Merge pull request openshift#8270 from pawanpinjarkar/authenticate-wait-for

AGENT-871: Authenticate wait for

Author: openshift-merge-bot[bot]

data/data/agent/files/usr/local/share/assisted-service/assisted-service.env.template

@@ -19,4 +19,3 @@ OPENSHIFT_INSTALL_RELEASE_IMAGE_MIRROR={{.ReleaseImageMirror}}
 STORAGE=filesystem
 INFRA_ENV_ID={{.InfraEnvID}}
 EC_PUBLIC_KEY_PEM={{.PublicKeyPEM}}
-EC_PRIVATE_KEY_PEM={{.PrivateKeyPEM}}

go.mod

@@ -42,6 +42,7 @@ require (
 	github.com/diskfs/go-diskfs v1.4.0
 	github.com/form3tech-oss/jwt-go v3.2.3+incompatible
 	github.com/go-openapi/errors v0.22.0
+	github.com/go-openapi/runtime v0.28.0
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-openapi/swag v0.23.0
 	github.com/go-playground/validator/v10 v10.19.0
@@ -177,7 +178,6 @@ require (
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/loads v0.22.0 // indirect
-	github.com/go-openapi/runtime v0.28.0 // indirect
 	github.com/go-openapi/spec v0.21.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect

pkg/agent/cluster.go

@@ -70,7 +70,12 @@ func NewCluster(ctx context.Context, assetDir, rendezvousIP, kubeconfigPath, ssh
 	czero := &Cluster{}
 	capi := &clientSet{}
 
-	restclient, err := NewNodeZeroRestClient(ctx, rendezvousIP, sshKey)
+	authToken, err := FindAuthTokenFromAssetStore(assetDir)
+	if err != nil {
+		logrus.Fatal(err)
+	}
+
+	restclient, err := NewNodeZeroRestClient(ctx, rendezvousIP, sshKey, authToken)
 	if err != nil {
 		logrus.Fatal(err)
 	}

pkg/agent/rest.go

@@ -15,6 +15,7 @@ import (
 	"github.com/openshift/assisted-service/client/installer"
 	"github.com/openshift/assisted-service/models"
 	"github.com/openshift/installer/pkg/asset/agent/agentconfig"
+	"github.com/openshift/installer/pkg/asset/agent/gencrypto"
 	"github.com/openshift/installer/pkg/asset/agent/image"
 	"github.com/openshift/installer/pkg/asset/agent/manifests"
 	"github.com/openshift/installer/pkg/asset/installconfig"
@@ -32,7 +33,7 @@ type NodeZeroRestClient struct {
 }
 
 // NewNodeZeroRestClient Initialize a new rest client to interact with the Agent Rest API on node zero.
-func NewNodeZeroRestClient(ctx context.Context, rendezvousIP string, sshKey string) (*NodeZeroRestClient, error) {
+func NewNodeZeroRestClient(ctx context.Context, rendezvousIP, sshKey, token string) (*NodeZeroRestClient, error) {
 	restClient := &NodeZeroRestClient{}
 
 	// Get SSH Keys which can be used to determine if Rest API failures are due to network connectivity issues
@@ -46,6 +47,9 @@ func NewNodeZeroRestClient(ctx context.Context, rendezvousIP string, sshKey stri
 		Host:   net.JoinHostPort(rendezvousIP, "8090"),
 		Path:   client.DefaultBasePath,
 	}
+
+	config.AuthInfo = gencrypto.UserAuthHeaderWriter(token)
+
 	client := client.New(config)
 
 	restClient.Client = client
@@ -115,6 +119,27 @@ func FindRendezvouIPAndSSHKeyFromAssetStore(assetDir string) (string, string, er
 	return rendezvousIP, sshKey, nil
 }
 
