Merge pull request openshift#8395 from pawanpinjarkar/authenticate-agent-service

openshift-merge-bot[bot] · web-flow · commit a8b4b1cc6bae · 2024-07-09T07:45:06.000Z
AGENT-875: Authenticate agents
diff --git a/data/data/agent/files/usr/local/bin/start-agent.sh b/data/data/agent/files/usr/local/bin/start-agent.sh
@@ -1,11 +1,14 @@
 #!/bin/bash
 
+# shellcheck disable=SC1091
+source "common.sh"
+
 >&2 echo "Waiting for infra-env-id to be available"
 INFRA_ENV_ID=""
 until [[ $INFRA_ENV_ID != "" && $INFRA_ENV_ID != "null" ]]; do
     sleep 5
     >&2 echo "Querying assisted-service for infra-env-id..."
-    INFRA_ENV_ID=$(curl -s -S "${SERVICE_BASE_URL}/api/assisted-install/v2/infra-envs" | jq -r .[0].id)
+    INFRA_ENV_ID=$(curl_assisted_service "/infra-envs" GET | jq -r .[0].id)
 done
 echo "Fetched infra-env-id and found: $INFRA_ENV_ID"
 
diff --git a/pkg/asset/agent/image/ignition.go b/pkg/asset/agent/image/ignition.go
@@ -272,7 +272,7 @@ func (a *Ignition) Generate(_ context.Context, dependencies asset.Parents) error
 
 	rendezvousHostFile := ignition.FileFromString(rendezvousHostEnvPath,
 		"root", 0644,
-		getRendezvousHostEnv(agentTemplateData.ServiceProtocol, a.RendezvousIP, agentWorkflow.Workflow))
+		getRendezvousHostEnv(agentTemplateData.ServiceProtocol, a.RendezvousIP, keyPairAsset.Token, agentWorkflow.Workflow))
 	config.Storage.Files = append(config.Storage.Files, rendezvousHostFile)
 
 	err = addBootstrapScripts(&config, agentManifests.ClusterImageSet.Spec.ReleaseImage)
@@ -378,8 +378,7 @@ func getTemplateData(name, pullSecret, releaseImageList, releaseImage,
 	infraEnvID string,
 	osImage *models.OsImage,
 	proxy *v1beta1.Proxy,
-	imageTypeISO,
-	publicKey, token, caBundleMount string) *agentTemplateData {
+	imageTypeISO, publicKey, token, caBundleMount string) *agentTemplateData {
 	return &agentTemplateData{
 		ServiceProtocol:           "http",
 		PullSecret:                pullSecret,
@@ -401,7 +400,7 @@ func getTemplateData(name, pullSecret, releaseImageList, releaseImage,
 	}
 }
 
-func getRendezvousHostEnv(serviceProtocol, nodeZeroIP string, workflowType workflow.AgentWorkflowType) string {
+func getRendezvousHostEnv(serviceProtocol, nodeZeroIP, token string, workflowType workflow.AgentWorkflowType) string {
 	serviceBaseURL := url.URL{
 		Scheme: serviceProtocol,
 		Host:   net.JoinHostPort(nodeZeroIP, "8090"),
@@ -412,12 +411,23 @@ func getRendezvousHostEnv(serviceProtocol, nodeZeroIP string, workflowType workf
 		Host:   net.JoinHostPort(nodeZeroIP, "8888"),
 		Path:   "/",
 	}
+	// AGENT_AUTH_TOKEN is required to authenticate API requests against agent-installer-local auth type.
+	// PULL_SECRET_TOKEN contains the same value as AGENT_AUTH_TOKEN. The name PULL_SECRET_TOKEN is used in
+	// assisted-installer-agent, which is responsible for authenticating API requests related to agents.
+	// Historically, PULL_SECRET_TOKEN was used solely to store the pull secrets.
+	// However, as the authentication mechanisms have evolved, PULL_SECRET_TOKEN now
+	// stores a JWT (JSON Web Token) in the context of local authentication.
+	// Consequently, PULL_SECRET_TOKEN must be set with the value of AGENT_AUTH_TOKEN to maintain compatibility
+	// and ensure successful authentication.
+	// In the absence of PULL_SECRET_TOKEN, the cluster installation will wait forever.
 
 	return fmt.Sprintf(`NODE_ZERO_IP=%s
 SERVICE_BASE_URL=%s
 IMAGE_SERVICE_BASE_URL=%s
+AGENT_AUTH_TOKEN=%s
+PULL_SECRET_TOKEN=%s
 WORKFLOW_TYPE=%s
-`, nodeZeroIP, serviceBaseURL.String(), imageServiceBaseURL.String(), workflowType)
+`, nodeZeroIP, serviceBaseURL.String(), imageServiceBaseURL.String(), token, token, workflowType)
 }
 
 func getAddNodesEnv(clusterInfo joiner.ClusterInfo) string {
diff --git a/pkg/asset/agent/image/ignition_test.go b/pkg/asset/agent/image/ignition_test.go
@@ -114,9 +114,10 @@ func TestIgnition_getTemplateData(t *testing.T) {
 
 func TestIgnition_getRendezvousHostEnv(t *testing.T) {
 	nodeZeroIP := "2001:db8::dead:beef"
-	rendezvousHostEnv := getRendezvousHostEnv("http", nodeZeroIP, workflow.AgentWorkflowTypeInstall)
+	token := "someToken"
+	rendezvousHostEnv := getRendezvousHostEnv("http", nodeZeroIP, token, workflow.AgentWorkflowTypeInstall)
 	assert.Equal(t,
-		"NODE_ZERO_IP="+nodeZeroIP+"\nSERVICE_BASE_URL=http://["+nodeZeroIP+"]:8090/\nIMAGE_SERVICE_BASE_URL=http://["+nodeZeroIP+"]:8888/\nWORKFLOW_TYPE=install\n",
+		"NODE_ZERO_IP="+nodeZeroIP+"\nSERVICE_BASE_URL=http://["+nodeZeroIP+"]:8090/\nIMAGE_SERVICE_BASE_URL=http://["+nodeZeroIP+"]:8888/\nAGENT_AUTH_TOKEN="+token+"\nPULL_SECRET_TOKEN="+token+"\nWORKFLOW_TYPE=install\n",
 		rendezvousHostEnv)
 }
 
