AGENT-871: Authenticate wait-for commands

- Base64 encode ECDSA public, private keys
- Set Authorization header param in the client

Author: pawanpinjarkar

cmd/openshift-install/agent/waitfor.go

@@ -71,8 +71,13 @@ func newWaitForBootstrapCompleteCmd() *cobra.Command {
 				logrus.Fatal(err)
 			}
 
+			authToken, err := agentpkg.FindAuthTokenFromAssetStore(assetDir)
+			if err != nil {
+				logrus.Fatal(err)
+			}
+
 			ctx := context.Background()
-			cluster, err := agentpkg.NewCluster(ctx, assetDir, rendezvousIP, kubeconfigPath, sshKey, workflow.AgentWorkflowTypeInstall)
+			cluster, err := agentpkg.NewCluster(ctx, assetDir, rendezvousIP, kubeconfigPath, sshKey, authToken, workflow.AgentWorkflowTypeInstall)
 			if err != nil {
 				logrus.Exit(exitCodeBootstrapFailed)
 			}
@@ -106,8 +111,13 @@ func newWaitForInstallCompleteCmd() *cobra.Command {
 				logrus.Fatal(err)
 			}
 
+			authToken, err := agentpkg.FindAuthTokenFromAssetStore(assetDir)
+			if err != nil {
+				logrus.Fatal(err)
+			}
+
 			ctx := context.Background()
-			cluster, err := agentpkg.NewCluster(ctx, assetDir, rendezvousIP, kubeconfigPath, sshKey, workflow.AgentWorkflowTypeInstall)
+			cluster, err := agentpkg.NewCluster(ctx, assetDir, rendezvousIP, kubeconfigPath, sshKey, authToken, workflow.AgentWorkflowTypeInstall)
 			if err != nil {
 				logrus.Exit(exitCodeBootstrapFailed)
 			}

go.mod

@@ -42,6 +42,7 @@ require (
 	github.com/diskfs/go-diskfs v1.4.0
 	github.com/form3tech-oss/jwt-go v3.2.3+incompatible
 	github.com/go-openapi/errors v0.22.0
+	github.com/go-openapi/runtime v0.26.2
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-openapi/swag v0.23.0
 	github.com/go-playground/validator/v10 v10.19.0

pkg/agent/cluster.go

@@ -66,11 +66,11 @@ type clusterInstallStatusHistory struct {
 }
 
 // NewCluster initializes a Cluster object
-func NewCluster(ctx context.Context, assetDir, rendezvousIP, kubeconfigPath, sshKey string, workflowType workflow.AgentWorkflowType) (*Cluster, error) {
+func NewCluster(ctx context.Context, assetDir, rendezvousIP, kubeconfigPath, sshKey, authToken string, workflowType workflow.AgentWorkflowType) (*Cluster, error) {
 	czero := &Cluster{}
 	capi := &clientSet{}
 
-	restclient, err := NewNodeZeroRestClient(ctx, rendezvousIP, sshKey)
+	restclient, err := NewNodeZeroRestClient(ctx, rendezvousIP, sshKey, authToken)
 	if err != nil {
 		logrus.Fatal(err)
 	}

pkg/agent/rest.go

@@ -15,6 +15,7 @@ import (
 	"github.com/openshift/assisted-service/client/installer"
 	"github.com/openshift/assisted-service/models"
 	"github.com/openshift/installer/pkg/asset/agent/agentconfig"
+	"github.com/openshift/installer/pkg/asset/agent/gencrypto"
 	"github.com/openshift/installer/pkg/asset/agent/image"
 	"github.com/openshift/installer/pkg/asset/agent/manifests"
 	"github.com/openshift/installer/pkg/asset/installconfig"
@@ -32,7 +33,7 @@ type NodeZeroRestClient struct {
 }
 
 // NewNodeZeroRestClient Initialize a new rest client to interact with the Agent Rest API on node zero.
-func NewNodeZeroRestClient(ctx context.Context, rendezvousIP string, sshKey string) (*NodeZeroRestClient, error) {
+func NewNodeZeroRestClient(ctx context.Context, rendezvousIP, sshKey, token string) (*NodeZeroRestClient, error) {
 	restClient := &NodeZeroRestClient{}
 
 	// Get SSH Keys which can be used to determine if Rest API failures are due to network connectivity issues
@@ -46,6 +47,9 @@ func NewNodeZeroRestClient(ctx context.Context, rendezvousIP string, sshKey stri
 		Host:   net.JoinHostPort(rendezvousIP, "8090"),
 		Path:   client.DefaultBasePath,
 	}
+
+	config.AuthInfo = gencrypto.UserAuthHeaderWriter(token)
+
 	client := client.New(config)
 
 	restClient.Client = client
@@ -115,6 +119,26 @@ func FindRendezvouIPAndSSHKeyFromAssetStore(assetDir string) (string, string, er
 	return rendezvousIP, sshKey, nil
 }
 
