Skip to content

Cloud Provider Credentials Management in CAPI#

Cloud provider credentials in Cluster API (CAPI) environments are managed through objects in the management cluster. Credential, ClusterIdentity, and Secret (related to ClusterIdentity) objects handle credential storage and management, while a dedicated ConfigMap object is used as a template to render configuration into child clusters.

Configuration Patterns#

The configuration follows two patterns:

  1. ClusterIdentity Pattern
  2. Uses a ClusterIdentity resource that defines provider identity configuration
  3. References a Secret with credentials

  4. Used by Azure and vSphere in-tree providers

  5. Source Secret Pattern

  6. Uses only a Secret without ClusterIdentity
  7. Secret contains all cloud configuration data
  8. Used by OpenStack in-tree provider

In both cases ConfigMap with template code is used to render configuration into child clusters.

Credential Resource#

The Credential resource provides an abstraction layer by either: - Referencing a ClusterIdentity through identityRef - Directly referencing a Secret, depending on the pattern used

Template ConfigMap#

  • Marked with projectsveltos.io/template: "true" annotation
  • Contains Go template code for generating child cluster resources via the Sveltos templating system
  • Template processing accesses cluster objects through:
  • Built-in Sveltos variables (Cluster, InfrastructureProvider)
  • getResource function for additionally exposed objects (InfrastructureProviderIdentity, InfrastructureProviderIdentitySecret)
  • The object name needs to follow a predictable naming pattern, such as the ClusterIdentity object (referenced via identityRef in the Credential resource) name + -resource-template suffix. It must also be placed in same Namespace as the ClusterIdentity object it references

Templating System#

The templating system leverages: - Golang templating - Sprig functions - Sveltos resource manipulation functions

Examples#

Provider-specific examples are available in *.credentials.yaml files here.

Let's take Azure provider as an example azure-credentials.yaml

Note

These examples assume the ConfigMap is included in a template. To use these examples directly via kubectl, please replace $$ (double dollar signs) with $ (single dollar sign)

Provider Registration#

Providers are registered through YAML configuration files mounted into a predefined path in the manager container at startup using ConfigMap.

Examples#

Provider configuration examples can be found here

Let's take Azure provider as an example azure.yml, as seen, the definition is straightforward.