install-and-configure/advanced-configuration/key-rotation.md
8 additions & 17 deletions
@@ -1,23 +1,14 @@
1
1
# Service Key Rotation
2
2
3
-
Cloud provider service keys can be used in various aspects of the Kubecost installation. This includes configuring [integrating your cloud provider billing data with Kubecost](/install-and-configure/install/cloud-integration/README.md), [setting up multi-cluster environments](/install-and-configure/install/multi-cluster/multi-cluster.md), and [backing up data](/install-and-configure/install/multi-cluster/federated-etl/federated-etl-backups-alerting.md). While automated IAM authentication via a Kubernetes service account like AWS IRSA is recommended, there are some scenarios where key-based authentication is preferred. When this method is used, rotating the keys at a pre-defined interval is a security best practice. Combinations of these features can be used, and therefore you may need to follow one or more of the below steps.
3
+
Cloud provider service keys can be used in various aspects of the Kubecost installation. This includes [integrating your cloud provider billing data with Kubecost](/install-and-configure/install/cloud-integration/README.md), [setting up multi-cluster environments](/install-and-configure/install/multi-cluster/multi-cluster.md), and [backing up data](/install-and-configure/install/multi-cluster/federated-etl/federated-etl-backups-alerting.md). While automated IAM authentication via a Kubernetes service account like AWS IRSA is recommended, there are some scenarios where key-based authentication is preferred. When this method is used, rotating the keys at a pre-defined interval is a security best practice. Combinations of these features can be used, and therefore you may need to follow one or more of the below steps.
4
4
5
-
## Adding cloud provider keys
5
+
## Cloud billing integration keys
6
6
7
-
There are multiple methods for adding cloud provider keys to Kubecost when configuring a cloud integration. This article will cover all three procedures. Be sure to use the same method that was used during the initial installation of Kubecost when rotating keys.
8
-
See the [Cloud Integrations](/install-and-configure/install/cloud-integration/README.md) doc for additional details.
7
+
1. Update the Kubernetes secret containing the `cloud-integration.json` with the newly rotated key. See [Cloud Integrations](/install-and-configure/install/cloud-integration/README.md) for more configuration details.
8
+
2. Restart the `cloud-cost` pod if it exists, otherwise restart the `cost-analyzer` pod.
9
+
3. Verify the new key is working correctly. Any authentication errors should be present early in the container logs. Additionally, you can check the status of the cloud integration in the Kubecost UI via _Settings_ > _View Full Diagnostics_.
9
10
10
-
1. The preferred and most common is via the multi-cloud _cloud-integration.json_ Kubernetes secret.
11
-
2. The second method is to define the appropriate secret in Kubecost's [_values.yaml_](https://github.com/kubecost/cost-analyzer-helm-chart/blob/develop/cost-analyzer/values.yaml).
12
-
3. The final method to configure keys is via the Kubecost Settings page.
13
-
14
-
The primary sequence for setting up your key is:
15
-
16
-
1. Modify the appropriate Kubernetes secret, Helm value, or update via the Settings page.
17
-
2. Restart the Kubecost `cost-analyzer` pod.
18
-
3. Verify the new key is working correctly. Any authentication errors should be present early in the `cost-model` container logs from the `cost-analyzer` pod. Additionally, you can check the status of the cloud integration in the Kubecost UI via _Settings_ > _View Full Diagnostics_.
19
-
20
-
## Adding multi-cluster keys
11
+
## Multi-cluster keys
21
12
22
13
There are two methods for enabling multi-clustering in Kubecost:
23
14
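Review bot: The new three-step list under "Cloud billing integration keys" (added lines 7-9) covers only the `cloud-integration.json` secret, while the removed text listed two other ways keys may have been configured (Helm `values.yaml` and the Settings page) and told readers to rotate with the same method used at install. Installations that used either of those methods are left without a rotation path; keep a sentence pointing them at the matching method, or state that they should move to the secret. Step 3 also now says only "the container logs"; name the pod and container to check, since step 2 can restart either `cloud-cost` or `cost-analyzer`. Consider a fourth step that disables or deletes the old key at the cloud provider once verification passes, because the previous key stays usable until it is revoked.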
@@ -32,8 +23,8 @@ With Federated ETL objects, storage keys can be provided in two ways. The prefer
32
23
33
24
1. Update the appropriate Kubernetes secret with the new key on each cluster.
34
25
2. Restart the Kubecost `cost-analyzer` pod.
35
-
3.Restart the Kubecost `federator` pod.
36
-
4. Verify the new key is working correctly by checking the `cost-model`container logs from the `cost-analyzer` pod for any object storage authentication errors. Additionally, verify there are no object storage errors in the `federator` pod logs.
26
+
3.If it exists, restart the `aggregator` pod.
27
+
4. Verify the new key is working correctly by checking the container logs for any object storage authentication errors.
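Review bot: Added line 26 has no space after "3." ("3.If it exists, restart the `aggregator` pod."), so Markdown will not render it as a list item and it will run into step 2; the removed "3.Restart ..." line had the same defect, so this is a good moment to fix it. Step 4 also drops the pod and container names the old text gave; now that both `cost-analyzer` and `aggregator` may be restarted, say which pods' logs to check for object storage authentication errors.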