Generate an ignition-auth key and provide it to the MCS

This is an optional hardening for access to Ignition; the installer
generates a random key (separately for master/worker pool) and installs
it into the `openshift-machine-config-operator` namespace.  If the MCS
finds an `ignition-auth` secret with the `master/worker` keys, it will use it:
openshift/machine-config-operator#736

This PR just generates those secrets, so we can land it before the
MCO PR as well.

data/data/manifests/bootkube/openshift-config-secret-ignition-auth.yaml.template

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  namespace: openshift-machine-config-operator
+  name: ignition-auth
+data:
+  master: {{.IgnitionAuthMasterBase64}}
+  worker: {{.IgnitionAuthWorkerBase64}}

pkg/asset/ignition/machine/master.go

@@ -28,6 +28,7 @@ var _ asset.WritableAsset = (*Master)(nil)
 func (a *Master) Dependencies() []asset.Asset {
 	return []asset.Asset{
 		&installconfig.InstallConfig{},
+		&installconfig.IgnitionAuth{},
 		&tls.RootCA{},
 	}
 }
@@ -36,9 +37,10 @@ func (a *Master) Dependencies() []asset.Asset {
 func (a *Master) Generate(dependencies asset.Parents) error {
 	installConfig := &installconfig.InstallConfig{}
 	rootCA := &tls.RootCA{}
-	dependencies.Get(installConfig, rootCA)
+	ignitionAuth := &installconfig.IgnitionAuth{}
+	dependencies.Get(installConfig, rootCA, ignitionAuth)
 
-	a.Config = pointerIgnitionConfig(installConfig.Config, rootCA.Cert(), "master")
+	a.Config = pointerIgnitionConfig(installConfig.Config, rootCA.Cert(), "master", ignitionAuth.Master)
 
 	data, err := json.Marshal(a.Config)
 	if err != nil {

pkg/asset/ignition/machine/node.go

@@ -12,18 +12,20 @@ import (
 
 // pointerIgnitionConfig generates a config which references the remote config
 // served by the machine config server.
-func pointerIgnitionConfig(installConfig *types.InstallConfig, rootCA []byte, role string) *ignition.Config {
+func pointerIgnitionConfig(installConfig *types.InstallConfig, rootCA []byte, role, auth string) *ignition.Config {
+	authURL := url.URL{
+		Scheme: "https",
+		Host:   fmt.Sprintf("api-int.%s:22623", installConfig.ClusterDomain()),
+		Path:   fmt.Sprintf("/config/%s", role),
+	}
+	authURL.Query().Set("auth", auth)
 	return &ignition.Config{
 		Ignition: ignition.Ignition{
 			Version: ignition.MaxVersion.String(),
 			Config: ignition.IgnitionConfig{
 				Append: []ignition.ConfigReference{{
 					Source: func() *url.URL {
-						return &url.URL{
-							Scheme: "https",
-							Host:   fmt.Sprintf("api-int.%s:22623", installConfig.ClusterDomain()),
-							Path:   fmt.Sprintf("/config/%s", role),
-						}
+						return &authURL
 					}().String(),
 				}},
 			},

pkg/asset/ignition/machine/worker.go

@@ -28,6 +28,8 @@ var _ asset.WritableAsset = (*Worker)(nil)
 func (a *Worker) Dependencies() []asset.Asset {
 	return []asset.Asset{
 		&installconfig.InstallConfig{},
+		&installconfig.IgnitionAuth{},
+
 		&tls.RootCA{},
 	}
 }
@@ -36,9 +38,10 @@ func (a *Worker) Dependencies() []asset.Asset {
 func (a *Worker) Generate(dependencies asset.Parents) error {
 	installConfig := &installconfig.InstallConfig{}
 	rootCA := &tls.RootCA{}
-	dependencies.Get(installConfig, rootCA)
+	ignitionAuth := &installconfig.IgnitionAuth{}
+	dependencies.Get(installConfig, rootCA, ignitionAuth)
 
-	a.Config = pointerIgnitionConfig(installConfig.Config, rootCA.Cert(), "worker")
+	a.Config = pointerIgnitionConfig(installConfig.Config, rootCA.Cert(), "worker", ignitionAuth.Worker)
 
 	data, err := json.Marshal(a.Config)
 	if err != nil {

pkg/asset/installconfig/ignitionauth.go

@@ -0,0 +1,32 @@
+package installconfig
+
+import (
+	utilrand "k8s.io/apimachinery/pkg/util/rand"
+
+	"github.com/openshift/installer/pkg/asset"
+)
+
+// IgnitionAuth gates access to the Machine Config Server
+type IgnitionAuth struct {
+	Master string
+	Worker string
+}
+
+var _ asset.Asset = (*IgnitionAuth)(nil)
+
+// Dependencies returns nothing.
+func (a *IgnitionAuth) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Generate generates a new IgnitionAuth
+func (a *IgnitionAuth) Generate(dep asset.Parents) error {
+	a.Master = utilrand.String(64)
+	a.Worker = utilrand.String(64)
+	return nil
+}
+
+// Name returns the human-friendly name of the asset.
+func (a *IgnitionAuth) Name() string {
+	return "Ignition Auth"
+}

