Add k8s-admin user

Create a non-root k8s-admin account on instances and update Terraform/Ansible to use it.

Signed-off-by: Sudharshan Muralidharan <sudharshan.muralidharan1@ibm.com>

Author: sudharshanibm

kubetest2-tf/data/vpc/main.tf

@@ -37,6 +37,23 @@ resource "ibm_is_instance_template" "node_template" {
     subnet          = local.subnet_id
     security_groups = [local.security_group_id]
   }
+
+  user_data = <<-EOT
+#!/bin/bash
+# Create k8s-admin user for Kubernetes cluster management
+useradd -m -s /bin/bash k8s-admin
+# Add to sudo group (Ubuntu/Debian) or wheel group (RHEL/CentOS)
+usermod -aG sudo k8s-admin 2>/dev/null || usermod -aG wheel k8s-admin
+# Allow passwordless sudo
+echo "k8s-admin ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/k8s-admin
+chmod 0440 /etc/sudoers.d/k8s-admin
+# Setup SSH directory and copy authorized keys from root
+mkdir -p /home/k8s-admin/.ssh
+cp /root/.ssh/authorized_keys /home/k8s-admin/.ssh/authorized_keys
+chown -R k8s-admin:k8s-admin /home/k8s-admin/.ssh
+chmod 700 /home/k8s-admin/.ssh
+chmod 600 /home/k8s-admin/.ssh/authorized_keys
+EOT
 }
 
 module "master" {
@@ -61,14 +78,14 @@ module "workers" {
 resource "null_resource" "wait-for-master-completes" {
   connection {
     type        = "ssh"
-    user        = "root"
+    user        = "k8s-admin"
     host        = module.master.public_ip
     private_key = file(var.ssh_private_key)
     timeout     = "20m"
   }
   provisioner "remote-exec" {
     inline = [
-      "cloud-init status -w"
+      "sudo cloud-init status -w"
     ]
   }
 }
@@ -77,14 +94,14 @@ resource "null_resource" "wait-for-workers-completes" {
   count = var.workers_count
   connection {
     type        = "ssh"
-    user        = "root"
+    user        = "k8s-admin"
     host        = module.workers[count.index].public_ip
     private_key = file(var.ssh_private_key)
     timeout     = "15m"
   }
   provisioner "remote-exec" {
     inline = [
-      "cloud-init status -w"
+      "sudo cloud-init status -w"
     ]
   }
 }

kubetest2-tf/deployer/deployer.go

@@ -50,6 +50,17 @@ const (
 [workers]
 {{range .Workers}}{{.}}
 {{end}}
+{{if .IsVPC}}
+[masters:vars]
+ansible_user=k8s-admin
+ansible_become=true
+ansible_become_method=sudo
+
+[workers:vars]
+ansible_user=k8s-admin
+ansible_become=true
+ansible_become_method=sudo
+{{end}}
 `
 )
 
@@ -58,6 +69,7 @@ var GitTag string
 type AnsibleInventory struct {
 	Masters []string
 	Workers []string
+	IsVPC   bool
 }
 
 // Add additional Linux package dependencies here, used by checkDependencies()
@@ -269,7 +281,9 @@ func (d *deployer) Up() error {
 			break
 		}
 	}
-	inventory := AnsibleInventory{}
+	inventory := AnsibleInventory{
+		IsVPC: d.TargetProvider == "vpc",
+	}
 	tfMetaOutput, err := terraform.Output(d.tmpDir, d.TargetProvider)
 	if err != nil {
 		return err