Merge pull request openshift#8393 from pawanpinjarkar/authenticate-systemd

openshift-merge-bot[bot] · web-flow · commit 341dcbf8ab8d · 2024-07-05T18:08:16.000Z
AGENT-876: Authenticate systemd services and curl requests
diff --git a/data/data/agent/files/usr/local/bin/add-node.sh b/data/data/agent/files/usr/local/bin/add-node.sh
@@ -2,15 +2,15 @@
 set -e
 
 # shellcheck disable=SC1091
-source issue_status.sh
-
-BASE_URL="${SERVICE_BASE_URL}api/assisted-install/v2"
+source "common.sh"
+# shellcheck disable=SC1091
+source "issue_status.sh"
 
 cluster_id=""
 while [[ "${cluster_id}" = "" ]]
 do
     # Get cluster id
-    cluster_id=$(curl -s -S "${BASE_URL}/clusters" | jq -r .[].id)
+    cluster_id=$(curl_assisted_service "/clusters" | jq -r .[].id)
     if [[ "${cluster_id}" = "" ]]; then
         sleep 2
     fi
@@ -24,7 +24,7 @@ status_issue="90_add-node"
 host_ready=false
 while [[ $host_ready == false ]]
 do
-    host_status=$(curl -s -S "${BASE_URL}/infra-envs/${INFRA_ENV_ID}/hosts" | jq -r ".[].status")
+    host_status=$(curl_assisted_service "/infra-envs/${INFRA_ENV_ID}/hosts" | jq -r ".[].status")
     if [[ "${host_status}" != "known" ]]; then
         printf '\\e{yellow}Waiting for the host to be ready' | set_issue "${status_issue}"
         sleep 10
@@ -33,12 +33,12 @@ do
     fi
 done
 
-HOST_ID=$(curl -s "${BASE_URL}/infra-envs/${INFRA_ENV_ID}/hosts" | jq -r '.[].id')
+HOST_ID=$(curl_assisted_service "/infra-envs/${INFRA_ENV_ID}/hosts" | jq -r '.[].id')
 printf '\nHost %s is ready for installation\n' "${HOST_ID}" 1>&2
 clear_issue "${status_issue}"
 
 # Add the current host to the cluster
-res=$(curl -X POST -s -S -w "%{http_code}\\n" -o /dev/null "${BASE_URL}/infra-envs/${INFRA_ENV_ID}/hosts/${HOST_ID}/actions/install")
+res=$(curl_assisted_service "/infra-envs/${INFRA_ENV_ID}/hosts/${HOST_ID}/actions/install" POST -w "%{http_code}" -o /dev/null)
 if [[ $res = "202" ]]; then 
     printf '\nHost installation started\n' 1>&2
 else
diff --git a/data/data/agent/files/usr/local/bin/common.sh b/data/data/agent/files/usr/local/bin/common.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+curl_assisted_service() {
+    local endpoint=$1
+    local method=${2:-GET}
+    local additional_options=("${@:3}")  # Capture all arguments starting from the third one
+    local baseURL="${SERVICE_BASE_URL}api/assisted-install/v2"
+
+    case "${method}" in
+        "POST")
+            curl -s -S -X POST "${additional_options[@]}" "${baseURL}${endpoint}" \
+            -H "Authorization: ${AGENT_AUTH_TOKEN}" \
+            -H "accept: application/json" \
+            -H "Content-Type: application/json" \
+            ;;
+        "GET")
+            curl -s -S -X GET "${additional_options[@]}" "${baseURL}${endpoint}" \
+            -H "Authorization: ${AGENT_AUTH_TOKEN}" \
+            -H "Accept: application/json"
+            ;;
+    esac
+}
diff --git a/data/data/agent/files/usr/local/bin/start-cluster-installation.sh b/data/data/agent/files/usr/local/bin/start-cluster-installation.sh
@@ -2,15 +2,15 @@
 set -e
 
