n eksa-system secrets "$cluster_name-cloud-provider-vsphere-credentials" kubectl.kubernetes.io/last-applied-configuration=$new_annotation
+fi