#1903: rename root login --> system and save ssh certs locally as sys…

…admin@CLUSTER
nforgeio · Apr 19, 2024 · 8bd0619 · 8bd0619
1 parent 1f1be91
commit 8bd0619
Show file tree

Hide file tree

Showing 17 changed files with 106 additions and 97 deletions.
diff --git a/Doc/Release/0.11.0-beta.4.md b/Doc/Release/0.11.0-beta.4.md
@@ -24,5 +24,6 @@ Release documentation: https://docs.neonforge.com/docs/neonkube
 
 # Details
 
-* **bug** [#1899](https://github.com/nforgeio/neonKUBE/issues/1899)
-* **bug** [#1901](https://github.com/nforgeio/neonKUBE/issues/1901)
+* **BREAKING:** [#1903: rename root login --> system and save ssh certs locally as sysadmin@CLUSTER](https://github.com/nforgeio/neonKUBE/issues/1903)
+* **bug** [#1899: [neon-cluster-operator]: MinWorkerNodeVcpuJob shouldn't be disabled](https://github.com/nforgeio/neonKUBE/issues/1899)
+* **bug** [#1901: neon-cluster-operator: wrap-up issues](https://github.com/nforgeio/neonKUBE/issues/1901)
diff --git a/Lib/Neon.Kube.Setup/KubeSetup.Operations.cs b/Lib/Neon.Kube.Setup/KubeSetup.Operations.cs
@@ -865,16 +865,16 @@ exit 1
 
                             // Edit the Kubernetes configuration file to rename the context:
                             //
-                            //       CLUSTERNAME-admin@kubernetes --> root@CLUSTERNAME
+                            //       CLUSTERNAME-admin@kubernetes --> sysadmin@CLUSTERNAME
                             //
                             // rename the user:
                             //
-                            //      CLUSTERNAME-admin --> CLUSTERNAME-root 
+                            //      CLUSTERNAME-admin --> CLUSTERNAME-sysadmin 
 
                             var adminConfig = firstControlNode.DownloadText("/etc/kubernetes/admin.conf");
 
-                            adminConfig = adminConfig.Replace($"kubernetes-admin@{cluster.Name}", $"root@{cluster.SetupState.ClusterDefinition.Name}");
-                            adminConfig = adminConfig.Replace("kubernetes-admin", $"root@{cluster.Name}");
+                            adminConfig = adminConfig.Replace($"kubernetes-admin@{cluster.Name}", $"sysadmin@{cluster.SetupState.ClusterDefinition.Name}");
+                            adminConfig = adminConfig.Replace("kubernetes-admin", $"sysadmin@{cluster.Name}");
 
                             firstControlNode.UploadText("/etc/kubernetes/admin.conf", adminConfig, permissions: "600", owner: "root:root");
                         });

diff --git a/Lib/Neon.Kube.Setup/KubeSetup.PrepareCluster.cs b/Lib/Neon.Kube.Setup/KubeSetup.PrepareCluster.cs
@@ -187,7 +187,7 @@ public static async Task<ISetupController> CreateClusterPrepareControllerAsync(
             // Initialize the setup state.  This is backed by a file and is used to
             // persist setup related state across the cluster prepare and setup phases.
 
-            var contextName = $"{KubeConst.RootUser}@{clusterDefinition.Name}";
+            var contextName = $"{KubeConst.SysAdminUser}@{clusterDefinition.Name}";
 
             if (KubeSetupState.Exists(contextName))
             {
@@ -392,7 +392,7 @@ public static async Task<ISetupController> CreateClusterPrepareControllerAsync(
             // Add the provisioning steps.
 
             controller.AddWaitUntilOnlineStep(timeout: TimeSpan.FromMinutes(15));
-            controller.AddNodeStep("check node operating system", (controller, node) => node.VerifyNodeOS());
+            controller.AddNodeStep("check operating system", (controller, node) => node.VerifyNodeOS());
 
             controller.AddNodeStep("delete boot script",
                 (controller, node) =>

diff --git a/Lib/Neon.Kube.Setup/KubeSetup.SetupCluster.cs b/Lib/Neon.Kube.Setup/KubeSetup.SetupCluster.cs
@@ -92,9 +92,9 @@ public static async Task<ISetupController> CreateClusterSetupControllerAsync(
             var logFolder = KubeHelper.LogFolder;
 
             // Ensure that the cluster's setup state file exists and that it
-            // indicates that tyhe cluster was prepared.
+            // indicates that the cluster was prepared.
 