 # shellcheck disable=SC1091
-source issue_status.sh
-
-BASE_URL="${SERVICE_BASE_URL}api/assisted-install/v2"
+source "common.sh"
+# shellcheck disable=SC1091
+source "issue_status.sh"
 
 cluster_id=""
 while [[ "${cluster_id}" = "" ]]
 do
     # Get cluster id
-    cluster_id=$(curl -s -S "${BASE_URL}/clusters" | jq -r .[].id)
+    cluster_id=$(curl_assisted_service "/clusters" GET | jq -r .[].id)
     if [[ "${cluster_id}" = "" ]]; then
         sleep 2
     fi
@@ -28,7 +28,7 @@ status_issue="90_start-install"
 num_known_hosts() {
     local known_hosts=0
     local insufficient_hosts=0
-    host_status=$(curl -s -S "${BASE_URL}/infra-envs/${INFRA_ENV_ID}/hosts" | jq -r .[].status)
+    host_status=$(curl_assisted_service "/infra-envs/${INFRA_ENV_ID}/hosts" GET | jq -r .[].status)
     if [[ -n ${host_status} ]]; then
         for status in ${host_status}; do
             if [[ "${status}" == "known" ]]; then
@@ -58,17 +58,17 @@ clear_issue "${status_issue}"
 while [[ "${cluster_status}" != "installed" ]]
 do
     sleep 5
-    cluster_status=$(curl -s -S "${BASE_URL}/clusters" | jq -r .[].status)
+    cluster_status=$(curl_assisted_service "/clusters" GET | jq -r .[].status)
     echo "Cluster status: ${cluster_status}" 1>&2
     # Start the cluster install, if it transitions back to Ready due to a failure,
     # then it will be restarted
     case "${cluster_status}" in
         "ready")
             echo "Starting cluster installation..." 1>&2
-            curl -s -S -X POST "${BASE_URL}/clusters/${cluster_id}/actions/install" \
-                -H 'accept: application/json' \
-                -d ''
-            echo "Cluster installation started" 1>&2
+            res=$(curl_assisted_service "/clusters/${cluster_id}/actions/install" POST -w "%{http_code}" -o /dev/null)
+            if [[ $res = "202" ]]; then 
+                printf '\nCluster installation started\n' 1>&2
+            fi
             ;&
         "installed" | "preparing-for-installation" | "installing")
             printf '\\e{lightgreen}Cluster installation in progress\\e{reset}' | set_issue "${status_issue}"
diff --git a/data/data/agent/files/usr/local/bin/wait-for-assisted-service.sh b/data/data/agent/files/usr/local/bin/wait-for-assisted-service.sh
@@ -1,8 +1,12 @@
 #!/bin/bash
 set -e
 
+# shellcheck disable=SC1091
+source "common.sh"
+
 echo "Waiting for assisted-service to be ready"
-until curl --output /dev/null --silent --fail "${SERVICE_BASE_URL}/api/assisted-install/v2/infra-envs"; do
+
+until curl_assisted_service "/infra-envs" GET -o /dev/null --silent --fail; do
     printf '.'
     sleep 5
 done
diff --git a/data/data/agent/files/usr/local/share/assisted-service/assisted-service.env.template b/data/data/agent/files/usr/local/share/assisted-service/assisted-service.env.template
@@ -19,3 +19,4 @@ OPENSHIFT_INSTALL_RELEASE_IMAGE_MIRROR={{.ReleaseImageMirror}}
 STORAGE=filesystem
 INFRA_ENV_ID={{.InfraEnvID}}
 EC_PUBLIC_KEY_PEM={{.PublicKeyPEM}}
+AGENT_AUTH_TOKEN={{.Token}}
diff --git a/data/data/agent/systemd/units/agent-register-cluster.service.template b/data/data/agent/systemd/units/agent-register-cluster.service.template
@@ -15,7 +15,7 @@ EnvironmentFile=/usr/local/share/assisted-service/agent-images.env
 EnvironmentFile=/usr/local/share/assisted-service/assisted-service.env
 ExecStartPre=/bin/rm -f %t/%n.ctr-id
 ExecStartPre=/usr/local/bin/wait-for-assisted-service.sh
-ExecStart=podman run --net host --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --rm --pod-id-file=%t/assisted-service-pod.pod-id --replace --name=agent-register-cluster -v /etc/assisted/manifests:/manifests -v /etc/assisted/extra-manifests:/extra-manifests {{ if .HaveMirrorConfig }}-v /etc/containers:/etc/containers{{ end }} {{.CaBundleMount}} --env SERVICE_BASE_URL --env OPENSHIFT_INSTALL_RELEASE_IMAGE_MIRROR $SERVICE_IMAGE /usr/local/bin/agent-installer-client registerCluster
+ExecStart=podman run --net host --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --rm --pod-id-file=%t/assisted-service-pod.pod-id --replace --name=agent-register-cluster -v /etc/assisted/manifests:/manifests -v /etc/assisted/extra-manifests:/extra-manifests {{ if .HaveMirrorConfig }}-v /etc/containers:/etc/containers{{ end }} {{.CaBundleMount}} --env SERVICE_BASE_URL --env OPENSHIFT_INSTALL_RELEASE_IMAGE_MIRROR --env AGENT_AUTH_TOKEN $SERVICE_IMAGE /usr/local/bin/agent-installer-client registerCluster
 ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
 ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
 
