AGENT-1136, AGENT-1229: Add auth to unconfigured-ignition

[zaneb]

This adds auth support to the unconfigured-ignition. This has no effect
on the appliance, because all of the relevant files are overwritten by
the config ISO when it is attached so it is the config ISO that
ultimately controls the auth settings.

However, for the interactive installer, this means that the
unconfigured-ignition generated by assisted-service will contain the
necessary keys/tokens and config to enable auth.

This change depends on openshift-assisted/assisted-installer-ui#3454

[openshift-ci-robot]

@zaneb: This pull request references AGENT-1136 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references AGENT-1236 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This adds auth support to the unconfigured-ignition. This has no effect
on the appliance, because all of the relevant files are overwritten by
the config ISO when it is attached so it is the config ISO that
ultimately controls the auth settings.

However, for the interactive installer, this means that the
unconfigured-ignition generated by assisted-service will contain the
necessary keys/tokens and config to enable auth.

This change depends on openshift-assisted/assisted-installer-ui#3454

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 858a50a8-028f-478f-9082-a806ef92b4c8

📥 Commits

Reviewing files that changed from the base of the PR and between 351ef05 and 448f168.

📒 Files selected for processing (3)

• pkg/asset/agent/image/ignition.go
• pkg/asset/agent/image/unconfigured_ignition.go
• pkg/asset/agent/image/unconfigured_ignition_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/asset/agent/image/ignition.go

---

Walkthrough

Removed token expiry from ignition template data and getTemplateData; added gencrypto.AuthConfig as a dependency and populated ignition templates with authentication fields (public key and tokens); updated rendezvous file permissions to 0600; adjusted agent UI systemd unit ExecStart to export AIUI_APP_API_URL and USER_AUTH_TOKEN.

Changes

Cohort / File(s)	Summary
Systemd Unit Configuration data/data/agent/systemd/units/agent-ui.service.template	ExecStart podman run now exposes AIUI_APP_API_URL via --env (no inline value) and adds USER_AUTH_TOKEN via --env; final image argument ($INSTALLER_UI_IMAGE) unchanged.
Ignition Template Core pkg/asset/agent/image/ignition.go	Removed TokenExpiry from agentTemplateData; removed tokenExpiry/authTokenExpiry parameter from getTemplateData and updated call sites.
Unconfigured Ignition Asset pkg/asset/agent/image/unconfigured_ignition.go	Added gencrypto.AuthConfig dependency; Generate now fetches authConfig and sets PublicKeyPEM, AgentAuthToken, UserAuthToken, WatcherAuthToken, and AuthType into template data; rendezvous host file permissions changed from 0644 to 0600.
Tests pkg/asset/agent/image/unconfigured_ignition_test.go, pkg/asset/agent/image/ignition_test.go	Tests updated to include gencrypto.AuthConfig dependency and to match the new getTemplateData signature (removed parameters).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	Test file mentioned in PR summary (unconfigured_ignition_test.go) cannot be located or examined in the repository to verify Ginkgo test quality requirements.	Provide access to the test file or verify it exists in the repository. Clarify if Ginkgo tests are used in this codebase.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'AGENT-1136, AGENT-1229: Add auth to unconfigured-ignition' directly describes the main change: adding authentication support to unconfigured-ignition, which aligns with the changeset modifications across multiple files to integrate auth tokens and keys.
Stable And Deterministic Test Names	✅ Passed	This PR does not include any Ginkgo tests. The test modifications use standard Go testing patterns with static, descriptive test names.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.3)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[zaneb]

/cc @pawanpinjarkar

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@zaneb: This pull request references AGENT-1136 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references AGENT-1236 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This adds auth support to the unconfigured-ignition. This has no effect
on the appliance, because all of the relevant files are overwritten by
the config ISO when it is attached so it is the config ISO that
ultimately controls the auth settings.

However, for the interactive installer, this means that the
unconfigured-ignition generated by assisted-service will contain the
necessary keys/tokens and config to enable auth.