-            var contextName    = KubeContextName.Parse($"root@{clusterDefinition.Name}");
+            var contextName    = KubeContextName.Parse($"sysadmin@{clusterDefinition.Name}");
             var setupStatePath = KubeSetupState.GetPath((string)contextName);
             var setupState     = (KubeSetupState)null;
 

diff --git a/Lib/Neon.Kube.XenServer/XenServerHostingManager.cs b/Lib/Neon.Kube.XenServer/XenServerHostingManager.cs
@@ -1462,7 +1462,7 @@ public override async Task<ClusterHealth> GetClusterHealthAsync(TimeSpan timeout
             // We're going to infer the cluster provisiong status by examining the
             // cluster login and the state of the VMs deployed to the XenServer hosts.
 
-            var contextName = $"root@{cluster.Name}";   // $todo(jefflill): Hardcoding this breaks SSO login (probably need to add context name to ClusterProxy).
+            var contextName = $"sysadmin@{cluster.Name}";   // $todo(jefflill): Hardcoding this breaks SSO login (probably need to add context name to ClusterProxy).
             var context     = KubeHelper.KubeConfig.GetContext(contextName);
 
             // Report when any XenServer hosts are offline.

diff --git a/Lib/Neon.Kube.Xunit/ClusterFixture.cs b/Lib/Neon.Kube.Xunit/ClusterFixture.cs
@@ -624,7 +624,7 @@ public TestFixtureStatus StartWithClusterDefinition(ClusterDefinition clusterDef
             // its cluster definition matches the test cluster's definition.
             ;
             var clusterExists     = false;
-            var configContextName = KubeContextName.Parse($"root@{clusterDefinition.Name}");
+            var configContextName = KubeContextName.Parse($"sysadmin@{clusterDefinition.Name}");
             var configContext     = KubeHelper.KubeConfig.GetContext(configContextName);
 
             if (configContext != null)

diff --git a/Lib/Neon.Kube/Config/KubeConfigCluster.cs b/Lib/Neon.Kube/Config/KubeConfigCluster.cs
@@ -225,13 +225,7 @@ public string SshUsername
         }
 
         /// <summary>
-        /// <para>
-        /// Specifies the SSH padmin assword for cluster nodes.
-        /// </para>
-        /// <note>
-        /// Technically, this is actually the admin user account password on the cluster nodes,
-        /// not an SSH password because clusters disable SSH password authentication.
-        /// </note>
+        /// Specifies the SSH admin password for cluster nodes.
         /// </summary>
         [JsonIgnore]
         [YamlIgnore]

diff --git a/Lib/Neon.Kube/Kube/KubeHelper.cs b/Lib/Neon.Kube/Kube/KubeHelper.cs
@@ -2141,93 +2141,93 @@ public static KubeSshKey GetBuiltinDesktopSshKey()
             //
             // This key was generated using the NEONCLOUD neon-image tool via:
             //
-            //      neon-image sshkey NEONDESKTOP root
+            //      neon-image sshkey neon-desktop sysadmin
             //
             // SSH keys don't have an expiration so this key could potentionally work
             // forever, as long as the encryption algorithms are still supported.
 