diff --git a/data/data/agent/systemd/units/agent-register-infraenv.service.template b/data/data/agent/systemd/units/agent-register-infraenv.service.template
@@ -12,7 +12,7 @@ EnvironmentFile=/etc/assisted/rendezvous-host.env
 EnvironmentFile=/usr/local/share/assisted-service/agent-images.env
 EnvironmentFile=/usr/local/share/assisted-service/assisted-service.env
 ExecStartPre=/bin/rm -f %t/%n.ctr-id
-ExecStart=podman run --net host --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --rm --pod-id-file=%t/assisted-service-pod.pod-id --replace --name=agent-register-infraenv -v /etc/assisted/manifests:/manifests --env SERVICE_BASE_URL --env IMAGE_TYPE_ISO $SERVICE_IMAGE /usr/local/bin/agent-installer-client registerInfraEnv
+ExecStart=podman run --net host --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --rm --pod-id-file=%t/assisted-service-pod.pod-id --replace --name=agent-register-infraenv -v /etc/assisted/manifests:/manifests --env SERVICE_BASE_URL --env IMAGE_TYPE_ISO --env AGENT_AUTH_TOKEN $SERVICE_IMAGE /usr/local/bin/agent-installer-client registerInfraEnv
 ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
 ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
 
diff --git a/data/data/agent/systemd/units/apply-host-config.service b/data/data/agent/systemd/units/apply-host-config.service
@@ -14,7 +14,7 @@ EnvironmentFile=/usr/local/share/assisted-service/assisted-service.env
 ExecStartPre=/bin/rm -f %t/%n.ctr-id
 ExecStartPre=/bin/mkdir -p %t/agent-installer /etc/assisted/hostconfig
 ExecStartPre=/usr/local/bin/wait-for-assisted-service.sh
-ExecStart=podman run --net host --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --restart=on-failure:10 --pod-id-file=%t/assisted-service-pod.pod-id --replace --name=apply-host-config -v /etc/assisted/hostconfig:/etc/assisted/hostconfig -v %t/agent-installer:/var/run/agent-installer:z --env SERVICE_BASE_URL --env INFRA_ENV_ID --env WORKFLOW_TYPE $SERVICE_IMAGE /usr/local/bin/agent-installer-client configure
+ExecStart=podman run --net host --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --restart=on-failure:10 --pod-id-file=%t/assisted-service-pod.pod-id --replace --name=apply-host-config -v /etc/assisted/hostconfig:/etc/assisted/hostconfig -v %t/agent-installer:/var/run/agent-installer:z --env SERVICE_BASE_URL --env INFRA_ENV_ID --env WORKFLOW_TYPE --env AGENT_AUTH_TOKEN $SERVICE_IMAGE /usr/local/bin/agent-installer-client configure
 ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
 ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
 
diff --git a/pkg/asset/agent/image/ignition.go b/pkg/asset/agent/image/ignition.go
@@ -75,6 +75,7 @@ type agentTemplateData struct {
 	ConfigImageFiles          string
 	ImageTypeISO              string
 	PublicKeyPEM              string
+	Token                     string
 	CaBundleMount             string
 }
 
