TKG clusters use secrets to store tokens, keys, and passwords for operating.
List of TKG Cluster Secrets
A Kubernetes secret is an object that stores a small amount of sensitive data such as a password, a token, or an SSH key. TKG cluster administrators might use several secrets while operating clusters. The table lists and describes key secrets cluster administrators might use.
Note: The list is not exhaustive. It includes only those secrets that might need to be manually rotated or used to access cluster nodes for troubleshooting purposes.
Note: You need to be logged in to the target cluster to run these commands. See Connect to a TKG Service Cluster as a vCenter Single Sign-On User with Kubectl.
| Secret | Description |
|---|---|
| `TANZU-KUBERNETES-CLUSTER-NAME-ccm-token-RANDOM` | A service account token used by the paravirtual cloud provider's cloud controller manager to connect to the vSphere Namespace. To trigger rotation of this credential, delete the secret. |
| `TANZU-KUBERNETES-CLUSTER-NAME-pvcsi-token-RANDOM` | A service account token used by the paravirtual CSI plug-in to connect to the vSphere Namespace. To trigger rotation of this credential, delete the secret. |
| `TANZU-KUBERNETES-CLUSTER-NAME-kubeconfig` | A kubeconfig file that can be used to connect to the cluster control plane as the `kubernetes-admin` user. This secret can be used to access a cluster and troubleshoot it when vCenter Single Sign-On authentication is not available. |
| `TANZU-KUBERNETES-CLUSTER-NAME-ssh` | An SSH private key that can be used to connect to any cluster node as the `vmware-system-user`. This secret can be used to SSH to any cluster node and troubleshoot it. |
| `TANZU-KUBERNETES-CLUSTER-NAME-ssh-password` | A password that can be used to connect to any cluster node as the `vmware-system-user`. |
| `TANZU-KUBERNETES-CLUSTER-NAME-ca` | The root CA certificate for the TKG cluster control plane that is used by `kubectl` to securely connect to the Kubernetes API server. |
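The table above gives the naming patterns of these secrets; the following script is an added example (not from this documentation page or from VMware) that turns the patterns into an inventory an operator can act on. It classifies the secret names found in a vSphere Namespace, marks which ones the table says are rotated by deletion, and wraps the two follow-up actions: deleting a token secret to trigger rotation, and extracting the admin kubeconfig to a file readable only by the current user. It assumes `kubectl` is already pointed at the vSphere Namespace that owns the cluster; the cluster name `tkc-01`, the namespace variable, and the random suffixes in the sample input are constructed placeholders, and the `.data.value` key used for the kubeconfig secret is an assumption about the secret's layout.

```shell
#!/bin/sh
# Added example: inventory and act on the documented TKG cluster secrets.
# Not part of the VMware documentation; cluster/namespace values are placeholders.

# Classify one secret name ($2) against the documented patterns for cluster $1.
# Prints: ccm-token | pvcsi-token | kubeconfig | ssh | ssh-password | ca | other
classify_secret() {
  case "$2" in
    "$1-ccm-token-"*)   echo ccm-token ;;
    "$1-pvcsi-token-"*) echo pvcsi-token ;;
    "$1-kubeconfig")    echo kubeconfig ;;
    "$1-ssh-password")  echo ssh-password ;;
    "$1-ssh")           echo ssh ;;
    "$1-ca")            echo ca ;;
    *)                  echo other ;;
  esac
}

# Per the table, only the two service account tokens are rotated by deleting the secret.
is_rotatable() {
  case "$1" in
    ccm-token|pvcsi-token) return 0 ;;
    *) return 1 ;;
  esac
}

# Read secret names (one per line) on stdin and print a tab-separated inventory:
# kind, rotation method, secret name. Names that match none of the patterns are skipped.
# Live input would come from: kubectl -n "$NAMESPACE" get secrets -o name | sed 's#^secret/##'
audit_secret_names() {
  cluster="$1"
  while IFS= read -r secret_name; do
    [ -n "$secret_name" ] || continue
    kind=$(classify_secret "$cluster" "$secret_name")
    [ "$kind" = other ] && continue
    if is_rotatable "$kind"; then method=rotate-by-delete; else method=static; fi
    printf '%s\t%s\t%s\n' "$kind" "$method" "$secret_name"
  done
}

# Trigger rotation of a ccm or pvcsi token by deleting its secret (refuses other kinds).
rotate_token_secret() {
  ns="$1"; cluster="$2"; secret_name="$3"
  kind=$(classify_secret "$cluster" "$secret_name")
  if ! is_rotatable "$kind"; then
    echo "refusing to delete $secret_name: kind '$kind' is not rotated by deletion" >&2
    return 1
  fi
  kubectl -n "$ns" delete secret "$secret_name"
}

# Write the admin kubeconfig to $3 with mode 0600; the '.data.value' key is an assumption.
extract_kubeconfig() {
  ns="$1"; cluster="$2"; out="$3"
  umask 077
  kubectl -n "$ns" get secret "$cluster-kubeconfig" -o jsonpath='{.data.value}' | base64 -d > "$out"
}

# Constructed sample: what a namespace listing might contain for cluster tkc-01.
# The RANDOM suffixes and the unrelated names are made up for this example.
sample_secret_names() {
  cat <<'EOF'
tkc-01-ccm-token-x7k2q
tkc-01-pvcsi-token-9mbz4
tkc-01-kubeconfig
tkc-01-ssh
tkc-01-ssh-password
tkc-01-ca
default-token-abc12
other-cluster-kubeconfig
EOF
}

# Offline demonstration against the constructed sample (no kubectl needed).
sample_secret_names | audit_secret_names tkc-01
```

Against a live namespace, replace the sample with the `kubectl get secrets -o name` pipeline shown in the comment; `rotate_token_secret` deliberately refuses anything other than the two token secrets so that a typo cannot delete the kubeconfig, SSH, or CA secret, which the table does not describe as regenerated on deletion.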