VMware vSphere Tanzu部署_16_TKC集群节点VM密码获取

SupervisorControlPlaneVM密码获取

通过SSH方式登录vcenter

• vcenter开启SSH服务

• 通过SSH工具登录vcenter

执行获取密码脚本

• 在vcenter shell模式下执行/usr/lib/vmware-wcp/decryptK8Pwd.py命令

WARNING! The remote SSH server rejected X11 forwarding request.
Connected to service

    * List APIs: "help api list"
    * List Plugins: "help pi list"
    * Launch BASH: "shell"

Command> shell
Shell access is granted to root
root@localhost [ ~ ]# 

root@localhost [ ~ ]# /usr/lib/vmware-wcp/decryptK8Pwd.py
Read key from file

Connected to PSQL

Cluster: domain-c1006:5faca4d7-1112-4fca-abe4-59c2c8e11d31
IP: 192.168.201.20
PWD: aHj64&m':U0Q>$;5
------------------------------------------------------------

root@localhost [ ~ ]# 

• 登录节点

[C:\~]$ ssh [email protected]


Connecting to 192.168.201.20:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.


WARNING! The remote SSH server rejected X11 forwarding request.
 06:34:35 up 2 days, 18:36,  0 users,  load average: 5.26, 3.67, 3.33

18 Security notice(s)
Run 'tdnf updateinfo info' to see the details.
root@423d5427dfdd12d9b2d6c462d1d172d1 [ ~ ]# 

Tanzu Kubernetes Cluster Nodes密码获取

• 登录tanzu集群

jianhua@napp:~/tkc$ kubectl vsphere login --server=192.168.203.194 \
--vsphere-username [email protected] \
--insecure-skip-tls-verify


KUBECTL_VSPHERE_PASSWORD environment variable is not set. Please enter the password below
Password: 
Logged in successfully.

You have access to the following contexts:
   192.168.203.194
   tkc-01

If the context you wish to use is not in this list, you may need to try
logging in again later, or contact your cluster administrator.

To change context, use `kubectl config use-context <workload name>`
jianhua@napp:~/tkc$ 

• 切换context

jianhua@napp:~/tkc$ kubectl config use-context tkc-01
Switched to context "tkc-01".
jianhua@napp:~/tkc$ 

• 获取节点信息

jianhua@napp:~/tkc$ kubectl get virtualmachine -o wide
NAME                                                          POWERSTATE   CLASS                IMAGE                                                            PRIMARY-IP        AGE
tkc-dev-cluster-control-plane-jmrk5                           poweredOn    best-effort-xsmall   ob-22748270-tkgs-ova-photon-3-v1.26.10---vmware.1-fips.1-tkg.1   192.168.202.101   40h
tkc-dev-cluster-tck-dev-worker-zt5ls-779c467dd4xwbb9p-fpq6d   poweredOn    best-effort-xsmall   ob-22748270-tkgs-ova-photon-3-v1.26.10---vmware.1-fips.1-tkg.1   192.168.202.102   40h
tkc-dev-cluster-tck-dev-worker-zt5ls-779c467dd4xwbb9p-kl9tx   poweredOn    best-effort-xsmall   ob-22748270-tkgs-ova-photon-3-v1.26.10---vmware.1-fips.1-tkg.1   192.168.202.103   40h
jianhua@napp:~/tkc$ 

• 获取secrets

jianhua@napp:~/tkc$ kubectl get secrets
NAME                                         TYPE                                  DATA   AGE
tkc-dev-cluster-auth-svc-cert                kubernetes.io/tls                     3      38h
tkc-dev-cluster-ca                           cluster.x-k8s.io/secret               2      38h
tkc-dev-cluster-ccm-secret                   kubernetes.io/service-account-token   3      38h
tkc-dev-cluster-control-plane-h5d9h          cluster.x-k8s.io/secret               2      38h
tkc-dev-cluster-encryption                   Opaque                                1      38h
tkc-dev-cluster-etcd                         cluster.x-k8s.io/secret               2      38h
tkc-dev-cluster-extensions-ca                kubernetes.io/tls                     3      38h
tkc-dev-cluster-kubeconfig                   cluster.x-k8s.io/secret               1      38h
tkc-dev-cluster-metrics-server-cert          kubernetes.io/tls                     3      38h
tkc-dev-cluster-proxy                        cluster.x-k8s.io/secret               2      38h
tkc-dev-cluster-pvcsi-secret                 kubernetes.io/service-account-token   3      38h
tkc-dev-cluster-sa                           cluster.x-k8s.io/secret               2      38h
tkc-dev-cluster-ssh                          kubernetes.io/ssh-auth                1      38h
tkc-dev-cluster-ssh-password                 Opaque                                1      38h
tkc-dev-cluster-tck-dev-worker-mrt8q-7zsp4   cluster.x-k8s.io/secret               2      38h
tkc-dev-cluster-tck-dev-worker-mrt8q-fnm9s   cluster.x-k8s.io/secret               2      38h
jianhua@napp:~/tkc$ 


jianhua@napp:~/tkc$ kubectl get secrets tkc-dev-cluster-ssh-password -o yaml
apiVersion: v1
data:
  ssh-passwordkey: VEVGQTFMMDV2YU5tWHh5YUczay9JcSt2cGRJbXdBbFFnc1pRa294TDBSQT0=
kind: Secret
metadata:
  creationTimestamp: "2024-07-03T13:33:52Z"
  name: tkc-dev-cluster-ssh-password
  namespace: tkc-01
  ownerReferences:
  - apiVersion: run.tanzu.vmware.com/v1alpha2
    kind: TanzuKubernetesCluster
    name: tkc-dev-cluster
    uid: 827649f0-84e9-40b7-afdf-df4f8406bb43
  resourceVersion: "768450"
  uid: 2bd82333-1643-4037-b2fc-aa6b33d730cf
type: Opaque
jianhua@napp:~/tkc$ 

• 解密secrets

jianhua@napp:~/tkc$ echo VEVGQTFMMDV2YU5tWHh5YUczay9JcSt2cGRJbXdBbFFnc1pRa294TDBSQT0= | base64 --decode
TEFA1L05vaNmXxyaG3k/Iq+vpdImwAlQgsZQkoxL0RA=jianhua@napp:~/tkc$ 

• 登录节点

节点上的用户名为vmware-system-user

jianhua@napp:~/tkc$ ssh [email protected]
The authenticity of host '192.168.202.101 (192.168.202.101)' can't be established.
ED25519 key fingerprint is SHA256:BH2AbB4Py+nRdt+zVX5j7YvbJkx5trZA7xqqKlzQmYc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.202.101' (ED25519) to the list of known hosts.
([email protected]) Password: 
 03:53:33 up 1 day, 14:17,  0 users,  load average: 2.50, 1.75, 1.87
tdnf update info not available yet!
-bash: TMOUT: readonly variable
vmware-system-user@tkc-dev-cluster-control-plane-jmrk5 [ ~ ]$ 

参考文章

• Supervisor Control Plane VM's： https://knowledge.broadcom.com/external/article?legacyId=90194
• SSH to Tanzu Kubernetes Cluster Nodes：https://docs.vmware.com/en/VMware-vSphere/7.0/vmware-vsphere-with-tanzu/GUID-37DC1DF2-119B-4E9E-8CA6-C194F39DDEDA.html