Restore ssh keys of TCA-CP from the cluster where TCA-CP is deployed to the TCA-CP appliance's file system

Article ID: 368479

Products

VMware Telco Cloud Automation

Issue/Introduction

This KB provides the steps to recover the ssh keys for TCA-CPs from the cluster. This enables the customer to continue to log in to the CaaS cluster from the TCA-CP VM.

Symptoms:

The user will not be able to ssh into the CaaS cluster from TCA-CP.

Environment

VMware Telco Cloud Automation 3.1.1 onwards

Cause

After migrating TCA from 2.3 to 3.0 there is a post-migration step to restore ssh keys for each TCA-CP. If this manual step is skipped and TCA is upgraded to 3.1.1 or above, the ssh keys on the TCA-CP file system and the ssh keys in the cluster where TCA-CP is deployed differ. This causes the ssh login to the CaaS clusters to fail.

TCA migrated from 2.3 directly to 3.1.0 and above does not face this issue.

Resolution

  1. Log in over ssh to each affected TCA-CP as the root user.
  2. Run the script /opt/vmware/scripts/restore_ssh_key_from_cluster.sh. The script first tries to recover the keys from backup-override-kbs-app-cr-config. This configmap is created at the time of the 2.3 to 3.0 migration or the 2.3 to 3.1 migration. If this configmap does not exist, the script expects the keys to be present in override-kbs-app-cr-secret. This is the case for TCA 3.1.1 onwards. If this secret does not exist either, the script prints the error "override-kbs-app-cr-secret does not exist, no keys to recover", indicating that the ssh keys were not recovered from the cluster.