Merge pull request openshift#8802 from pawanpinjarkar/auth-token-status-service

AGENT-937: Check Authentication Token for Node Boot-Up on day2

Author: openshift-merge-bot[bot]

data/data/agent/files/usr/local/bin/agent-auth-token-status.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+# shellcheck disable=SC1091
+source "issue_status.sh"
+
+status_issue="65_token"
+
+export TZ=UTC
+check_token_expiry() {
+  expiry_epoch=$(date -d "${AGENT_AUTH_TOKEN_EXPIRY}" +%s)
+  current_epoch=$(date +%s)
+
+  if [ "$current_epoch" -gt "$expiry_epoch" ]; then
+    printf '\\e{lightred}The authentication token has expired. Please generate a new ISO using the "oc adm node-image create" command, then reboot the node.\\e{reset}'| set_issue "${status_issue}"
+    exit 1
+  fi
+}
+
+while true; do
+  check_token_expiry
+  sleep 5
+done

data/data/agent/systemd/units/agent-auth-token-status.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=service that displays a message if agent auth token is expired.
+Wants=network-online.target
+After=network-online.target agent-interactive-console.service
+ConditionPathExists=/etc/assisted/add-nodes.env
+
+[Service]
+Type=simple
+EnvironmentFile=/etc/assisted/add-nodes.env
+ExecStart=/usr/local/bin/agent-auth-token-status.sh
+Restart=no
+
+[Install]
+WantedBy=multi-user.target agent-add-node.service

pkg/asset/agent/gencrypto/authconfig.go

@@ -39,7 +39,7 @@ const AuthType = "agent-installer-local"
 
 // AuthConfig is an asset that generates ECDSA public/private keys, JWT token.
 type AuthConfig struct {
-	PublicKey, AgentAuthToken, AuthType string
+	PublicKey, AgentAuthToken, AgentAuthTokenExpiry, AuthType string
 }
 
 var _ asset.Asset = (*AuthConfig)(nil)
@@ -93,6 +93,7 @@ func (a *AuthConfig) Generate(_ context.Context, dependencies asset.Parents) err
 
 		// Auth tokens expires after 48 hours
 		expiry := time.Now().UTC().Add(48 * time.Hour)
+		a.AgentAuthTokenExpiry = expiry.Format(time.RFC3339)
 		token, err := generateToken(infraEnvID.ID, privateKey, expiry)
 		if err != nil {
 			return err
@@ -239,7 +240,7 @@ func (a *AuthConfig) createOrUpdateAuthTokenSecret(kubeconfigPath string) error
 		if err != nil {
 			return err
 		}
-		logrus.Debug("auth token secret regenerated and updated in the cluster")
+		logrus.Debug("Auth token secret regenerated and updated in the cluster")
 	} else {
 		// Update the token in asset store with the retrieved token from the cluster
 		a.AgentAuthToken = retrievedToken
@@ -250,7 +251,7 @@ func (a *AuthConfig) createOrUpdateAuthTokenSecret(kubeconfigPath string) error
 		}
 		// Update the asset store with the retrieved public key associated with the valid token from the cluster
 		a.PublicKey = retrievedPublicKey
-		logrus.Debugf("reusing existing auth token (valid up to %s)", expiryTime)
+		logrus.Debugf("Reusing existing auth token (valid up to %s)", expiryTime)
 	}
 	return err
 }

pkg/asset/agent/image/ignition.go

@@ -76,6 +76,7 @@ type agentTemplateData struct {
 	ImageTypeISO              string
 	PublicKeyPEM              string
 	Token                     string
+	TokenExpiry               string
 	AuthType                  string
 	CaBundleMount             string
 }
@@ -188,11 +189,16 @@ func (a *Ignition) Generate(_ context.Context, dependencies asset.Parents) error
 		// that all the hosts defined are workers.
 		numMasters = 0
 		numWorkers = len(addNodesConfig.Config.Hosts)
+
 		// Enable add-nodes specific services
 		enabledServices = append(enabledServices, "agent-add-node.service")
 		// Generate add-nodes.env file
-		addNodesEnvFile := ignition.FileFromString(addNodesEnvPath, "root", 0644, getAddNodesEnv(*clusterInfo))
+		addNodesEnvFile := ignition.FileFromString(addNodesEnvPath, "root", 0644, getAddNodesEnv(*clusterInfo, authConfig.AgentAuthTokenExpiry))
 		config.Storage.Files = append(config.Storage.Files, addNodesEnvFile)
+
+		// Enable auth token service
+		enabledServices = append(enabledServices, "agent-auth-token-status.service")
+
 		// Version matches the source cluster one
 		openshiftVersion = clusterInfo.Version
 		streamGetter = func(ctx context.Context) (*stream.Stream, error) {
@@ -260,11 +266,13 @@ func (a *Ignition) Generate(_ context.Context, dependencies asset.Parents) error
 		authConfig.PublicKey,
 		authConfig.AuthType,
 		authConfig.AgentAuthToken,
+		authConfig.AgentAuthTokenExpiry,
 		caBundleMount,
 		len(registriesConfig.MirrorConfig) > 0,
 		numMasters, numWorkers,
 		osImage,
-		infraEnv.Spec.Proxy)
+		infraEnv.Spec.Proxy,
+	)
 
