AGENT-872: Generate non-expiring local JWT tokens and save it in the asset store

Author: pawanpinjarkar

go.mod

@@ -44,6 +44,7 @@ require (
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-openapi/swag v0.22.9
 	github.com/go-playground/validator/v10 v10.19.0
+	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/golang/mock v1.7.0-rc.1
 	github.com/golang/protobuf v1.5.4
 	github.com/google/go-cmp v0.6.0
@@ -183,7 +184,6 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/gobuffalo/flect v1.0.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.0.1 // indirect

pkg/asset/agent/common/utility.go

@@ -0,0 +1,11 @@
+package common
+
+import "github.com/google/uuid"
+
+// InfraEnvID holds an uniuqe identifier for infra env resource.
+var InfraEnvID string
+
+func init() {
+	// Generate a UUID during initialization
+	InfraEnvID = uuid.New().String()
+}

pkg/asset/agent/gencrypto/authconfig.go

@@ -8,14 +8,25 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 
+	"github.com/golang-jwt/jwt/v4"
+
 	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/agent/common"
 )
 
-// AuthConfig is an asset that generates ECDSA public and private keys.
+// AuthConfig is an asset that generates ECDSA public/private keys, JWT token.
 type AuthConfig struct {
-	PublicKey, PrivateKey string
+	PublicKey, PrivateKey, Token string
 }
 
+// LocalJWTKeyType suggests the key type to be used for the token.
+type LocalJWTKeyType string
+
+const (
+	// InfraEnvKey is used to generate token using infra env id.
+	InfraEnvKey LocalJWTKeyType = "infra_env_id"
+)
+
 var _ asset.WritableAsset = (*AuthConfig)(nil)
 
 // Dependencies returns the assets on which the AuthConfig asset depends.
@@ -32,6 +43,12 @@ func (a *AuthConfig) Generate(dependencies asset.Parents) error {
 	a.PublicKey = PublicKey
 	a.PrivateKey = PrivateKey
 
+	token, err := localJWTForKey(common.InfraEnvID, a.PrivateKey)
+	if err != nil {
+		return err
+	}
+	a.Token = token
+
 	return nil
 }
 
@@ -53,7 +70,7 @@ func (a *AuthConfig) Files() []*asset.File {
 	return []*asset.File{}
 }
 
-// Reused from assisted-service.
+// Referenced from assisted-service.
 // https://github.com/openshift/assisted-service/blob/d3c0122452c74ad208055b8b6ee412812431a83f/internal/gencrypto/keys.go#L13-L54
 func keyPairPEM() (string, string, error) {
 	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
@@ -97,3 +114,23 @@ func keyPairPEM() (string, string, error) {
 
 	return pubKeyPEM.String(), privKeyPEM.String(), nil
 }
+
+// Referenced from assisted-service.
+// https://github.com/openshift/assisted-service/blob/d3c0122452c74ad208055b8b6ee412812431a83f/internal/gencrypto/token.go#L33-L50
+func localJWTForKey(id string, privateKkeyPem string) (string, error) {
+	priv, err := jwt.ParseECPrivateKeyFromPEM([]byte(privateKkeyPem))
+	if err != nil {
+		return "", err
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodES256, jwt.MapClaims{
+		string(InfraEnvKey): id,
+	})
+
+	tokenString, err := token.SignedString(priv)
+	if err != nil {
+		return "", err
+	}
+
+	return tokenString, nil
+}

pkg/asset/agent/gencrypto/authconfig_test.go

@@ -23,6 +23,7 @@ func TestAuthConfig_Generate(t *testing.T) {
 
 			assert.Contains(t, authConfigAsset.PrivateKey, "BEGIN EC PRIVATE KEY")
 			assert.Contains(t, authConfigAsset.PublicKey, "BEGIN EC PUBLIC KEY")
+			assert.NotEmpty(t, authConfigAsset.Token)
 		})
 	}
 }

pkg/asset/agent/image/ignition.go

@@ -13,7 +13,6 @@ import (
 	igntypes "github.com/coreos/ignition/v2/config/v3_2/types"
 	"github.com/coreos/stream-metadata-go/arch"
 	"github.com/coreos/stream-metadata-go/stream"
-	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v2"
@@ -24,6 +23,7 @@ import (
 	"github.com/openshift/installer/pkg/asset"
 	agentcommon "github.com/openshift/installer/pkg/asset/agent"
 	"github.com/openshift/installer/pkg/asset/agent/agentconfig"
+	"github.com/openshift/installer/pkg/asset/agent/common"
 	"github.com/openshift/installer/pkg/asset/agent/gencrypto"
 	"github.com/openshift/installer/pkg/asset/agent/joiner"
 	"github.com/openshift/installer/pkg/asset/agent/manifests"
@@ -229,7 +229,7 @@ func (a *Ignition) Generate(dependencies asset.Parents) error {
 
 	releaseImageMirror := mirror.GetMirrorFromRelease(agentManifests.ClusterImageSet.Spec.ReleaseImage, registriesConfig)
 
-	infraEnvID := uuid.New().String()
+	infraEnvID := common.InfraEnvID
 	logrus.Debug("Generated random infra-env id ", infraEnvID)
 
 	osImage, err := getOSImagesInfo(archName, openshiftVersion, streamGetter)

pkg/asset/agent/image/unconfigured_ignition.go

@@ -7,11 +7,11 @@ import (
 
 	igntypes "github.com/coreos/ignition/v2/config/v3_2/types"
 	"github.com/coreos/stream-metadata-go/arch"
-	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 
 	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/agent/common"
 	"github.com/openshift/installer/pkg/asset/agent/manifests"
 	"github.com/openshift/installer/pkg/asset/agent/mirror"
 	"github.com/openshift/installer/pkg/asset/ignition"
@@ -122,7 +122,7 @@ func (a *UnconfiguredIgnition) Generate(dependencies asset.Parents) error {
 	registryCABundle := &mirror.CaBundle{}
 	dependencies.Get(registriesConfig, registryCABundle)
 
-	infraEnvID := uuid.New().String()
+	infraEnvID := common.InfraEnvID
 	logrus.Debug("Generated random infra-env id ", infraEnvID)
 
 	openshiftVersion, err := version.Version()