+// FindAuthTokenFromAssetStore returns the auth token.
+func FindAuthTokenFromAssetStore(assetDir string) (string, error) {
+	authConfigAsset := &gencrypto.AuthConfig{}
+
+	assetStore, err := assetstore.NewStore(assetDir)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to create asset store")
+	}
+
+	authConfig, authConfigError := assetStore.Load(authConfigAsset)
+
+	if authConfigError != nil {
+		logrus.Debug(errors.Wrapf(authConfigError, "failed to load %s", authConfigAsset.Name()))
+		return "", errors.New("failed to load AuthConfig")
+	}
+
+	token := authConfig.(*gencrypto.AuthConfig).Token
+
+	return token, nil
+}
+
 // IsRestAPILive Determine if the Agent Rest API on node zero has initialized
 func (rest *NodeZeroRestClient) IsRestAPILive() bool {
 	// GET /v2/infraenvs

pkg/asset/agent/gencrypto/auth_utils.go

@@ -0,0 +1,13 @@
+package gencrypto
+
+import (
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+)
+
+// UserAuthHeaderWriter sets the JWT authorization token.
+func UserAuthHeaderWriter(token string) runtime.ClientAuthInfoWriter {
+	return runtime.ClientAuthInfoWriterFunc(func(r runtime.ClientRequest, _ strfmt.Registry) error {
+		return r.SetHeaderParam("Authorization", token)
+	})
+}

pkg/asset/agent/gencrypto/authconfig.go

@@ -7,6 +7,7 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/pem"
 
 	"github.com/golang-jwt/jwt/v4"
@@ -17,9 +18,11 @@ import (
 
 // AuthConfig is an asset that generates ECDSA public/private keys, JWT token.
 type AuthConfig struct {
-	PublicKey, PrivateKey, Token string
+	PublicKey, Token string
 }
 
+var _ asset.Asset = (*AuthConfig)(nil)
+
 // LocalJWTKeyType suggests the key type to be used for the token.
 type LocalJWTKeyType string
 
@@ -41,14 +44,17 @@ func (a *AuthConfig) Dependencies() []asset.Asset {
 func (a *AuthConfig) Generate(_ context.Context, dependencies asset.Parents) error {
 	infraEnvID := &common.InfraEnvID{}
 	dependencies.Get(infraEnvID)
-	PublicKey, PrivateKey, err := keyPairPEM()
+
+	publicKey, privateKey, err := keyPairPEM()
 	if err != nil {
 		return err
 	}
-	a.PublicKey = PublicKey
-	a.PrivateKey = PrivateKey
+	// Encode to Base64 (Standard encoding)
+	encodedPubKeyPEM := base64.StdEncoding.EncodeToString([]byte(publicKey))
+
+	a.PublicKey = encodedPubKeyPEM
 
-	token, err := localJWTForKey(infraEnvID.ID, a.PrivateKey)
+	token, err := localJWTForKey(infraEnvID.ID, privateKey)
 	if err != nil {
 		return err
 	}
@@ -58,7 +64,7 @@ func (a *AuthConfig) Generate(_ context.Context, dependencies asset.Parents) err
 }
 
 // Name returns the human-friendly name of the asset.
-func (a *AuthConfig) Name() string {
+func (*AuthConfig) Name() string {
 	return "Agent Installer API Auth Config"
 }
 

pkg/asset/agent/gencrypto/authconfig_test.go

@@ -15,7 +15,7 @@ func TestAuthConfig_Generate(t *testing.T) {
 		name string
 	}{
 		{
-			name: "generate-public-private-keys",
+			name: "generate-public-key-and-token",
 		},
 	}
 	for _, tc := range cases {
@@ -28,8 +28,7 @@ func TestAuthConfig_Generate(t *testing.T) {
 
 			assert.NoError(t, err)
 