             var keyYaml =
 @"
 publicPUB: |
-  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMn/0u0xfoXbY5Uvcct/6oz5SzVW7g6wmGR2bN5YA5E6i+ivWMiJNNity47WrGLuAHQYYVawgKGesRrXjpmRVOhg35nreKGISa8eRoferQXaGF+hKfPOaordLyNGTzTiuRhuvth4DsKRNz+g0n4JOgfnIa7MsgNnCnC163yj8itcLCLSN/14OkKQRX7RRsEpnMOHDkXOsDok7YVA9ZmlBwQjCrhERxUOJSsGkByakDk9OGBsVg6nCYQ59xNWGAQL8MLFfCg3/KrvTPtW1y5+BqVI0TKJ8XgyhkjgEmHRh1wK/F1FPJ4ogGcZNj1ZV+7GR+cs9o1lzl7ns2CNberIHr root@neon-desktop
-publicOpenSSH: |+
+  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEslLqqMimG0SIrQFs+nPl7Ah8TSoKRBJuPwhVkefMzUol1Rvlm7Yc0kRwhBTQkS7H9g51CENEo42D8trorj3d1rRTGpiOjCuxvMg71l0xDPN3Kjovde2TT3rDp0apqT24+SGu8xupbd2cmsK13eOfEL4RxufIyJSnpc7sxGM7MmbnFC8fDrE3yxZTA4+Qa1bUpM66XD569mCSr4l0zSQcVkGxlPCYIVT0WLWxf1Jbe+ZVvMQrvQ5S5tBejvp7O+SPZXONewzX+nOWhyOuMin+PELMPQiYAyRf8DpQ4l/e1h0MnQcAv09TBk9H4bJefGgPfNcDB5OAN6QafT6Nwfyn sysadmin@neon-desktop
+publicOpenSSH: |
   -----BEGIN RSA PUBLIC KEY-----
-  MIIBCgKCAQEAzJ/9LtMX6F22OVL3HLf+qM+Us1Vu4OsJhkdmzeWAOROovor1jIiT
-  TYrcuO1qxi7gB0GGFWsIChnrEa146ZkVToYN+Z63ihiEmvHkaH3q0F2hhfoSnzzm
-  qK3S8jRk804rkYbr7YeA7CkTc/oNJ+CToH5yGuzLIDZwpwtet8o/IrXCwi0jf9eD
-  pCkEV+0UbBKZzDhw5FzrA6JO2FQPWZpQcEIwq4REcVDiUrBpAcmpA5PThgbFYOpw
-  mEOfcTVhgEC/DCxXwoN/yq70z7VtcufgalSNEyifF4MoZI4BJh0YdcCvxdRTyeKI
-  BnGTY9WVfuxkfnLPaNZc5e57NgjW3qyB6wIDAQAB
+  MIIBCgKCAQEAxLJS6qjIphtEiK0BbPpz5ewIfE0qCkQSbj8IVZHnzM1KJdUb5Zu2
+  HNJEcIQU0JEux/YOdQhDRKONg/La6K493da0UxqYjowrsbzIO9ZdMQzzdyo6L3Xt
+  k096w6dGqak9uPkhrvMbqW3dnJrCtd3jnxC+EcbnyMiUp6XO7MRjOzJm5xQvHw6x
+  N8sWUwOPkGtW1KTOulw+evZgkq+JdM0kHFZBsZTwmCFU9Fi1sX9SW3vmVbzEK70O
+  UubQXo76ezvkj2VzjXsM1/pzlocjrjIp/jxCzD0ImAMkX/A6UOJf3tYdDJ0HAL9P
+  UwZPR+GyXnxoD3zXAweTgDekGn0+jcH8pwIDAQAB
   -----END RSA PUBLIC KEY-----
-publicSSH2: |+
+publicSSH2: |
   ---- BEGIN SSH2 PUBLIC KEY ----
-  AAAAB3NzaC1yc2EAAAADAQABAAABAQDMn/0u0xfoXbY5Uvcct/6oz5SzVW7g6wmGR2bN5Y
-  A5E6i+ivWMiJNNity47WrGLuAHQYYVawgKGesRrXjpmRVOhg35nreKGISa8eRoferQXaGF
-  +hKfPOaordLyNGTzTiuRhuvth4DsKRNz+g0n4JOgfnIa7MsgNnCnC163yj8itcLCLSN/14
