Openstack driver privatekeyFile location and safety

Hi,
I’ve set up Rancher-2.0 in HA mode with 3 nodes.
The Openstack driver needs an absolute path to the SSH private key file.
Where exactly do I need to put this file?
Does it also mean that users will have to share their private keys with admins to put them on the Rancher servers?

-Regards,
Divyang

Hi @divyangjp,

It needs to be inside the Rancher container, anywhere inside it where you can specify the path.

Since Rancher in a 3-node setup runs on a K8s cluster, you can do it using a secret and mounting it as a file inside the Rancher container.

Regards,

Hi @amioranza
Thanks for replying.
But can you be more technically specific about the steps?

-Divyang

For sure,

First you need to create a new secret in the cattle-system namespace with this command:

kubectl create secret generic my-private-key -n cattle-system --from-file=ssh-privatekey=$HOME/.ssh/id_rsa

With the secret OK in your cattle-system namespace you have to update the rancher deployment. You can get the current yaml of your deployment with this command:

kubectl get deployment cattle -n cattle-system -o yaml

Now with the yaml you need to do some cleanup to remove the fields that the k8s API creates automatically and add two new sections: first the mount of the key on some path and second the volume based on the created secret:
Volume mount:

volumeMounts:
...
- mountPath: /tmp/ssh/id_rsa
  name: my-private-key        # must match a volumes[].name below
  subPath: ssh-privatekey     # key inside the secret, so the key is mounted as a file, not a directory
  readOnly: true

Volumes:

volumes:
...
- name: my-private-key        # same name the volumeMounts entry refers to
  secret:
    secretName: my-private-key
    defaultMode: 420

With everything ready, apply the deployment again:

kubectl apply -f rancher-deployment.yaml -n cattle-system

Now you need to test the deploy, specifying the private key of your Openstack template as /tmp/ssh/id_rsa.

Regards,
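The two errors reported later in this thread (secret fields placed on the volume instead of under secret:, and a volumeMounts name that matches no volume) can be caught before kubectl sees the manifest. This is an added example, not code from the thread or from Rancher: it builds a strategic-merge patch for the cattle deployment and lints the pod spec for exactly those mistakes. The container name "cattle" is an assumption; check it against your own deployment.

```python
import json

# Constructed values matching the thread's secret and mount path.
SECRET_NAME = "my-private-key"
KEY_ITEM = "ssh-privatekey"       # key used in `kubectl create secret ... --from-file=ssh-privatekey=...`
MOUNT_PATH = "/tmp/ssh/id_rsa"


def build_patch(secret_name=SECRET_NAME, key_item=KEY_ITEM, mount_path=MOUNT_PATH):
    """Strategic-merge patch that adds a read-only secret file mount to the container."""
    return {"spec": {"template": {"spec": {
        "containers": [{
            "name": "cattle",                 # assumed container name; verify in your deployment
            "volumeMounts": [{
                "name": secret_name,          # must match volumes[].name below
                "mountPath": mount_path,
                "subPath": key_item,          # mount the single key as a file, not a directory
                "readOnly": True,
            }],
        }],
        "volumes": [{
            "name": secret_name,
            "secret": {"secretName": secret_name, "defaultMode": 0o400},
        }],
    }}}}


def lint_pod_spec(pod_spec):
    """Return the validation errors kubectl would raise for the mistakes seen in this thread."""
    errors = []
    volume_names = set()
    for i, vol in enumerate(pod_spec.get("volumes", [])):
        volume_names.add(vol.get("name"))
        # secretName/defaultMode belong under .secret, not on the volume itself
        for field in ("secretName", "defaultMode"):
            if field in vol:
                errors.append(f"volumes[{i}]: unknown field {field} (belongs under secret:)")
        if "secret" in vol and "secretName" not in vol["secret"]:
            errors.append(f"volumes[{i}]: secret.secretName is required")
    for c, ctr in enumerate(pod_spec.get("containers", [])):
        for m, mount in enumerate(ctr.get("volumeMounts", [])):
            if mount.get("name") not in volume_names:
                errors.append(f"containers[{c}].volumeMounts[{m}].name: Not found: {mount.get('name')}")
    return errors


if __name__ == "__main__":
    patch = build_patch()
    assert not lint_pod_spec(patch["spec"]["template"]["spec"])
    # usage: kubectl patch deployment cattle -n cattle-system --type strategic -p "$(python3 this_script.py)"
    print(json.dumps(patch))
```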

@amioranza Perfect. Thanks for taking time to give complete example. :slight_smile:

Thanks @amioranza. Unfortunately, I tried your approach and got the errors below. First, I got a validation error saying “defaultMode” and “secretName” are unknown fields:
error: error validating “rancher-deployment.yaml”: error validating data: [ValidationError(Deployment.spec.template.spec.volumes[0]): unknown field “defaultMode” in io.k8s.api.core.v1.Volume, ValidationError(Deployment.spec.template.spec.volumes[0]): unknown field “secretName” in io.k8s.api.core.v1.Volume]; if you choose to ignore these errors, turn validation off with --validate=false

After I removed those fields and re-applied, I got:
The Deployment “cattle” is invalid: spec.template.spec.containers[0].volumeMounts[0].name: Not found: “my-private-key”

It seems like cattle-system cannot support the volume mount well. Any further instructions?
Thanks a lot!

Rancher version v2.0.6

Just ran into this issue myself when working with 2.2 as a test case.

I set up the environment via the HA install and tried to deploy a cluster via Openstack. I found a way around it via the GUI: you can get a shell in the cattle pod via the GUI, and from there you can put in the file. I had to install the nano text editor to be able to create the file, but from there I was able to get it created and provision the cluster.

Outside of the GUI I tried many different ways to get into the thing but with no luck.

Actually, you don’t need to go all the way that far.

Easier way is to NOT specify privateKeyFile at all. In this case Rancher would generate its own security key, one per node, upload the public part of it into Openstack and use it to provision the VMs. Magic.


A hybrid model is NOT to specify privateKeyFile at all, as @anthony says, so that Rancher creates a dedicated key for sshUser on each server, but nevertheless to add a user-data file and create an account with ssh_authorized_keys, so that you can still access all nodes without downloading a dedicated key for each host.

@anthony good job, but the create secret should be in the cattle-system namespace.