This procedure updates the default credentials used by the Redfish Translation Service (RTS) for when new ServerTech PDUs or management network switches are discovered in a system.
The Redfish Translation Service provides a Redfish interface that the Hardware State Manager (HSM) and Power Control Service (PCS) or Cray Advanced Platform Monitoring and Control (CAPMC) services can use interact with ServerTech PDUs and management network switches which do not natively support Redfish.
There are two sets of default credentials that are required for RTS to function:
NOTE RTS management network switch Redfish interfaces only use the global default RTS password. The username comes from the SNMP credentials pushed by REDS. See Update Default Air-Cooled BMC and Leaf-BMC Switch SNMP Credentials to manage the SNMP credentials.
IMPORTANT After this procedure is completed going forward all future ServerTech PDUs added to the system will be assumed to be already configured with the new global default credential when getting added to the system.
NOTE This procedure will not change the credentials on existing ServerTech PDUs in a system. To change the credential on existing air-cooled hardware, follow the Change Credentials on ServerTech PDUs procedure. However, this procedure will update the global default credential that RTS uses for its Redfish interface to other CSM services.
Follow the Redeploying a Chart procedure with the following specifications:
Chart name: cray-hms-rts
Base manifest name: sysmgmt
(ncn-mw#) When reaching the step to update the customizations, perform the following steps:
Only follow these steps as part of the previously linked chart redeploy procedure.
Run git clone https://github.com/Cray-HPE/csm.git.
Acquire sealed secret keys.
mkdir -pv certs
kubectl -n kube-system get secret sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > certs/sealed_secrets.crt
kubectl -n kube-system get secret sealed-secrets-key -o jsonpath='{.data.tls\.key}' | base64 -d > certs/sealed_secrets.key
Modify RTS sealed secret to use new global default credentials.
Inspect the original default ServerTech PDU credentials.
./utils/secrets-decrypt.sh cray_hms_rts_credentials ./certs/sealed_secrets.key ./customizations.yaml | jq .data.vault_pdu_defaults -r | base64 -d | jq
Expected output looks similar to the following:
{
"Username": "admn",
"Password": "foo"
}
Inspect the original default RTS Redfish interface credentials.
./utils/secrets-decrypt.sh cray_hms_rts_credentials ./certs/sealed_secrets.key ./customizations.yaml | jq .data.vault_rts_defaults -r | base64 -d | jq
Expected output looks similar to the following:
{
"Username": "root",
"Password": "secret"
}
Update the default credentials in customizations.yaml for RTS.
Specify the desired default ServerTech PDU credentials.
echo '{"Username":"admn", "Password":"foobar"}' | base64 > rts.pdu.creds.json.b64
Specify the desired default RTS Redfish interface credentials.
echo '{"Username":"root", "Password":"supersecret"}' | base64 > rts.redfish.creds.json.b64
Update and regenerate the cray_hms_rts_credentials sealed secret.
cat << EOF | yq w - 'data.vault_pdu_defaults' "$(<rts.pdu.creds.json.b64)" | yq w - 'data.vault_rts_defaults' "$(<rts.redfish.creds.json.b64)" | yq r -j - | ./utils/secrets-encrypt.sh | yq w -f - -i ./customizations.yaml 'spec.kubernetes.sealed_secrets.cray_hms_rts_credentials'
{
"kind": "Secret",
"apiVersion": "v1",
"metadata": {
"name": "cray-hms-rts-credentials",
"namespace": "services",
"creationTimestamp": null
},
"data": {}
}
EOF
Decrypt generated secret for review.
Review the default ServerTech PDU credentials.
./utils/secrets-decrypt.sh cray_hms_rts_credentials ./certs/sealed_secrets.key ./customizations.yaml | jq .data.vault_pdu_defaults -r | base64 -d | jq
Expected output looks similar to the following:
{
"Username": "admn",
"Password": "foobar"
}
Review the Default RTS Redfish interface credentials.
./utils/secrets-decrypt.sh cray_hms_rts_credentials ./certs/sealed_secrets.key ./customizations.yaml | jq .data.vault_rts_defaults -r | base64 -d | jq
Expected output looks similar to the following:
{
"Username": "root",
"Password": "supersecret"
}
(ncn-mw#) When reaching the step to validate the redeployed chart, perform the following steps:
Only follow these steps as part of the previously linked chart redeploy procedure.
Wait for the RTS job to run to completion:
kubectl -n services wait job cray-hms-rts-init --for=condition=complete --timeout=5m
Verify that the default ServerTech PDU credentials have updated in Vault.
VAULT_PASSWD=$(kubectl -n vault get secrets cray-vault-unseal-keys -o json | jq -r '.data["vault-root"]' | base64 -d)
kubectl -n vault exec -it cray-vault-0 -c vault -- env VAULT_TOKEN=$VAULT_PASSWD VAULT_ADDR=http://127.0.0.1:8200 vault kv get secret/pdu-creds/global/pdu
Expected output:
====== Data ======
Key Value
--- -----
Password foobar
Username admn
Verify that the default RTS Redfish interface credential has updated in Vault.
kubectl -n vault exec -it cray-vault-0 -c vault -- env VAULT_TOKEN=$VAULT_PASSWD VAULT_ADDR=http://127.0.0.1:8200 vault kv get secret/pdu-creds/global/rts
Expected output:
====== Data ======
Key Value
--- -----
Password supersecret
Username root
Make sure to perform the entire linked procedure, including the step to save the updated customizations.
(ncn-mw#) Scale the SNMP-backed RTS down.
kubectl scale deployment cray-hms-rts-snmp -n services --replicas=0
(ncn-mw#) Scale the SNMP-backed RTS up.
kubectl scale deployment cray-hms-rts-snmp -n services --replicas=1