Configuring password authentication for cluster nodes
Use passwords in place of SSH keys to allow for secure connections between hosts in an IBM® Cloud Private cluster.
Before you install an IBM Cloud Private cluster, you must configure authentication between nodes.
Note: You can configure password authentication for a user in each node by using either the /<installation_directory>/cluster/config.yaml or the /<installation_directory>/cluster/hosts file.
Do not configure password authentication by using both files.
You must provide passwords for the root user or for user names that have root access.
To configure authentication without providing the password for each node, generate an SSH key pair on your boot node and share that key with the other cluster nodes. See Sharing SSH keys among cluster nodes.
Configuring password authentication by using the config.yaml file
The config.yaml file can be used to set password authentication for nodes that have the same password only. If each node has a different password, set the password authentication by using the hosts file.
Add the configuration parameters for your use case to the /<installation_directory>/cluster/config.yaml file:

Root user:

    ansible_user: root
    ansible_ssh_pass: SHARED_PASSWORD
    ansible_ssh_common_args: "-oPubkeyAuthentication=no"

Where SHARED_PASSWORD is the password for each root user.

Non-root user:

    ansible_user: non_root
    ansible_ssh_pass: SHARED_PASSWORD
    ansible_become: true
    ansible_become_password: "{{ ansible_ssh_pass }}"
    ansible_ssh_common_args: "-oPubkeyAuthentication=no"

Where SHARED_PASSWORD is the password for each user.

Configuring password authentication by using the hosts file
The hosts file can be used to set password authentication for nodes that use the same or different passwords.
Add the configuration parameters for your use case to the /<installation_directory>/cluster/hosts file:

- For the root user, append each IP address with the ansible_user, ansible_ssh_pass, ansible_ssh_common_args, and optional ansible_port parameters for the root user on that node, as shown in the following code:

      [master]
      <master_node_IP_address> ansible_user="root" ansible_ssh_pass="<NODE_PASSWORD>" ansible_ssh_common_args="-oPubkeyAuthentication=no" ansible_port="<PORT_VALUE>"

      [worker]
      <worker_node_IP_address> ansible_user="root" ansible_ssh_pass="<NODE_PASSWORD>" ansible_ssh_common_args="-oPubkeyAuthentication=no" ansible_port="<PORT_VALUE>"

      [proxy]
      <proxy_node_IP_address> ansible_user="root" ansible_ssh_pass="<NODE_PASSWORD>" ansible_ssh_common_args="-oPubkeyAuthentication=no" ansible_port="<PORT_VALUE>"

      [management]
      <management_node_IP_address> ansible_user="root" ansible_ssh_pass="<NODE_PASSWORD>" ansible_ssh_common_args="-oPubkeyAuthentication=no" ansible_port="<PORT_VALUE>"

      [va]
      <va_node_IP_address> ansible_user="root" ansible_ssh_pass="<NODE_PASSWORD>" ansible_ssh_common_args="-oPubkeyAuthentication=no" ansible_port="<PORT_VALUE>"

  Where <NODE_PASSWORD> is the password for the root user on that node, and <PORT_VALUE> is your customized SSH port.

- For non-root users, append each IP address with the ansible_user, ansible_ssh_pass, ansible_ssh_common_args, ansible_become, ansible_become_password, and optional ansible_port parameters, as shown in the following code:

      [master]
      <master_node_IP_address> ansible_user="<USER>" ansible_ssh_pass="<NODE_PASSWORD>" ansible_become=true ansible_become_password="<NODE_PASSWORD>" ansible_port="<PORT_VALUE>" ansible_ssh_common_args="-oPubkeyAuthentication=no"

      [worker]
      <worker_node_IP_address> ansible_user="<USER>" ansible_ssh_pass="<NODE_PASSWORD>" ansible_become=true ansible_become_password="<NODE_PASSWORD>" ansible_port="<PORT_VALUE>" ansible_ssh_common_args="-oPubkeyAuthentication=no"

      [proxy]
      <proxy_node_IP_address> ansible_user="<USER>" ansible_ssh_pass="<NODE_PASSWORD>" ansible_become=true ansible_become_password="<NODE_PASSWORD>" ansible_port="<PORT_VALUE>" ansible_ssh_common_args="-oPubkeyAuthentication=no"

      [management]
      <management_node_IP_address> ansible_user="<USER>" ansible_ssh_pass="<NODE_PASSWORD>" ansible_become=true ansible_become_password="<NODE_PASSWORD>" ansible_port="<PORT_VALUE>" ansible_ssh_common_args="-oPubkeyAuthentication=no"

      [va]
      <va_node_IP_address> ansible_user="<USER>" ansible_ssh_pass="<NODE_PASSWORD>" ansible_become=true ansible_become_password="<NODE_PASSWORD>" ansible_ssh_common_args="-oPubkeyAuthentication=no"

  Where <USER> is the non-root user that has root permission on that node, <NODE_PASSWORD> is the password for this non-root user, and <PORT_VALUE> is your customized SSH port.
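
A pre-installation check for the rules above, added here as an example and not part of the IBM Cloud Private tooling: it reports when password authentication is set in both config.yaml and hosts, and when a hosts entry is missing the parameters this page lists for its user type. The function names, sample addresses, and placeholder passwords are assumptions constructed for illustration.

```python
import re
import shlex

def parse_hosts(text):
    """Return {ip: {var: value}} for every host line in an INI-style hosts file."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue  # skip blanks, comments and [group] headers
        ip, *pairs = shlex.split(line)  # shlex strips the quotes around values
        hosts[ip] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return hosts

def check_password_auth(config_text, hosts_text):
    """Return a list of findings; an empty list means the page's rules are met."""
    findings = []
    hosts = parse_hosts(hosts_text)
    # A top-level ansible_ssh_pass key means config.yaml carries the password.
    in_config = re.search(r"^ansible_ssh_pass\s*:", config_text, re.M) is not None
    with_pass = {ip: v for ip, v in hosts.items() if "ansible_ssh_pass" in v}
    if in_config and with_pass:
        findings.append("password authentication is set in both config.yaml and hosts")
    for ip, v in with_pass.items():
        if "-oPubkeyAuthentication=no" not in v.get("ansible_ssh_common_args", ""):
            findings.append(f"{ip}: ansible_ssh_common_args lacks -oPubkeyAuthentication=no")
        if v.get("ansible_user") != "root":
            if v.get("ansible_become", "").lower() != "true":
                findings.append(f"{ip}: non-root user without ansible_become=true")
            if "ansible_become_password" not in v:
                findings.append(f"{ip}: non-root user without ansible_become_password")
    return findings

# Constructed sample input (documentation-range addresses, placeholder passwords).
SAMPLE_CONFIG = "ansible_user: root\nansible_ssh_pass: PLACEHOLDER\n"
SAMPLE_HOSTS = """\
[master]
192.0.2.10 ansible_user="root" ansible_ssh_pass="PLACEHOLDER" ansible_ssh_common_args="-oPubkeyAuthentication=no"
[worker]
192.0.2.11 ansible_user="ops" ansible_ssh_pass="PLACEHOLDER" ansible_become=true ansible_ssh_common_args="-oPubkeyAuthentication=no"
"""

if __name__ == "__main__":
    for finding in check_password_auth(SAMPLE_CONFIG, SAMPLE_HOSTS):
        print(finding)
```

To check a real installation, pass the contents of /<installation_directory>/cluster/config.yaml and /<installation_directory>/cluster/hosts to check_password_auth before you start the installer.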