This change depends on openshift-assisted/assisted-installer-ui#3454

Summary by CodeRabbit

• New Features

• Enhanced authentication system with support for multiple authentication token types (agent, user, and watcher)

• Added public key authentication configuration support

• Improvements

• Simplified user authentication token handling in the agent initialization process

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@zaneb: This pull request references AGENT-1136 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references AGENT-1229 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This adds auth support to the unconfigured-ignition. This has no effect
on the appliance, because all of the relevant files are overwritten by
the config ISO when it is attached so it is the config ISO that
ultimately controls the auth settings.

However, for the interactive installer, this means that the
unconfigured-ignition generated by assisted-service will contain the
necessary keys/tokens and config to enable auth.

This change depends on openshift-assisted/assisted-installer-ui#3454

Summary by CodeRabbit

• New Features

• Enhanced authentication system with support for multiple authentication token types (agent, user, and watcher)

• Added public key authentication configuration support

• Improvements

• Simplified user authentication token handling in the agent initialization process

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign bfournie for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• data/data/agent/OWNERS
• pkg/asset/agent/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@zaneb: This pull request references AGENT-1136 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references AGENT-1229 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This adds auth support to the unconfigured-ignition. This has no effect
on the appliance, because all of the relevant files are overwritten by
the config ISO when it is attached so it is the config ISO that
ultimately controls the auth settings.

However, for the interactive installer, this means that the
unconfigured-ignition generated by assisted-service will contain the
necessary keys/tokens and config to enable auth.

This change depends on openshift-assisted/assisted-installer-ui#3454

Summary by CodeRabbit

• New Features

• Support for multiple authentication token types (agent, user, watcher)

• Public-key based authentication configuration added

• Service now exposes user auth token to the agent runtime

• Improvements

• Simplified handling of user authentication tokens during agent initialization

• Streamlined ignition generation to include auth-related fields for runtime use

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[zaneb]

/jira refresh

[openshift-ci-robot]

@zaneb: This pull request references AGENT-1136 which is a valid jira issue.

This pull request references AGENT-1229 which is a valid jira issue.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@zaneb: This pull request references AGENT-1136 which is a valid jira issue.

This pull request references AGENT-1229 which is a valid jira issue.

Details

In response to this:

This adds auth support to the unconfigured-ignition. This has no effect
on the appliance, because all of the relevant files are overwritten by
the config ISO when it is attached so it is the config ISO that
ultimately controls the auth settings.

However, for the interactive installer, this means that the
unconfigured-ignition generated by assisted-service will contain the
necessary keys/tokens and config to enable auth.

This change depends on openshift-assisted/assisted-installer-ui#3454

Summary by CodeRabbit

• New Features

• Support for multiple authentication token types (agent, user, watcher)

• Public-key based authentication configuration added

• Service unit now passes user auth token into the runtime via environment

• Improvements

• Simplified handling of user authentication tokens during agent startup

• Ignition output now includes auth-related fields for runtime use

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@zaneb: This pull request references AGENT-1136 which is a valid jira issue.

This pull request references AGENT-1229 which is a valid jira issue.

Details

In response to this:

This adds auth support to the unconfigured-ignition. This has no effect
on the appliance, because all of the relevant files are overwritten by
the config ISO when it is attached so it is the config ISO that
ultimately controls the auth settings.

However, for the interactive installer, this means that the
unconfigured-ignition generated by assisted-service will contain the
necessary keys/tokens and config to enable auth.

This change depends on openshift-assisted/assisted-installer-ui#3454

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

pkg/asset/agent/image/ignition.go (1)

437-442: Reduce positional-argument risk in getTemplateData.

Line 438 now contributes to a long list of same-typed string args, which is brittle and easy to misorder (especially auth-related fields). Prefer a single input struct (or passing *agentTemplateData directly) to make call sites self-documenting.

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/agent/image/ignition.go` around lines 437 - 442, The
getTemplateData function currently takes many same-typed string and int
parameters which is brittle; refactor it to accept a single parameter (either a
pointer to agentTemplateData or a new input struct) instead of the long
positional list so call sites become self-documenting and order-safe; update the
getTemplateData signature (replace the long parameter list including name,
pullSecret, releaseImageList, releaseImage, releaseImageMirror,
publicContainerRegistries, imageTypeISO, infraEnvID, publicKey, authType,
agentAuthToken, userAuthToken, watcherAuthToken, caBundleMount,
haveMirrorConfig, numMasters, numArbiters, numWorkers, osImage, proxy) to take
*agentTemplateData (or a dedicated struct), adapt all callers to construct and
pass that struct, and ensure any field-level validation or defaults previously
done inside getTemplateData are preserved after the change.

pkg/asset/agent/image/unconfigured_ignition_test.go (1)

100-100: Add content assertions for auth output, not only dependency wiring.