-  OkKQRX7RRsEpnMOHDkXOsDok7YVA9ZmlBwQjCrhERxUOJSsGkByakDk9OGBsVg6nCYQ59x
-  NWGAQL8MLFfCg3/KrvTPtW1y5+BqVI0TKJ8XgyhkjgEmHRh1wK/F1FPJ4ogGcZNj1ZV+7G
-  R+cs9o1lzl7ns2CNberIHr
+  AAAAB3NzaC1yc2EAAAADAQABAAABAQDEslLqqMimG0SIrQFs+nPl7Ah8TSoKRBJuPwhVke
+  fMzUol1Rvlm7Yc0kRwhBTQkS7H9g51CENEo42D8trorj3d1rRTGpiOjCuxvMg71l0xDPN3
+  Kjovde2TT3rDp0apqT24+SGu8xupbd2cmsK13eOfEL4RxufIyJSnpc7sxGM7MmbnFC8fDr
+  E3yxZTA4+Qa1bUpM66XD569mCSr4l0zSQcVkGxlPCYIVT0WLWxf1Jbe+ZVvMQrvQ5S5tBe
+  jvp7O+SPZXONewzX+nOWhyOuMin+PELMPQiYAyRf8DpQ4l/e1h0MnQcAv09TBk9H4bJefG
+  gPfNcDB5OAN6QafT6Nwfyn
   ---- END SSH2 PUBLIC KEY ----
 privateOpenSSH: |
   -----BEGIN OPENSSH PRIVATE KEY-----
   b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
-  NhAAAAAwEAAQAAAQEAzJ/9LtMX6F22OVL3HLf+qM+Us1Vu4OsJhkdmzeWAOROovor1jIiT
-  TYrcuO1qxi7gB0GGFWsIChnrEa146ZkVToYN+Z63ihiEmvHkaH3q0F2hhfoSnzzmqK3S8j
-  Rk804rkYbr7YeA7CkTc/oNJ+CToH5yGuzLIDZwpwtet8o/IrXCwi0jf9eDpCkEV+0UbBKZ
-  zDhw5FzrA6JO2FQPWZpQcEIwq4REcVDiUrBpAcmpA5PThgbFYOpwmEOfcTVhgEC/DCxXwo
-  N/yq70z7VtcufgalSNEyifF4MoZI4BJh0YdcCvxdRTyeKIBnGTY9WVfuxkfnLPaNZc5e57
-  NgjW3qyB6wAAA8guz+ajLs/mowAAAAdzc2gtcnNhAAABAQDMn/0u0xfoXbY5Uvcct/6oz5
-  SzVW7g6wmGR2bN5YA5E6i+ivWMiJNNity47WrGLuAHQYYVawgKGesRrXjpmRVOhg35nreK
-  GISa8eRoferQXaGF+hKfPOaordLyNGTzTiuRhuvth4DsKRNz+g0n4JOgfnIa7MsgNnCnC1
-  63yj8itcLCLSN/14OkKQRX7RRsEpnMOHDkXOsDok7YVA9ZmlBwQjCrhERxUOJSsGkByakD
-  k9OGBsVg6nCYQ59xNWGAQL8MLFfCg3/KrvTPtW1y5+BqVI0TKJ8XgyhkjgEmHRh1wK/F1F
-  PJ4ogGcZNj1ZV+7GR+cs9o1lzl7ns2CNberIHrAAAAAwEAAQAAAQABdUZllgV+l2RcBjZS
-  kxESfOAvYvV2TtZziYC3COKgBX7XVMApLzP1gn7OJorzPJRGGPZuoqOdBtBBAP5yk6+uLp
-  Bc7f+a0U/olr6s6/DHaVNkVALb9aAjJZHyPeNWRIFU+SQnPibyB9zmn6qGVThYFW6UuIk+
-  AoVM+2zCXIOUqLmlj7Jp6llwQnrLe84+SrabMJRmy7Vc5+vgGE/6KkAtXEn1QYMoD7uD/Y
-  CZ/+XBaSrCO0Wx7wrEJQyH/4kzztIwHOLFxI4UQt+bg8vY7lSkFTPYVZu/x1HuMZ3ByiEE
-  5JOdk7c9iPsAi5PX72M0PZnliD+iy/Ou1WnMrkpoLSzRAAAAgQC5YvFRwjBEVv8/4TIWwH
-  w9IxLlCySnndJCldyuGuVsIr+vDXqFteEEX4GVf2KzxQTsihq498ixERrF021E0jZPdxhv
-  m27xL9T3rshI9nqqMogRMbsSFlF1IYvPQKluqpuwzS9N9kwnJt8TsrOE2i9negYOH6VCCs