-			assert.Contains(t, authConfigAsset.PrivateKey, "BEGIN EC PRIVATE KEY")
-			assert.Contains(t, authConfigAsset.PublicKey, "BEGIN EC PUBLIC KEY")
+			assert.NotEmpty(t, authConfigAsset.PublicKey)
 			assert.NotEmpty(t, authConfigAsset.Token)
 		})
 	}

pkg/asset/agent/image/ignition.go

@@ -73,7 +73,6 @@ type agentTemplateData struct {
 	ConfigImageFiles          string
 	ImageTypeISO              string
 	PublicKeyPEM              string
-	PrivateKeyPEM             string
 	CaBundleMount             string
 }
 
@@ -255,7 +254,6 @@ func (a *Ignition) Generate(_ context.Context, dependencies asset.Parents) error
 		osImage,
 		infraEnv.Spec.Proxy,
 		imageTypeISO,
-		keyPairAsset.PrivateKey,
 		keyPairAsset.PublicKey,
 		caBundleMount)
 
@@ -373,7 +371,7 @@ func getTemplateData(name, pullSecret, releaseImageList, releaseImage,
 	osImage *models.OsImage,
 	proxy *v1beta1.Proxy,
 	imageTypeISO,
-	privateKey, publicKey string,
+	publicKey string,
 	caBundleMount string) *agentTemplateData {
 	return &agentTemplateData{
 		ServiceProtocol:           "http",
@@ -390,7 +388,6 @@ func getTemplateData(name, pullSecret, releaseImageList, releaseImage,
 		OSImage:                   osImage,
 		Proxy:                     proxy,
 		ImageTypeISO:              imageTypeISO,
-		PrivateKeyPEM:             privateKey,
 		PublicKeyPEM:              publicKey,
 		CaBundleMount:             caBundleMount,
 	}

pkg/asset/agent/image/ignition_test.go

@@ -91,10 +91,9 @@ func TestIgnition_getTemplateData(t *testing.T) {
 	}
 	clusterName := "test-agent-cluster-install.test"
 
-	privateKey := "-----BEGIN EC PUBLIC KEY-----\nMFkwEwYHKoAiDHV4tg==\n-----END EC PUBLIC KEY-----\n"
-	publicKey := "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIOSCfDNmx0qe6dncV4tg==\n-----END EC PRIVATE KEY-----\n" //nolint:gosec
+	publicKey := "-----BEGIN EC PUBLIC KEY-----\nMHcCAQEEIOSCfDNmx0qe6dncV4tg==\n-----END EC PUBLIC KEY-----\n"
 
-	templateData := getTemplateData(clusterName, pullSecret, releaseImageList, releaseImage, releaseImageMirror, haveMirrorConfig, publicContainerRegistries, agentClusterInstall.Spec.ProvisionRequirements.ControlPlaneAgents, agentClusterInstall.Spec.ProvisionRequirements.WorkerAgents, infraEnvID, osImage, proxy, "minimal-iso", privateKey, publicKey, "")
+	templateData := getTemplateData(clusterName, pullSecret, releaseImageList, releaseImage, releaseImageMirror, haveMirrorConfig, publicContainerRegistries, agentClusterInstall.Spec.ProvisionRequirements.ControlPlaneAgents, agentClusterInstall.Spec.ProvisionRequirements.WorkerAgents, infraEnvID, osImage, proxy, "minimal-iso", publicKey, "")
 	assert.Equal(t, clusterName, templateData.ClusterName)
 	assert.Equal(t, "http", templateData.ServiceProtocol)
 	assert.Equal(t, pullSecret, templateData.PullSecret)
@@ -108,7 +107,6 @@ func TestIgnition_getTemplateData(t *testing.T) {
 	assert.Equal(t, infraEnvID, templateData.InfraEnvID)
 	assert.Equal(t, osImage, templateData.OSImage)
 	assert.Equal(t, proxy, templateData.Proxy)
-	assert.Equal(t, privateKey, templateData.PrivateKeyPEM)
 	assert.Equal(t, publicKey, templateData.PublicKeyPEM)
 }