root password and SSH keys in Vault

This procedure sets the `root` user password and SSH keys on management nodes. The `root` password and SSH keys are set and managed in Vault, and they are applied on management nodes by the `csm.password` and `csm.ssh_keys` Ansible roles provided by the CSM product.

This procedure should be run during CSM installation and at any later time when the `root` password or SSH keys need to be changed per site requirements.
root password and SSH keys in Vault

Choose one of the following options for setting the `root` password and SSH keys in Vault:
The automated default method uses the `write_root_secrets_to_vault.py` script to read in the current `root` user password and SSH keys from the NCN where it is run, and write those to Vault. All of the NCNs are booted from images which already had their `root` passwords and SSH keys customized during the Deploy Management Nodes procedure of the CSM install. In most cases, these are the same password and keys that should be written to Vault, and this script provides an easy way to do that.

Specifically, the `write_root_secrets_to_vault.py` script reads the following from the NCN where it is run:

- The `root` user password hash from the `/etc/shadow` file.
- `/root/.ssh/id_rsa`
- `/root/.ssh/id_rsa.pub`

This script can be run on any Kubernetes management NCN (master or worker). It only needs to be run once for the cluster, because the same Vault credentials are used for all management NCNs.
The `docs-csm` RPM must be installed in order to use this script. See Check for Latest Documentation.

(`ncn-mw#`) Run the script with the following command:

```bash
/usr/share/doc/csm/scripts/operations/configuration/write_root_secrets_to_vault.py
```

A successful execution will exit with return code 0 and will have output similar to the following:
```text
Reading in SSH private key from '/root/.ssh/id_rsa' file
Reading in SSH public key from '/root/.ssh/id_rsa.pub' file
Reading in file '/etc/shadow'
Found root user line in /etc/shadow
Initializing Kubernetes client
Making GET request to http://10.22.183.206:8200/v1/secret/csm/users/root
Writing updated CSM root secret to Vault
Making POST request to http://10.22.183.206:8200/v1/secret/csm/users/root
Making GET request to http://10.22.183.206:8200/v1/secret/csm/users/root
Secrets read back from Vault match desired values
SUCCESS
```

Proceed to Apply configuration with CFS node personalization.
NOTE: Information on writing the `root` user password and the SSH keys to Vault is documented in two separate procedures. However, if both the password and the SSH keys are to be stored in Vault (the standard case), then the two procedures must be combined. Specifically, only a single `write` command must be made to Vault, containing both the password and the SSH keys. If multiple `write` commands are performed, only the information from the final command will persist.
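The single combined write that the note above requires, shown as an added example that is not the docs-csm script and does not use its Vault schema: it parses the `root` hash out of constructed shadow data, builds one secret holding both the password hash and the SSH keys, and uses an in-memory stand-in for a Vault KV v1 path (where every write replaces the whole secret) to show that two separate writes drop the first write's fields. The key names `password`, `ssh_private_key` and `ssh_public_key` are assumptions.

```python
"""Added example (not the docs-csm write_root_secrets_to_vault.py script)."""
import json

# Constructed sample inputs; on an NCN these come from /etc/shadow and /root/.ssh.
SAMPLE_SHADOW = ("bin:*:18000:0:99999:7:::\n"
                 "root:$6$SALT$HASHPLACEHOLDER:18500:0:99999:7:::\n")
SAMPLE_PRIV = ("-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n"
               "-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_PUB = "ssh-rsa AAAAB3Placeholder root@ncn-m001\n"

# Path shown in the script's output on this page.
PATH = "secret/csm/users/root"


def root_hash_from_shadow(shadow_text: str) -> str:
    """Return the password-hash field of the root line, as the script reads it."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields and fields[0] == "root":
            return fields[1]
    raise ValueError("root user line not found in shadow data")


def build_root_secret(shadow_text: str, priv_key: str, pub_key: str) -> dict:
    """One secret carrying both the password hash and the keys (key names assumed)."""
    return {"password": root_hash_from_shadow(shadow_text),
            "ssh_private_key": priv_key,
            "ssh_public_key": pub_key}


class FakeKvV1:
    """Minimal stand-in for a Vault KV v1 path: a write replaces the whole secret."""
    def __init__(self):
        self.store = {}

    def write(self, path: str, data: dict) -> None:
        self.store[path] = json.loads(json.dumps(data))  # store a copy

    def read(self, path: str):
        return self.store.get(path)


def write_and_verify(vault: FakeKvV1, secret: dict) -> bool:
    """Single combined write, then read back and compare, as the script does."""
    vault.write(PATH, secret)
    return vault.read(PATH) == secret


def separate_writes_lose_data(vault: FakeKvV1) -> bool:
    """Demonstrates the note: after two writes only the last one's fields remain."""
    vault.write(PATH, {"password": root_hash_from_shadow(SAMPLE_SHADOW)})
    vault.write(PATH, {"ssh_private_key": SAMPLE_PRIV, "ssh_public_key": SAMPLE_PUB})
    return "password" not in vault.read(PATH)
```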
Set the `root` user password and SSH keys in Vault by combining the following two procedures:

- Configure Root Password in Vault procedure in Update NCN User Passwords.
- Configure Root SSH Keys in Vault procedure in Update NCN User SSH Keys.

Proceed to Apply configuration with CFS node personalization.
Apply configuration with CFS node personalization

This step is only necessary if performing this procedure as an operational task. If performing this procedure as part of a CSM install, skip this step and return to Configure Administrative Access.

After the `root` password and SSH keys have been set in Vault, they will be applied to management nodes during node personalization. CFS automatically re-configures the management nodes via the CFS Batcher whenever the CFS configuration applied to the components changes, the nodes reboot, or the component state is cleared in CFS. See Automatic Configuration Management for more information about the CFS Batcher. Since the changes here are made in Vault, the CFS Batcher will not automatically apply the new `root` password and SSH keys.

See the Re-run node personalization on management nodes procedure to re-run NCN node personalization on management nodes.