-  1OQ0DQ3rSPbAAAAIEA8BpOu3gRuLIMkjh2C/NTTRpBx2kVaXi6HQf2pLKjx9HNncsEiH7M
-  SZjs3K8DS+dVhkt3D5E9WBQR2tdEX6ZFnLoqY4ZbJrPX0nCchiZ+AqIf0TDK9K2Czlk4Tn
-  +4gY+0i5H97t0TPaVKVsOUDS9EQsrsous+bCDEvoGNbq0d6QMAAACBANosVwUFtbOWnCRN
-  LtKyVHXcnqENlUK2mwVnAu1nzCLe4pVRtt/QCyHsL8NqErHowcWcHtNMziaqqxfmGgLCZX
-  u1vGXl6fB80+rK3gy5Z1wvWYBi8Ig2+5Peoev8hQl0y7nFeMFuDyIS/nVbDwYMVmCrOMnL
-  HOKikzBRwp9Nvkr5AAAAEXJvb3RAbmVvbi1kZXNrdG9wAQ==
+  NhAAAAAwEAAQAAAQEAxLJS6qjIphtEiK0BbPpz5ewIfE0qCkQSbj8IVZHnzM1KJdUb5Zu2
+  HNJEcIQU0JEux/YOdQhDRKONg/La6K493da0UxqYjowrsbzIO9ZdMQzzdyo6L3Xtk096w6
+  dGqak9uPkhrvMbqW3dnJrCtd3jnxC+EcbnyMiUp6XO7MRjOzJm5xQvHw6xN8sWUwOPkGtW
+  1KTOulw+evZgkq+JdM0kHFZBsZTwmCFU9Fi1sX9SW3vmVbzEK70OUubQXo76ezvkj2VzjX
+  sM1/pzlocjrjIp/jxCzD0ImAMkX/A6UOJf3tYdDJ0HAL9PUwZPR+GyXnxoD3zXAweTgDek
+  Gn0+jcH8pwAAA9Bv6c9eb+nPXgAAAAdzc2gtcnNhAAABAQDEslLqqMimG0SIrQFs+nPl7A
+  h8TSoKRBJuPwhVkefMzUol1Rvlm7Yc0kRwhBTQkS7H9g51CENEo42D8trorj3d1rRTGpiO
+  jCuxvMg71l0xDPN3Kjovde2TT3rDp0apqT24+SGu8xupbd2cmsK13eOfEL4RxufIyJSnpc
+  7sxGM7MmbnFC8fDrE3yxZTA4+Qa1bUpM66XD569mCSr4l0zSQcVkGxlPCYIVT0WLWxf1Jb
+  e+ZVvMQrvQ5S5tBejvp7O+SPZXONewzX+nOWhyOuMin+PELMPQiYAyRf8DpQ4l/e1h0MnQ
+  cAv09TBk9H4bJefGgPfNcDB5OAN6QafT6NwfynAAAAAwEAAQAAAQArUJmx0zlcWuTctDx8
+  IysilrfHp7Z6TENCw96x+U9yakLJ0gQyq/eOoT8xB+UNiOskXasRWqB1nQ6s3+4VD0nQcF
+  eFdXXi7jsxCMGPa8VZ5+A1fbcSfIW0yuvd6hhFhF9zPGmOfTq6NNd4hRwbsKFPhgBVKdgg
+  /wq9YGYQ/a5cenoXQWY7v8xzvUZ5tpnx2d5hr1/SXL8BcnCVD7X95s4FYl/36+P+UUibPn
+  jXzVskvPYB0r9RNvOlo7GUiDmjKVDZhAwaklR653fDZCdl1O5//Ky8+0Vj5qTT1yt+F2d9
+  vYgoA4wQbkr01/0X9Q/LUrBPHmWl3ovje3q2NHND8QUBAAAAgEuj0eHjt2OPOm80OCz+BP
+  81ruqOXMoZRwl5OtY0RUoGZPggO0MLPKDfCqJHTCMTr8IMYMQKJgoFxI6IGirpml+n6/vY
+  WBQlxYQNPvWw47qqTLhHudDU/dlaG1JybVM0r19vX4lUbATTIbetGERh4QimePFXyqn5ZY
+  bGTCoXhYoJAAAAgQDjnaGcxfeUExBPE6GekKiCXl4ixdJM5VBWd7Qxsfcira0pZ+9ZGZv9
+  TrYSTj3OntwkjupjvEuiPKOAdsLPcopVxC5zXvFkuxHoQ7tUgkHcdjP3QAxNq33VEicSkV
+  qTJsEuRXJMtw1CKpaWaNNYcHYchAQtHPOhUefz5Nhcwts9MwAAAIEA3TmiTANFg4mYQXKF
+  Wm2HgjwiURqhedjjBf+7AT2AFRVAjnSTgApY8dHI4W5/nhgm8gvqw7Mp0J4UWtQKWxSPtn
