Hi,
I’ve set up Rancher 2.0 in HA mode with 3 nodes.
The OpenStack driver needs an absolute path to the SSH private key file.
Where exactly do I need to put this file?
Does it also mean that users will have to share their private keys with admins to put them on the Rancher servers?
With the secret in place in your cattle-system namespace, you have to update the Rancher deployment. You can get the current YAML of your deployment with this command:
kubectl get deployment cattle -n cattle-system -o yaml
Now, with the YAML, you need to do some cleanup to remove the fields that the k8s API creates automatically, and add two new sections: first the mount of the key on some path, and second the volume based on the created secret:
Volume mount:
Thanks @amioranza. Unfortunately, I tried your approach and got the errors below. First, I got a validation error saying “defaultMode” and “secretName” are unknown fields: error: error validating “rancher-deployment.yaml”: error validating data: [ValidationError(Deployment.spec.template.spec.volumes[0]): unknown field “defaultMode” in io.k8s.api.core.v1.Volume, ValidationError(Deployment.spec.template.spec.volumes[0]): unknown field “secretName” in io.k8s.api.core.v1.Volume]; if you choose to ignore these errors, turn validation off with --validate=false
After I removed those fields and re-applied, I got: The Deployment “cattle” is invalid: spec.template.spec.containers[0].volumeMounts[0].name: Not found: “my-private-key”
It seems like cattle-system cannot support volume mounts well. Any further instructions?
Thanks a lot!
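For reference, here is the shape of the Secret-backed key mount that the two posts above describe, as an added example written for this page; it is not @amioranza's original snippet. In the Kubernetes API, `secretName` and `defaultMode` are fields of the `secret` block nested inside a volume, not of the volume object itself, and the `name` under `volumeMounts` must match the `name` of a volume in the same pod spec. The deployment name `cattle` and namespace `cattle-system` are taken from the thread; the container name `cattle`, the secret name `my-private-key` and the mount path `/etc/rancher/ssh` are assumptions, and the container name in particular must be copied from the output of `kubectl get deployment cattle -n cattle-system -o yaml`, because a strategic merge patch matches containers by name.

```yaml
# Added example, not the original poster's YAML.
#
# 1) Store the private key as a Secret in the namespace the Rancher pod runs in:
#
#    kubectl -n cattle-system create secret generic my-private-key \
#        --from-file=id_rsa=/path/to/openstack_id_rsa
#
# 2) Apply this fragment as a strategic merge patch instead of re-applying the
#    full exported deployment (which carries server-generated fields):
#
#    kubectl -n cattle-system patch deployment cattle --patch "$(cat cattle-key-patch.yaml)"
#
# The key is then readable inside the container at /etc/rancher/ssh/id_rsa,
# which is the absolute path to enter as privateKeyFile in the OpenStack node template.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cattle                 # deployment name from the thread
  namespace: cattle-system
spec:
  template:
    spec:
      containers:
        - name: cattle           # ASSUMED: use the real container name from the exported YAML
          volumeMounts:
            - name: my-private-key        # must equal the volume name below
              mountPath: /etc/rancher/ssh # ASSUMED path; any absolute path works
              readOnly: true
      volumes:
        - name: my-private-key
          secret:                         # secretName/defaultMode belong here, under `secret:`
            secretName: my-private-key
            defaultMode: 0400             # owner-read only; YAML octal, 256 in decimal/JSON
```

Two caveats a practitioner will want: the mount survives pod restarts and rescheduling, unlike a file copied into a running container's filesystem, and the key is readable by anyone who can read Secrets in cattle-system or exec into the Rancher pod, so a key mounted this way is effectively an admin-held key shared by every node template that references it rather than a per-user credential.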
Just ran into this issue myself when working with 2.2 as a test case.
I set up the environment via the HA Install, and tried to deploy a cluster via OpenStack. I found a way around it via the GUI. You can get a shell in the cattle pod via the GUI and from there you can put in the file. I had to install the nano text editor to be able to create the file, but from there I was able to get it created and provision the cluster.
Outside of the GUI I tried many different ways to get into the thing but with no luck.
Actually, you don’t need to go all the way that far.
The easier way is to NOT specify privateKeyFile at all. In this case Rancher would generate its own security key, one per node, upload the public part of it into OpenStack and use it to provision the VMs. Magic.
A hybrid model is to NOT specify privateKeyFile at all, like @anthony says, so that Rancher creates a dedicated key for sshUser on each server, but nevertheless to add a user-data file that creates an account with ssh_authorized_keys, so that you can still access all nodes without downloading a dedicated key for each host.
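The user-data file for the hybrid model above, as an added example for this page and not the poster's own file. It is a cloud-init cloud-config passed through the OpenStack node template's user-data option (docker-machine's `--openstack-user-data-file`). The account name `ops`, the `sudo` group and the public key are placeholders; substitute your own. Keeping `default` in the `users` list matters: when `users` is given, cloud-init creates the image's default user only if `default` is listed, and that default user is the one Rancher reaches with the per-node key it generates for sshUser, so dropping it would break provisioning.

```yaml
#cloud-config
# Added example, not from the original post.
# Rancher still generates and uses its own per-node key for sshUser; this file
# only adds an operator account whose authorized key you already hold, so every
# node stays reachable without downloading a per-node key.
users:
  - default                       # keep the image's default user (Rancher's sshUser)
  - name: ops                     # ASSUMED account name
    groups: sudo                  # use "wheel" on RHEL/CentOS-based images
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
    lock_passwd: true             # key-only login, no password set
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... ops@bastion   # PLACEHOLDER: your public key
```

Because the same public key lands on every node, rotating or revoking access means re-provisioning the nodes or removing the key from each one; the per-node keys Rancher generates are unaffected by either.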