pkg/asset/manifests/operators.go

@@ -55,6 +55,7 @@ func (m *Manifests) Dependencies() []asset.Asset {
 	return []asset.Asset{
 		&installconfig.ClusterID{},
 		&installconfig.InstallConfig{},
+		&installconfig.IgnitionAuth{},
 		&Ingress{},
 		&DNS{},
 		&Infrastructure{},
@@ -84,6 +85,7 @@ func (m *Manifests) Dependencies() []asset.Asset {
 		&bootkube.KubeSystemConfigmapRootCA{},
 		&bootkube.MachineConfigServerTLSSecret{},
 		&bootkube.OpenshiftConfigSecretPullSecret{},
+		&bootkube.OpenshiftConfigSecretIgnitionAuth{},
 		&bootkube.OpenshiftMachineConfigOperator{},
 	}
 }
@@ -136,6 +138,7 @@ func (m *Manifests) Files() []*asset.File {
 func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*asset.File {
 	clusterID := &installconfig.ClusterID{}
 	installConfig := &installconfig.InstallConfig{}
+	ignitionAuth := &installconfig.IgnitionAuth{}
 	mcsCertKey := &tls.MCSCertKey{}
 	etcdMetricCABundle := &tls.EtcdMetricCABundle{}
 	etcdMetricSignerClientCertKey := &tls.EtcdMetricSignerClientCertKey{}
@@ -147,6 +150,7 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 	dependencies.Get(
 		clusterID,
 		installConfig,
+		ignitionAuth,
 		etcdSignerCertKey,
 		etcdCABundle,
 		etcdSignerClientCertKey,
@@ -179,6 +183,8 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 		McsTLSCert:                 base64.StdEncoding.EncodeToString(mcsCertKey.Cert()),
 		McsTLSKey:                  base64.StdEncoding.EncodeToString(mcsCertKey.Key()),
 		PullSecretBase64:           base64.StdEncoding.EncodeToString([]byte(installConfig.Config.PullSecret)),
+		IgnitionAuthMasterBase64:   base64.StdEncoding.EncodeToString([]byte(ignitionAuth.Master)),
+		IgnitionAuthWorkerBase64:   base64.StdEncoding.EncodeToString([]byte(ignitionAuth.Master)),
 		RootCaCert:                 string(rootCA.Cert()),
 	}
 
@@ -200,6 +206,7 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 		&bootkube.KubeSystemConfigmapRootCA{},
 		&bootkube.MachineConfigServerTLSSecret{},
 		&bootkube.OpenshiftConfigSecretPullSecret{},
+		&bootkube.OpenshiftConfigSecretIgnitionAuth{},
 		&bootkube.OpenshiftMachineConfigOperator{},
 	} {
 		dependencies.Get(a)

pkg/asset/manifests/template.go

@@ -53,6 +53,8 @@ type bootkubeTemplateData struct {
 	McsTLSCert                 string
 	McsTLSKey                  string
 	PullSecretBase64           string
+	IgnitionAuthMasterBase64   string
+	IgnitionAuthWorkerBase64   string
 	RootCaCert                 string
 	WorkerIgnConfig            string
 }

pkg/asset/targets/targets.go

@@ -46,6 +46,7 @@ var (
 		&bootkube.EtcdMetricSignerSecret{},
 		&bootkube.EtcdMetricServingCAConfigMap{},
 		&bootkube.OpenshiftConfigSecretPullSecret{},
+		&bootkube.OpenshiftConfigSecretIgnitionAuth{},
 		&openshift.BindingDiscovery{},
 		&openshift.CloudCredsSecret{},
 		&openshift.KubeadminPasswordSecret{},

pkg/asset/templates/content/bootkube/ignition-auth.go

@@ -0,0 +1,64 @@
+package bootkube
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+	openshiftConfigSecretIgnitionAuthFileName = "openshift-config-secret-ignition-auth.yaml.template"
+)
+
+var _ asset.WritableAsset = (*OpenshiftConfigSecretIgnitionAuth)(nil)
+
+// OpenshiftConfigSecretIgnitionAuth is the constant to represent contents of openshift-config-secret-ignition-auth.yaml.template file.
+type OpenshiftConfigSecretIgnitionAuth struct {
+	FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *OpenshiftConfigSecretIgnitionAuth) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *OpenshiftConfigSecretIgnitionAuth) Name() string {
+	return "OpenshiftConfigSecretIgnitionAuth"
+}
+
+// Generate generates the actual files by this asset
+func (t *OpenshiftConfigSecretIgnitionAuth) Generate(parents asset.Parents) error {
+	fileName := openshiftConfigSecretIgnitionAuthFileName
+	data, err := content.GetBootkubeTemplate(fileName)
+	if err != nil {
+		return err
+	}
+	t.FileList = []*asset.File{
+		{
+			Filename: filepath.Join(content.TemplateDir, fileName),
+			Data:     []byte(data),
+		},
+	}
+	return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *OpenshiftConfigSecretIgnitionAuth) Files() []*asset.File {
+	return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *OpenshiftConfigSecretIgnitionAuth) Load(f asset.FileFetcher) (bool, error) {
+	file, err := f.FetchByName(filepath.Join(content.TemplateDir, openshiftConfigSecretIgnitionAuthFileName))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	t.FileList = []*asset.File{file}
+	return true, nil
+}