+  o9tmoqmI1e2OVRAqYLMDYYh9QjEKZ9NUpzdJGAUk3YqNyHdmLFbrv3onNz0bE+kVS33pzH
+  kaXzMnM/G9NW+r0AAAAVc3lzYWRtaW5AbmVvbi1kZXNrdG9wAQIDBAUG
   -----END OPENSSH PRIVATE KEY-----
 privatePEM: |
   -----BEGIN RSA PRIVATE KEY-----
-  MIIEpAIBAAKCAQEAzJ/9LtMX6F22OVL3HLf+qM+Us1Vu4OsJhkdmzeWAOROovor1
-  jIiTTYrcuO1qxi7gB0GGFWsIChnrEa146ZkVToYN+Z63ihiEmvHkaH3q0F2hhfoS
-  nzzmqK3S8jRk804rkYbr7YeA7CkTc/oNJ+CToH5yGuzLIDZwpwtet8o/IrXCwi0j
-  f9eDpCkEV+0UbBKZzDhw5FzrA6JO2FQPWZpQcEIwq4REcVDiUrBpAcmpA5PThgbF
-  YOpwmEOfcTVhgEC/DCxXwoN/yq70z7VtcufgalSNEyifF4MoZI4BJh0YdcCvxdRT
-  yeKIBnGTY9WVfuxkfnLPaNZc5e57NgjW3qyB6wIDAQABAoIBAAF1RmWWBX6XZFwG
-  NlKTERJ84C9i9XZO1nOJgLcI4qAFftdUwCkvM/WCfs4mivM8lEYY9m6io50G0EEA
-  /nKTr64ukFzt/5rRT+iWvqzr8MdpU2RUAtv1oCMlkfI941ZEgVT5JCc+JvIH3Oaf
-  qoZVOFgVbpS4iT4ChUz7bMJcg5SouaWPsmnqWXBCest7zj5KtpswlGbLtVzn6+AY
-  T/oqQC1cSfVBgygPu4P9gJn/5cFpKsI7RbHvCsQlDIf/iTPO0jAc4sXEjhRC35uD
-  y9juVKQVM9hVm7/HUe4xncHKIQTkk52Ttz2I+wCLk9fvYzQ9meWIP6LL867Vacyu
-  SmgtLNECgYEA8BpOu3gRuLIMkjh2C/NTTRpBx2kVaXi6HQf2pLKjx9HNncsEiH7M
-  SZjs3K8DS+dVhkt3D5E9WBQR2tdEX6ZFnLoqY4ZbJrPX0nCchiZ+AqIf0TDK9K2C
-  zlk4Tn+4gY+0i5H97t0TPaVKVsOUDS9EQsrsous+bCDEvoGNbq0d6QMCgYEA2ixX
-  BQW1s5acJE0u0rJUddyeoQ2VQrabBWcC7WfMIt7ilVG239ALIewvw2oSsejBxZwe
-  00zOJqqrF+YaAsJle7W8ZeXp8HzT6sreDLlnXC9ZgGLwiDb7k96h6/yFCXTLucV4
-  wW4PIhL+dVsPBgxWYKs4ycsc4qKTMFHCn02+SvkCgYBuHSKOh3pZIg7x4EMDKAzE
-  B46zTVYskNmKBuTuk57ZPTb3buwdTUmTVzcJ3pm8bdOjS2jHEuz3P/0QSDlrRG4Y
-  eqiGDFAxZ7lLIaonO+/+dSvyXFY38HtU90YDej+765P5jnLO4US5uNxm/jsf8NV1
-  bGsqLIjsPfr9A51BbNOS0QKBgQCtp4VMFhNeco6txlFym0bm2UfZ4Tng8//H+Qo3
-  dNrjFo07VOM+mhWCVsBdxlxDB4TUiUNv5D5iQI4WY6xobdrg8PKYGLxwEquKwxaj
-  Ah/nHDkdG6NgiIMOW7J+Z2xs7m4J28gWDkg1UvD+8A+xPLi0ERUOaYEAU27ckvda
-  XUMN4QKBgQC5YvFRwjBEVv8/4TIWwHw9IxLlCySnndJCldyuGuVsIr+vDXqFteEE
-  X4GVf2KzxQTsihq498ixERrF021E0jZPdxhvm27xL9T3rshI9nqqMogRMbsSFlF1
-  IYvPQKluqpuwzS9N9kwnJt8TsrOE2i9negYOH6VCCs1OQ0DQ3rSPbA==
+  MIIEogIBAAKCAQEAxLJS6qjIphtEiK0BbPpz5ewIfE0qCkQSbj8IVZHnzM1KJdUb
+  5Zu2HNJEcIQU0JEux/YOdQhDRKONg/La6K493da0UxqYjowrsbzIO9ZdMQzzdyo6