 	err = bootstrap.AddStorageFiles(&config, "/", "agent/files", agentTemplateData)
 	if err != nil {
@@ -374,7 +382,7 @@ func addBootstrapScripts(config *igntypes.Config, releaseImage string) (err erro
 }
 
 func getTemplateData(name, pullSecret, releaseImageList, releaseImage, releaseImageMirror, publicContainerRegistries,
-	imageTypeISO, infraEnvID, publicKey, authType, token, caBundleMount string,
+	imageTypeISO, infraEnvID, publicKey, authType, token, tokenExpiry, caBundleMount string,
 	haveMirrorConfig bool,
 	numMasters, numWorkers int,
 	osImage *models.OsImage,
@@ -397,6 +405,7 @@ func getTemplateData(name, pullSecret, releaseImageList, releaseImage, releaseIm
 		PublicKeyPEM:              publicKey,
 		AuthType:                  authType,
 		Token:                     token,
+		TokenExpiry:               tokenExpiry,
 		CaBundleMount:             caBundleMount,
 	}
 }
@@ -431,11 +440,12 @@ WORKFLOW_TYPE=%s
 `, nodeZeroIP, serviceBaseURL.String(), imageServiceBaseURL.String(), token, token, workflowType)
 }
 
-func getAddNodesEnv(clusterInfo joiner.ClusterInfo) string {
+func getAddNodesEnv(clusterInfo joiner.ClusterInfo, authTokenExpiry string) string {
 	return fmt.Sprintf(`CLUSTER_ID=%s
 CLUSTER_NAME=%s
 CLUSTER_API_VIP_DNS_NAME=%s
-`, clusterInfo.ClusterID, clusterInfo.ClusterName, clusterInfo.APIDNSName)
+AGENT_AUTH_TOKEN_EXPIRY=%s
+`, clusterInfo.ClusterID, clusterInfo.ClusterName, clusterInfo.APIDNSName, authTokenExpiry)
 }
 
 func addStaticNetworkConfig(config *igntypes.Config, staticNetworkConfig []*models.HostStaticNetworkConfig) (err error) {

pkg/asset/agent/image/ignition_test.go

@@ -93,7 +93,7 @@ func TestIgnition_getTemplateData(t *testing.T) {
 
 	publicKey := "-----BEGIN EC PUBLIC KEY-----\nMHcCAQEEIOSCfDNmx0qe6dncV4tg==\n-----END EC PUBLIC KEY-----\n"
 	token := "someToken"
-	templateData := getTemplateData(clusterName, pullSecret, releaseImageList, releaseImage, releaseImageMirror, publicContainerRegistries, "minimal-iso", infraEnvID, publicKey, gencrypto.AuthType, token, "", haveMirrorConfig, agentClusterInstall.Spec.ProvisionRequirements.ControlPlaneAgents, agentClusterInstall.Spec.ProvisionRequirements.WorkerAgents, osImage, proxy)
+	templateData := getTemplateData(clusterName, pullSecret, releaseImageList, releaseImage, releaseImageMirror, publicContainerRegistries, "minimal-iso", infraEnvID, publicKey, gencrypto.AuthType, token, "", "", haveMirrorConfig, agentClusterInstall.Spec.ProvisionRequirements.ControlPlaneAgents, agentClusterInstall.Spec.ProvisionRequirements.WorkerAgents, osImage, proxy)
 	assert.Equal(t, clusterName, templateData.ClusterName)
 	assert.Equal(t, "http", templateData.ServiceProtocol)
 	assert.Equal(t, pullSecret, templateData.PullSecret)
@@ -395,6 +395,7 @@ func commonFiles() []string {
 		"/usr/local/bin/load-config-iso.sh",
 		"/etc/udev/rules.d/80-agent-config-image.rules",
 		"/usr/local/bin/add-node.sh",
+		"/usr/local/bin/agent-auth-token-status.sh",
 		"/usr/local/bin/common.sh",
 	}
 }