+// FindAuthTokenFromAssetStore returns the auth token.
+func FindAuthTokenFromAssetStore(assetDir string) (string, error) {
+	authConfigAsset := &gencrypto.AuthConfig{}
+
+	assetStore, err := assetstore.NewStore(assetDir)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to create asset store")
+	}
+
+	authConfig, authConfigError := assetStore.Load(authConfigAsset)
+
+	if authConfigError != nil {
+		logrus.Debug(errors.Wrapf(authConfigError, "failed to load %s", authConfigAsset.Name()))
+	}
+
+	token := authConfig.(*gencrypto.AuthConfig).Token
+
+	return token, nil
+}
+
 // IsRestAPILive Determine if the Agent Rest API on node zero has initialized
 func (rest *NodeZeroRestClient) IsRestAPILive() bool {
 	// GET /v2/infraenvs

pkg/asset/agent/gencrypto/auth_utils.go

@@ -0,0 +1,13 @@
+package gencrypto
+
+import (
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+)
+
+// UserAuthHeaderWriter sets the JWT authorization token.
+func UserAuthHeaderWriter(token string) runtime.ClientAuthInfoWriter {
+	return runtime.ClientAuthInfoWriterFunc(func(r runtime.ClientRequest, _ strfmt.Registry) error {
+		return r.SetHeaderParam("Authorization", token)
+	})
+}

pkg/asset/agent/gencrypto/authconfig.go

@@ -6,6 +6,7 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/pem"
 
 	"github.com/golang-jwt/jwt/v4"
@@ -19,6 +20,8 @@ type AuthConfig struct {
 	PublicKey, PrivateKey, Token string
 }
 
+var _ asset.Asset = (*AuthConfig)(nil)
+
 // LocalJWTKeyType suggests the key type to be used for the token.
 type LocalJWTKeyType string
 
@@ -40,14 +43,19 @@ func (a *AuthConfig) Dependencies() []asset.Asset {
 func (a *AuthConfig) Generate(dependencies asset.Parents) error {
 	infraEnvID := &common.InfraEnvID{}
 	dependencies.Get(infraEnvID)
+
 	PublicKey, PrivateKey, err := keyPairPEM()
 	if err != nil {
 		return err
 	}
-	a.PublicKey = PublicKey
-	a.PrivateKey = PrivateKey
+	// Encode to Base64 (Standard encoding)
+	encodedPrivateKeyPEM := base64.StdEncoding.EncodeToString([]byte(PrivateKey))
+	encodedPubKeyPEM := base64.StdEncoding.EncodeToString([]byte(PublicKey))
+
+	a.PrivateKey = encodedPrivateKeyPEM
+	a.PublicKey = encodedPubKeyPEM
 
-	token, err := localJWTForKey(infraEnvID.ID, a.PrivateKey)
+	token, err := localJWTForKey(infraEnvID.ID, PrivateKey)
 	if err != nil {
 		return err
 	}
@@ -57,7 +65,7 @@ func (a *AuthConfig) Generate(dependencies asset.Parents) error {
 }
 
 // Name returns the human-friendly name of the asset.
-func (a *AuthConfig) Name() string {
+func (*AuthConfig) Name() string {
 	return "Agent Installer API Auth Config"
 }
 

pkg/asset/agent/gencrypto/authconfig_test.go

@@ -27,8 +27,8 @@ func TestAuthConfig_Generate(t *testing.T) {
 
 			assert.NoError(t, err)
 
-			assert.Contains(t, authConfigAsset.PrivateKey, "BEGIN EC PRIVATE KEY")
-			assert.Contains(t, authConfigAsset.PublicKey, "BEGIN EC PUBLIC KEY")
+			assert.NotEmpty(t, authConfigAsset.PrivateKey)
+			assert.NotEmpty(t, authConfigAsset.PublicKey)
 			assert.NotEmpty(t, authConfigAsset.Token)
 		})
 	}

pkg/nodejoiner/monitoraddnodes.go

@@ -16,7 +16,8 @@ func NewMonitorAddNodesCommand(directory, kubeconfigPath string, ips []string) e
 		return err
 	}
 
-	cluster, err := agentpkg.NewCluster(context.Background(), "", ips[0], kubeconfigPath, "", workflow.AgentWorkflowTypeAddNodes)
+	var token string
+	cluster, err := agentpkg.NewCluster(context.Background(), "", ips[0], kubeconfigPath, "", token, workflow.AgentWorkflowTypeAddNodes)
 	if err != nil {
 		// TODO exit code enumerate
 		logrus.Exit(1)