+  L3Xtk096w6dGqak9uPkhrvMbqW3dnJrCtd3jnxC+EcbnyMiUp6XO7MRjOzJm5xQv
+  Hw6xN8sWUwOPkGtW1KTOulw+evZgkq+JdM0kHFZBsZTwmCFU9Fi1sX9SW3vmVbzE
+  K70OUubQXo76ezvkj2VzjXsM1/pzlocjrjIp/jxCzD0ImAMkX/A6UOJf3tYdDJ0H
+  AL9PUwZPR+GyXnxoD3zXAweTgDekGn0+jcH8pwIDAQABAoIBACtQmbHTOVxa5Ny0
+  PHwjKyKWt8entnpMQ0LD3rH5T3JqQsnSBDKr946hPzEH5Q2I6yRdqxFaoHWdDqzf
+  7hUPSdBwV4V1deLuOzEIwY9rxVnn4DV9txJ8hbTK693qGEWEX3M8aY59Oro013iF
+  HBuwoU+GAFUp2CD/Cr1gZhD9rlx6ehdBZju/zHO9Rnm2mfHZ3mGvX9JcvwFycJUP
+  tf3mzgViX/fr4/5RSJs+eNfNWyS89gHSv1E286WjsZSIOaMpUNmEDBqSVHrnd8Nk
+  J2XU7n/8rLz7RWPmpNPXK34XZ329iCgDjBBuSvTX/Rf1D8tSsE8eZaXei+N7erY0
+  c0PxBQECgYEA452hnMX3lBMQTxOhnpCogl5eIsXSTOVQVne0MbH3Iq2tKWfvWRmb
+  /U62Ek49zp7cJI7qY7xLojyjgHbCz3KKVcQuc17xZLsR6EO7VIJB3HYz90AMTat9
+  1RInEpFakybBLkVyTLcNQiqWlmjTWHB2HIQELRzzoVHn8+TYXMLbPTMCgYEA3Tmi
+  TANFg4mYQXKFWm2HgjwiURqhedjjBf+7AT2AFRVAjnSTgApY8dHI4W5/nhgm8gvq
+  w7Mp0J4UWtQKWxSPtno9tmoqmI1e2OVRAqYLMDYYh9QjEKZ9NUpzdJGAUk3YqNyH
+  dmLFbrv3onNz0bE+kVS33pzHkaXzMnM/G9NW+r0CgYAp85Co43fpK8ZSvMyJ/CGC
+  vb/d6tYC5DT1auSkUCe7lYUX35cmteihPFOkdhVAMtliR5D9xuOtyD1eXQU01OiY
+  PCtPik01gqEfTPSG8+cNqh+Tz5M08Ymkrs7SxkWKX5c1XwldCFQCQPU2TaW+ZCPw
+  x4g5hF+G+SCmPCSAnE1qLwKBgFnLL/YcidWnPtapzjjzJkKVd/Rlk89qWlOwBk6t
+  kNR96NMpvEkHaizVUu01tbUM5pnufl7q1PkpgOeRE5b+lIqjuXLWSu3ay/nLsoMZ
+  tIbgHjrbv1Pd0AqWaqCRAn3lvSBlStKhqrOUtiIJLKSbheLleTBxgIu8ySbcImx/
+  7tkdAoGAS6PR4eO3Y486bzQ4LP4E/zWu6o5cyhlHCXk61jRFSgZk+CA7Qws8oN8K
+  okdMIxOvwgxgxAomCgXEjogaKumaX6fr+9hYFCXFhA0+9bDjuqpMuEe50NT92Vob
+  UnJtUzSvX29fiVRsBNMht60YRGHhCKZ48VfKqfllhsZMKheFigk=
   -----END RSA PRIVATE KEY-----
 fingerprint-SHA256: |-
-  2048 SHA256:/iqR31hw7aZI4BFWNjBd/Lsf5xZrwkd1+jIq6PafEpc root@neon-desktop (RSA)
+  2048 SHA256:3RSnLcWeie26esBIDmfy4LrHEkGf+gQYIjL13KHcGbg sysadmin@neon-desktop (RSA)
 fingerprint-MD5: |-
-  2048 MD5:14:17:80:10:c0:66:1a:b6:34:e8:64:0c:f3:5b:66:21 root@neon-desktop (RSA)
+  2048 MD5:a7:e5:58:d6:9f:88:b8:3e:b7:81:f9:f3:d6:8c:9c:98 sysadmin@neon-desktop (RSA)
 passphrase: 
 ";
             return NeonHelper.YamlDeserialize<KubeSshKey>(keyYaml);

