Merge pull request openshift#8105 from pawanpinjarkar/generate-ecdsa-keys

AGENT-868: Generate ECDSA public private keys and pass it to assisted service

Author: openshift-merge-bot[bot]

data/data/agent/files/usr/local/share/assisted-service/assisted-service.env.template

@@ -18,3 +18,5 @@ RELEASE_IMAGES={{.ReleaseImages}}
 OPENSHIFT_INSTALL_RELEASE_IMAGE_MIRROR={{.ReleaseImageMirror}}
 STORAGE=filesystem
 INFRA_ENV_ID={{.InfraEnvID}}
+EC_PUBLIC_KEY_PEM={{.PublicKeyPEM}}
+EC_PRIVATE_KEY_PEM={{.PrivateKeyPEM}}

pkg/asset/agent/gencrypto/authconfig.go

@@ -0,0 +1,99 @@
+package gencrypto
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+
+	"github.com/openshift/installer/pkg/asset"
+)
+
+// AuthConfig is an asset that generates ECDSA public and private keys.
+type AuthConfig struct {
+	PublicKey, PrivateKey string
+}
+
+var _ asset.WritableAsset = (*AuthConfig)(nil)
+
+// Dependencies returns the assets on which the AuthConfig asset depends.
+func (a *AuthConfig) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Generate generates the auth config for agent installer APIs.
+func (a *AuthConfig) Generate(dependencies asset.Parents) error {
+	PublicKey, PrivateKey, err := keyPairPEM()
+	if err != nil {
+		return err
+	}
+	a.PublicKey = PublicKey
+	a.PrivateKey = PrivateKey
+
+	return nil
+}
+
+// Name returns the human-friendly name of the asset.
+func (a *AuthConfig) Name() string {
+	return "Agent Installer API Auth Config"
+}
+
+// Load returns the auth config from disk.
+func (a *AuthConfig) Load(f asset.FileFetcher) (bool, error) {
+	// The AuthConfig will not be needed by another asset so load is noop.
+	// This is implemented because it is required by WritableAsset
+	return false, nil
+}
+
+// Files returns the files generated by the asset.
+func (a *AuthConfig) Files() []*asset.File {
+	// Return empty array because File will never be loaded.
+	return []*asset.File{}
+}
+
+// Reused from assisted-service.
+// https://github.com/openshift/assisted-service/blob/d3c0122452c74ad208055b8b6ee412812431a83f/internal/gencrypto/keys.go#L13-L54
+func keyPairPEM() (string, string, error) {
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return "", "", err
+	}
+
+	// encode private key to PEM string
+	privBytes, err := x509.MarshalECPrivateKey(priv)
+	if err != nil {
+		return "", "", err
+	}
+
+	block := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: privBytes,
+	}
+
+	var privKeyPEM bytes.Buffer
+	err = pem.Encode(&privKeyPEM, block)
+	if err != nil {
+		return "", "", err
+	}
+
+	// encode public key to PEM string
+	pubBytes, err := x509.MarshalPKIXPublicKey(priv.Public())
+	if err != nil {
+		return "", "", err
+	}
+
+	block = &pem.Block{
+		Type:  "EC PUBLIC KEY",
+		Bytes: pubBytes,
+	}
+
+	var pubKeyPEM bytes.Buffer
+	err = pem.Encode(&pubKeyPEM, block)
+	if err != nil {
+		return "", "", err
+	}
+
+	return pubKeyPEM.String(), privKeyPEM.String(), nil
+}

pkg/asset/agent/gencrypto/authconfig_test.go

@@ -0,0 +1,28 @@
+package gencrypto
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAuthConfig_Generate(t *testing.T) {
+	cases := []struct {
+		name string
+	}{
+		{
+			name: "generate-public-private-keys",
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			authConfigAsset := &AuthConfig{}
+			err := authConfigAsset.Generate(nil)
+
+			assert.NoError(t, err)
+
+			assert.Contains(t, authConfigAsset.PrivateKey, "BEGIN EC PRIVATE KEY")
+			assert.Contains(t, authConfigAsset.PublicKey, "BEGIN EC PUBLIC KEY")
+		})
+	}
+}

pkg/asset/agent/image/ignition.go

@@ -23,6 +23,7 @@ import (
 	"github.com/openshift/installer/pkg/asset"
 	agentcommon "github.com/openshift/installer/pkg/asset/agent"
 	"github.com/openshift/installer/pkg/asset/agent/agentconfig"
+	"github.com/openshift/installer/pkg/asset/agent/gencrypto"
 	"github.com/openshift/installer/pkg/asset/agent/manifests"
 	"github.com/openshift/installer/pkg/asset/agent/mirror"
 	"github.com/openshift/installer/pkg/asset/ignition"
@@ -68,6 +69,8 @@ type agentTemplateData struct {
 	Proxy                     *v1beta1.Proxy
 	ConfigImageFiles          string
 	ImageTypeISO              string
+	PublicKeyPEM              string
+	PrivateKeyPEM             string
 }
 
