I’ve noticed a number of people recently ask how to SSH into a Tanzu Community Edition node / host. Particularly what is the user account used and how to confirm what public key is in use. So I took an opportunity to delve into this a little.
The below applies specifically to TCE deployed in a vSphere environment. It should also be relevant to the commercial version of TKG on vSphere. Cloud deployments, like AWS, will be different.
During the deployment of an initial TCE management cluster you are required to enter in a public key. If using the UI for deployment you perform this on Step 1 when configuring the vCenter details. If using a YAML deployment file the key name is VSPHERE_SSH_AUTHORIZED_KEY.
Below is how the SSH public key should look when pasted into the UI. Notice it has ssh-rsa at the start.
Once your management cluster is deployed you should attempt to SSH to the nodes to confirm your public key was correctly applied. The default user will be ‘capv‘ when deployed on vSphere.
You can perform this by using the private key of your key pair and specifying the user ‘capv‘. For example.
ssh -i id_rsa [email protected]
If this fails to work and you can’t login, you’re either looking at an incorrect public/private key pair being used or an incorrectly applied public key during deployment. You can confirm the public key that was used during the management cluster deployment from inside Kubernetes of the management cluster.
In Kubernetes on the management cluster type the following
kubectl describe kubeadmconfigtemplate -A
Towards the bottom of the output displayed you should see Name and Ssh Authorized Keys.
Make sure the key matches the public key you used. Note the Name and if it is different from the default ‘capv’. Pay close attention to how the key looks. It should all be on one line. If it’s not on one line you may have pasted it incorrectly with multiple lines during deployment.
An example of an incorrectly defined public key during deployment below.
Notice that ssh-rsa is on a different line to the actual key. Also notice I have mark@docker which I pasted with the key but is not required. The key also appears very short. This is an example of a poorly pasted public key in the UI during deployment.
To resolve an incorrect public key it is possible to edit and update kubeadmconfigtemplate. I have had success doing this and then using tanzu cluster scale to deploy more nodes / hosts and then remove the old nodes with incorrectly applied keys.