Update Default ServerTech PDU Credentials used by the Redfish Translation Service (RTS)

This procedure updates the default credentials that the Redfish Translation Service (RTS) uses when new ServerTech PDUs are discovered in a system.

The Redfish Translation Service provides a Redfish interface that the Hardware State Manager (HSM) and Cray Advanced Platform Monitoring and Control (CAPMC) services can use to interact with ServerTech PDUs, which do not natively support Redfish.

There are two sets of default credentials that are required for RTS to function:

  • The default credentials to use when new ServerTech PDUs are discovered in the system.
  • The global default credential that RTS uses for its Redfish interface with other CSM services.

IMPORTANT After this procedure is completed, all ServerTech PDUs subsequently added to the system are assumed to already be configured with the new global default credential.

NOTE This procedure will not change the credentials on existing ServerTech PDUs in a system. To change the credential on existing air-cooled hardware, follow the Change Credentials on ServerTech PDUs procedure. However, this procedure will update the global default credential that RTS uses for its Redfish interface to other CSM services.

Procedure

Follow the Redeploying a Chart procedure with the following specifications:

  • Chart name: cray-hms-rts

  • Base manifest name: sysmgmt

  • (ncn-mw#) When reaching the step to update the customizations, perform the following steps:

    Only follow these steps as part of the previously linked chart redeploy procedure.

    1. Run git clone https://github.com/Cray-HPE/csm.git.

    2. Acquire sealed secret keys.

      mkdir -pv certs
      kubectl -n kube-system get secret sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > certs/sealed_secrets.crt
      kubectl -n kube-system get secret sealed-secrets-key -o jsonpath='{.data.tls\.key}' | base64 -d > certs/sealed_secrets.key
      
    3. Modify RTS sealed secret to use new global default credentials.

      1. Inspect the original default ServerTech PDU credentials.

        ./utils/secrets-decrypt.sh cray_hms_rts_credentials ./certs/sealed_secrets.key ./customizations.yaml | jq .data.vault_pdu_defaults -r | base64 -d | jq
        

        Expected output looks similar to the following:

        {
          "Username": "admn",
          "Password": "foo"
        }
        
      2. Inspect the original default RTS Redfish interface credentials.

        ./utils/secrets-decrypt.sh cray_hms_rts_credentials ./certs/sealed_secrets.key ./customizations.yaml | jq .data.vault_rts_defaults -r | base64 -d | jq
        

        Expected output looks similar to the following:

        {
          "Username": "root",
          "Password": "secret"
        }
        
      3. Update the default credentials in customizations.yaml for RTS.

        1. Specify the desired default ServerTech PDU credentials.

          echo '{"Username":"admn", "Password":"foobar"}' | base64 > rts.pdu.creds.json.b64
          
        2. Specify the desired default RTS Redfish interface credentials.

          echo '{"Username":"root", "Password":"supersecret"}' | base64 > rts.redfish.creds.json.b64
          
      4. Update and regenerate the cray_hms_rts_credentials sealed secret.

        cat << EOF | yq w - 'data.vault_pdu_defaults' "$(<rts.pdu.creds.json.b64)" | yq w - 'data.vault_rts_defaults' "$(<rts.redfish.creds.json.b64)" | yq r -j - | ./utils/secrets-encrypt.sh | yq w -f - -i ./customizations.yaml 'spec.kubernetes.sealed_secrets.cray_hms_rts_credentials'
        {
            "kind": "Secret",
            "apiVersion": "v1",
            "metadata": {
                "name": "cray-hms-rts-credentials",
                "namespace": "services",
                "creationTimestamp": null
            },
            "data": {}
        }
        EOF
        
      5. Decrypt generated secret for review.

        1. Review the default ServerTech PDU credentials.

          ./utils/secrets-decrypt.sh cray_hms_rts_credentials ./certs/sealed_secrets.key ./customizations.yaml | jq .data.vault_pdu_defaults -r | base64 -d | jq
          

          Expected output looks similar to the following:

          {
            "Username": "admn",
            "Password": "foobar"
          }
          
        2. Review the default RTS Redfish interface credentials.

          ./utils/secrets-decrypt.sh cray_hms_rts_credentials ./certs/sealed_secrets.key ./customizations.yaml | jq .data.vault_rts_defaults -r | base64 -d | jq
          

          Expected output looks similar to the following:

          {
            "Username": "root",
            "Password": "supersecret"
          }
          
  • (ncn-mw#) When reaching the step to validate the redeployed chart, perform the following steps:

    Only follow these steps as part of the previously linked chart redeploy procedure.

    1. Wait for the RTS job to run to completion:

      kubectl -n services wait job cray-hms-rts-init --for=condition=complete --timeout=5m
      
    2. Verify that the default ServerTech PDU credentials have been updated in Vault.

      VAULT_PASSWD="$(kubectl -n vault get secrets cray-vault-unseal-keys -o json | jq -r '.data["vault-root"]' | base64 -d)"
      kubectl -n vault exec -it cray-vault-0 -c vault -- env VAULT_TOKEN="$VAULT_PASSWD" VAULT_ADDR=http://127.0.0.1:8200 vault kv get secret/pdu-creds/global/pdu
      

      Expected output:

      ====== Data ======
      Key         Value
      ---         -----
      Password    foobar
      Username    admn
      
    3. Verify that the default RTS Redfish interface credential has been updated in Vault.

      kubectl -n vault exec -it cray-vault-0 -c vault -- env VAULT_TOKEN="$VAULT_PASSWD" VAULT_ADDR=http://127.0.0.1:8200 vault kv get secret/pdu-creds/global/rts
      

      Expected output:

      ====== Data ======
      Key         Value
      ---         -----
      Password    supersecret
      Username    root
      
  • Make sure to perform the entire linked procedure, including the step to save the updated customizations.
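
The hand-typed JSON in the step that specifies the desired credentials works for simple passwords. The following added example (not part of the CSM procedure or repository) builds the same payload when the password contains quotes or backslashes, keeps the base64 on a single line, and writes the file with mode 0600. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; json_escape, encode_cred and decode_cred are hypothetical
# helper names, not utilities shipped with CSM.

# json_escape VALUE: escape backslash and double quote for use inside a JSON
# string. Control characters are refused rather than encoded.
json_escape() {
    clean=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')
    if [ "$clean" != "$1" ]; then
        echo "json_escape: control character in value" >&2
        return 1
    fi
    # Backslashes are doubled first so the quote escapes are not re-escaped.
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# encode_cred USERNAME PASSWORD OUTFILE: write the base64 of
# {"Username":...,"Password":...} to OUTFILE as one unwrapped line.
encode_cred() {
    user=$(json_escape "$1") || return 1
    pass=$(json_escape "$2") || return 1
    # Remove any stale file so the new one is created under umask 077.
    rm -f -- "$3"
    (
        umask 077
        # printf avoids the backslash handling some echo implementations do;
        # tr removes the line wrapping base64 applies to long input.
        printf '{"Username":"%s","Password":"%s"}' "$user" "$pass" \
            | base64 | tr -d '\n' > "$3"
    )
}

# decode_cred FILE: print the JSON document stored in FILE, for review before
# the sealed secret is regenerated.
decode_cred() {
    base64 -d < "$1"
}
```

Call `encode_cred admn "$NEW_PASSWORD" rts.pdu.creds.json.b64` (with `NEW_PASSWORD` as a placeholder variable) in place of the `echo ... | base64` command, then continue with the sealed secret regeneration step unchanged.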