 // Name returns the human-friendly name of the asset.
@@ -89,6 +92,7 @@ func (a *Ignition) Dependencies() []asset.Asset {
 		&agentconfig.AgentHosts{},
 		&mirror.RegistriesConf{},
 		&mirror.CaBundle{},
+		&gencrypto.AuthConfig{},
 	}
 }
 
@@ -98,7 +102,8 @@ func (a *Ignition) Generate(dependencies asset.Parents) error {
 	agentConfigAsset := &agentconfig.AgentConfig{}
 	agentHostsAsset := &agentconfig.AgentHosts{}
 	extraManifests := &manifests.ExtraManifests{}
-	dependencies.Get(agentManifests, agentConfigAsset, agentHostsAsset, extraManifests)
+	keyPairAsset := &gencrypto.AuthConfig{}
+	dependencies.Get(agentManifests, agentConfigAsset, agentHostsAsset, extraManifests, keyPairAsset)
 
 	pwd := &password.KubeadminPassword{}
 	dependencies.Get(pwd)
@@ -193,7 +198,10 @@ func (a *Ignition) Generate(dependencies asset.Parents) error {
 		infraEnvID,
 		osImage,
 		infraEnv.Spec.Proxy,
-		imageTypeISO)
+		imageTypeISO,
+		keyPairAsset.PrivateKey,
+		keyPairAsset.PublicKey,
+	)
 
 	err = bootstrap.AddStorageFiles(&config, "/", "agent/files", agentTemplateData)
 	if err != nil {
@@ -309,7 +317,7 @@ func getTemplateData(name, pullSecret, releaseImageList, releaseImage,
 	infraEnvID string,
 	osImage *models.OsImage,
 	proxy *v1beta1.Proxy,
-	imageTypeISO string) *agentTemplateData {
+	imageTypeISO, privateKey, publicKey string) *agentTemplateData {
 	return &agentTemplateData{
 		ServiceProtocol:           "http",
 		PullSecret:                pullSecret,
@@ -325,6 +333,8 @@ func getTemplateData(name, pullSecret, releaseImageList, releaseImage,
 		OSImage:                   osImage,
 		Proxy:                     proxy,
 		ImageTypeISO:              imageTypeISO,
+		PrivateKeyPEM:             privateKey,
+		PublicKeyPEM:              publicKey,
 	}
 }
 

pkg/asset/agent/image/ignition_test.go

@@ -21,6 +21,7 @@ import (
 	hivev1 "github.com/openshift/hive/apis/hive/v1"
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/agent/agentconfig"
+	"github.com/openshift/installer/pkg/asset/agent/gencrypto"
 	"github.com/openshift/installer/pkg/asset/agent/manifests"
 	"github.com/openshift/installer/pkg/asset/agent/mirror"
 	"github.com/openshift/installer/pkg/asset/password"
@@ -86,7 +87,10 @@ func TestIgnition_getTemplateData(t *testing.T) {
 	}
 	clusterName := "test-agent-cluster-install.test"
 
-	templateData := getTemplateData(clusterName, pullSecret, releaseImageList, releaseImage, releaseImageMirror, haveMirrorConfig, publicContainerRegistries, agentClusterInstall, infraEnvID, osImage, proxy, "minimal-iso")
+	privateKey := "-----BEGIN EC PUBLIC KEY-----\nMFkwEwYHKoAiDHV4tg==\n-----END EC PUBLIC KEY-----\n"
+	publicKey := "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIOSCfDNmx0qe6dncV4tg==\n-----END EC PRIVATE KEY-----\n"
+
+	templateData := getTemplateData(clusterName, pullSecret, releaseImageList, releaseImage, releaseImageMirror, haveMirrorConfig, publicContainerRegistries, agentClusterInstall, infraEnvID, osImage, proxy, "minimal-iso", privateKey, publicKey)
 	assert.Equal(t, clusterName, templateData.ClusterName)
 	assert.Equal(t, "http", templateData.ServiceProtocol)
 	assert.Equal(t, pullSecret, templateData.PullSecret)
@@ -100,6 +104,8 @@ func TestIgnition_getTemplateData(t *testing.T) {
 	assert.Equal(t, infraEnvID, templateData.InfraEnvID)
 	assert.Equal(t, osImage, templateData.OSImage)
 	assert.Equal(t, proxy, templateData.Proxy)
+	assert.Equal(t, privateKey, templateData.PrivateKeyPEM)
+	assert.Equal(t, publicKey, templateData.PublicKeyPEM)
 }
 
 func TestIgnition_getRendezvousHostEnv(t *testing.T) {
@@ -657,6 +663,7 @@ func buildIgnitionAssetDefaultDependencies(t *testing.T) []asset.Asset {
 		&tls.KubeAPIServerServiceNetworkSignerCertKey{},
 		&tls.AdminKubeConfigSignerCertKey{},
 		&tls.AdminKubeConfigClientCertKey{},
+		&gencrypto.AuthConfig{},
 	}
 }