@@ -261,6 +262,7 @@ func (a *Ignition) Generate(_ context.Context, dependencies asset.Parents) error
 		infraEnv.Spec.Proxy,
 		imageTypeISO,
 		keyPairAsset.PublicKey,
+		keyPairAsset.Token,
 		caBundleMount)
 
 	err = bootstrap.AddStorageFiles(&config, "/", "agent/files", agentTemplateData)
@@ -377,8 +379,7 @@ func getTemplateData(name, pullSecret, releaseImageList, releaseImage,
 	osImage *models.OsImage,
 	proxy *v1beta1.Proxy,
 	imageTypeISO,
-	publicKey string,
-	caBundleMount string) *agentTemplateData {
+	publicKey, token, caBundleMount string) *agentTemplateData {
 	return &agentTemplateData{
 		ServiceProtocol:           "http",
 		PullSecret:                pullSecret,
@@ -395,6 +396,7 @@ func getTemplateData(name, pullSecret, releaseImageList, releaseImage,
 		Proxy:                     proxy,
 		ImageTypeISO:              imageTypeISO,
 		PublicKeyPEM:              publicKey,
+		Token:                     token,
 		CaBundleMount:             caBundleMount,
 	}
 }
diff --git a/pkg/asset/agent/image/ignition_test.go b/pkg/asset/agent/image/ignition_test.go
@@ -92,8 +92,9 @@ func TestIgnition_getTemplateData(t *testing.T) {
 	clusterName := "test-agent-cluster-install.test"
 
 	publicKey := "-----BEGIN EC PUBLIC KEY-----\nMHcCAQEEIOSCfDNmx0qe6dncV4tg==\n-----END EC PUBLIC KEY-----\n"
+	token := "someToken"
 
-	templateData := getTemplateData(clusterName, pullSecret, releaseImageList, releaseImage, releaseImageMirror, haveMirrorConfig, publicContainerRegistries, agentClusterInstall.Spec.ProvisionRequirements.ControlPlaneAgents, agentClusterInstall.Spec.ProvisionRequirements.WorkerAgents, infraEnvID, osImage, proxy, "minimal-iso", publicKey, "")
+	templateData := getTemplateData(clusterName, pullSecret, releaseImageList, releaseImage, releaseImageMirror, haveMirrorConfig, publicContainerRegistries, agentClusterInstall.Spec.ProvisionRequirements.ControlPlaneAgents, agentClusterInstall.Spec.ProvisionRequirements.WorkerAgents, infraEnvID, osImage, proxy, "minimal-iso", publicKey, token, "")
 	assert.Equal(t, clusterName, templateData.ClusterName)
 	assert.Equal(t, "http", templateData.ServiceProtocol)
 	assert.Equal(t, pullSecret, templateData.PullSecret)
@@ -108,6 +109,7 @@ func TestIgnition_getTemplateData(t *testing.T) {
 	assert.Equal(t, osImage, templateData.OSImage)
 	assert.Equal(t, proxy, templateData.Proxy)
 	assert.Equal(t, publicKey, templateData.PublicKeyPEM)
+	assert.Equal(t, token, templateData.Token)
 }
 
 func TestIgnition_getRendezvousHostEnv(t *testing.T) {
@@ -391,6 +393,7 @@ func commonFiles() []string {
 		"/usr/local/bin/load-config-iso.sh",
 		"/etc/udev/rules.d/80-agent-config-image.rules",
 		"/usr/local/bin/add-node.sh",
+		"/usr/local/bin/common.sh",
 	}
 }
 