Line 100 adds gencrypto.AuthConfig, but this test still mainly checks file existence. Add assertions for auth-bearing output (for example /etc/assisted/rendezvous-host.env.template containing USER_AUTH_TOKEN and PULL_SECRET_TOKEN) so auth regressions are caught directly.

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/agent/image/unconfigured_ignition_test.go` at line 100, The test
currently only asserts dependency wiring when adding gencrypto.AuthConfig;
extend it to assert the generated auth-bearing output contents as well by
reading the produced template file (e.g., the
`/etc/assisted/rendezvous-host.env.template` artifact created by the test) and
asserting it contains the expected tokens/keys such as `USER_AUTH_TOKEN` and
`PULL_SECRET_TOKEN`. Update the test that references gencrypto.AuthConfig in
unconfigured_ignition_test.go to open the created asset (use the same
helper/variable that locates produced files in that test), assert the file
exists, then assert its contents include those exact substrings so auth
regressions are caught. Ensure assertions reference the test helper/variable
names already used in the file to locate the output file.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/asset/agent/image/unconfigured_ignition.go`:
- Around line 166-170: The template data includes sensitive bearer tokens
(AgentAuthToken, UserAuthToken, WatcherAuthToken) which are then written to
/etc/assisted/rendezvous-host.env.template and /etc/assisted/rendezvous-host.env
with mode 0644; update the file write operations to use stricter permissions
(e.g., 0600 or 0640 depending on group requirements) so only the owner (and
optionally group) can read them, and ensure any helper that creates these files
or calls os.WriteFile / io.Write* sets the new mode consistently for both the
template and final file; change permission constants where
rendezvous-host.env.template and rendezvous-host.env are created/closed and add
a comment noting sensitive content handling.

---

Nitpick comments:
In `@pkg/asset/agent/image/ignition.go`:
- Around line 437-442: The getTemplateData function currently takes many
same-typed string and int parameters which is brittle; refactor it to accept a
single parameter (either a pointer to agentTemplateData or a new input struct)
instead of the long positional list so call sites become self-documenting and
order-safe; update the getTemplateData signature (replace the long parameter
list including name, pullSecret, releaseImageList, releaseImage,
releaseImageMirror, publicContainerRegistries, imageTypeISO, infraEnvID,
publicKey, authType, agentAuthToken, userAuthToken, watcherAuthToken,
caBundleMount, haveMirrorConfig, numMasters, numArbiters, numWorkers, osImage,
proxy) to take *agentTemplateData (or a dedicated struct), adapt all callers to
construct and pass that struct, and ensure any field-level validation or
defaults previously done inside getTemplateData are preserved after the change.

In `@pkg/asset/agent/image/unconfigured_ignition_test.go`:
- Line 100: The test currently only asserts dependency wiring when adding
gencrypto.AuthConfig; extend it to assert the generated auth-bearing output
contents as well by reading the produced template file (e.g., the
`/etc/assisted/rendezvous-host.env.template` artifact created by the test) and
asserting it contains the expected tokens/keys such as `USER_AUTH_TOKEN` and
`PULL_SECRET_TOKEN`. Update the test that references gencrypto.AuthConfig in
unconfigured_ignition_test.go to open the created asset (use the same
helper/variable that locates produced files in that test), assert the file
exists, then assert its contents include those exact substrings so auth
regressions are caught. Ensure assertions reference the test helper/variable
names already used in the file to locate the output file.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3b458534-d808-4a2e-afa9-9476ce15db22

📥 Commits

Reviewing files that changed from the base of the PR and between bda1e88 and 351ef05.

📒 Files selected for processing (5)

• data/data/agent/systemd/units/agent-ui.service.template
• pkg/asset/agent/image/ignition.go
• pkg/asset/agent/image/ignition_test.go
• pkg/asset/agent/image/unconfigured_ignition.go
• pkg/asset/agent/image/unconfigured_ignition_test.go