diff --git a/Lib/Neon.Kube/Proxy/ClusterProxy.cs b/Lib/Neon.Kube/Proxy/ClusterProxy.cs
@@ -1614,7 +1614,7 @@ public async Task DeleteClusterAsync()
             await SyncContext.Clear;
             Covenant.Assert(HostingManager != null);
 
-            var contextName = KubeContextName.Parse($"{KubeConst.RootUser}@{Name}");
+            var contextName = KubeContextName.Parse($"{KubeConst.SysAdminUser}@{Name}");
             var context     = KubeHelper.KubeConfig.GetContext(contextName);
 
             await HostingManager.DeleteClusterAsync(SetupState?.ClusterDefinition);

diff --git a/Test/Test.NeonCli/Test_ClusterAndLoginCommands.cs b/Test/Test.NeonCli/Test_ClusterAndLoginCommands.cs
@@ -83,7 +83,7 @@ private class ContextList : List<ListedContext>
 
         private const string clusterName  = "test-neoncli";
         private const string namePrefix   = "test-neoncli";
-        private const string clusterLogin = $"root@{clusterName}";
+        private const string clusterLogin = $"sysadmin@{clusterName}";
 
         private const string awsClusterDefinition =
 $@"

diff --git a/Tools/neon-cli/Commands/Cluster/ClusterCommand.cs b/Tools/neon-cli/Commands/Cluster/ClusterCommand.cs
@@ -57,7 +57,7 @@ neon cluster property   [-n] NAME
     neon cluster purpose    [unspecified | development | test | stage | production]
     neon cluster pause      [OPTIONS]
     neon cluster reset      [OPTIONS]
-    neon cluster setup      [OPTIONS] root@CLUSTER-NAME
+    neon cluster setup      [OPTIONS] sysadmin@CLUSTER-NAME
     neon cluster start
     neon cluster stop       [OPTIONS]
     neon cluster unlock

diff --git a/Tools/neon-cli/Commands/Cluster/ClusterDeleteCommand.cs b/Tools/neon-cli/Commands/Cluster/ClusterDeleteCommand.cs
@@ -117,7 +117,7 @@ public override async Task RunAsync(CommandLine commandLine)
             }
 
             var clusterName = commandLine.Arguments.ElementAtOrDefault(0);
-            var contextName = $"root@{clusterName}";
+            var contextName = $"sysadmin@{clusterName}";
             var force       = commandLine.HasOption("--force");
             var orgContext  = (KubeConfigContext)null;
 

diff --git a/Tools/neon-cli/Commands/Cluster/ClusterDeployCommand.cs b/Tools/neon-cli/Commands/Cluster/ClusterDeployCommand.cs
@@ -231,7 +231,7 @@ public override async Task RunAsync(CommandLine commandLine)
             //-----------------------------------------------------------------
             // neon cluster setup ...
 
-            args = new List<string>() { "cluster", "setup", $"root@{clusterDefinition.Name}" };
+            args = new List<string>() { "cluster", "setup", $"sysadmin@{clusterDefinition.Name}" };
 
             if (check)
             {

diff --git a/Tools/neon-cli/Commands/Cluster/ClusterPrepareCommand.cs b/Tools/neon-cli/Commands/Cluster/ClusterPrepareCommand.cs
@@ -63,7 +63,7 @@ prepare the cluster to provision any virtual machines ane network infrastructure
 and then you setup NEONKUBE on that, like:
 
     neon cluster prepare CLUSTER-DEF
-    neon cluster setup root@CLUSTER-NAME
+    neon cluster setup sysadmin@CLUSTER-NAME
 
 USAGE:
 

diff --git a/Tools/neon-cli/Commands/Cluster/ClusterSetupCommand.cs b/Tools/neon-cli/Commands/Cluster/ClusterSetupCommand.cs
@@ -67,18 +67,18 @@ definition file.  This is the second part of deploying a cluster in two
 machines and network infrastructure and then you setup NEONKUBE, like:
 
     neon cluster prepare CLUSTER-DEF
-    neon cluster setup root@CLUSTER-NAME
+    neon cluster setup sysadmin@CLUSTER-NAME
 
 NOTE: This is used by maintainers while debugging cluster setup.
 
 USAGE: 
 
-    neon cluster setup [OPTIONS] root@CLUSTER-NAME
+    neon cluster setup [OPTIONS] sysadmin@CLUSTER-NAME
 
 ARGUMENTS:
 
     CONTEXT-NAME        - Specifies the context name for the cluster, typically
-                          root@CLUSTER-NAME for a newly prepared cluster.
+                          sysadmin@CLUSTER-NAME for a newly prepared cluster.
 
 OPTIONS:
 
@@ -164,7 +164,7 @@ public override async Task RunAsync(CommandLine commandLine)
         {
             if (commandLine.Arguments.Length < 1)
             {
-                Console.Error.WriteLine("*** ERROR: [root@CLUSTER-NAME] argument is required.");
+                Console.Error.WriteLine("*** ERROR: [sysadmin@CLUSTER-NAME] argument is required.");
                 Program.Exit(-1);
             }