OCPBUGS-16227: add Passwd to bootstrap served ignition

[cdoern]

This ensures that the first nodes always know about core, and the authorized ssh keys.

New nodes should get the full passwd config since it is now in the data the MCS serves via the appenders.

now, all machineConfigs should have the core user (even firstboot) and all scaled nodes should have a filled /home/core/.ssh/authorized_keys.d/ignition

[openshift-ci-robot]

@cdoern: This pull request references Jira Issue OCPBUGS-16227, which is invalid:

• expected the bug to target the "4.14.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This ensures that the first nodes always know about core, and the authorized ssh keys.

New nodes should get the full passwd config since it is now in the data the MCS serves via the appenders.

now, all machineConfigs should have the core user (even firstboot) and all scaled nodes should have a filled /home/core/.ssh/authorized_keys.d/ignition

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[cdoern]

/jira refresh

[openshift-ci-robot]

@cdoern: This pull request references Jira Issue OCPBUGS-16227, which is invalid:

• expected the bug to target the "4.14.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[cdoern]

/jira refresh

[openshift-ci-robot]

@cdoern: This pull request references Jira Issue OCPBUGS-16227, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.14.0) matches configured target version for branch (4.14.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[cdoern]

/retest-required

[cdoern]

/test e2e-aws-ovn

[cdoern]

/test e2e-aws-ovn-upgrade

[cdoern]

/test e2e-gcp-op

[sergiordlr]

Verified using IPI on AWS:

Steps:

1. Scale up a machineset

$ oc scale machineset $(oc get -n openshift-machine-api machineset -ojsonpath="{.items[0].metadata.name}") --replicas 2
machineset.machine.openshift.io/sregidor-sshsc2-lkhq4-worker-us-east-2a scaled

2. Wait until the new worker is added

$ oc get nodes
NAME STATUS ROLES AGE VERSION
.....
ip-10-0-55-5.us-east-2.compute.internal Ready worker 83s v1.27.3+4aaeaec
.........

3. Verify that the new worker has the right ssh key value in .ssh

$ oc debug  node/$(oc get nodes -l node-role.kubernetes.io/worker -ojsonpath="{.items[-1].metadata.name}" --sort-by .metadata.creationTimestamp) -- chroot /host cat /home/core/.ssh/authorized_keys.d/ignition
Starting pod/ip-10-0-55-5us-east-2computeinternal-debug-nptgg ...
To use host binaries, run `chroot /host`
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWkwurd.......

Removing debug pod ...

The following test cases were executed and passed:

passed: (5m46s) 2023-07-26T10:23:03 "[sig-mco] MCO password Author:sregidor-NonPreRelease-High-59426-ssh keys can be updated in new dir on RHCOS9 node[Disruptive] [Serial]"
passed: (26m38s) 2023-07-26T10:49:41 "[sig-mco] MCO scale Author:sregidor-NonPreRelease-High-52822-Create new config resources with 2.2.0 ignition boot image nodes [Disruptive] [Serial]"
passed: (10m33s) 2023-07-26T11:00:14 "[sig-mco] MCO scale Author:sregidor-NonHyperShiftHOST-NonPreRelease-LongDuration-High-63894-Scaleup using 4.1 cloud image[Disruptive] [Serial]"
passed: (2m59s) 2023-07-26T11:03:13 "[sig-mco] MCO password Author:sregidor-NonPreRelease-Medium-59900-Create a password for a user different from 'core' user[Disruptive] [Serial]"
passed: (7m43s) 2023-07-26T11:10:56 "[sig-mco] MCO password Author:sregidor-NonPreRelease-High-59417-MCD create/update password with MachineConfig in CoreOS nodes[Disruptive] [Serial]"
passed: (2m3s) 2023-07-26T11:13:10 "[sig-mco] MCO password Author:sregidor-NonPreRelease-High-59424-ssh keys can be found in new dir on RHCOS9 node [Disruptive] [Serial]"
passed: (4m43s) 2023-07-26T11:17:52 "[sig-mco] MCO password Author:sregidor-NonPreRelease-Medium-64986-Remove all ssh keys [Disruptive] [Serial]"
passed: (4m21s) 2023-07-26T11:22:14 "[sig-mco] MCO password Author:sregidor-NonPreRelease-Medium-62533-Passwd login must not work with ssh[Disruptive] [Serial]"
passed: (9m15s) 2023-07-26T11:37:45 "[sig-mco] MCO password Author:sregidor-NonPreRelease-High-60129-MCD create/update password with MachineConfig in RHEL nodes[Disruptive] [Serial]"

We can add the qe-approved label

/label qe-approved

[cdoern]

/test e2e-aws-ovn

[cdoern]

/retest-required

[cdoern]

/test e2e-aws-ovn

[cdoern]

/test e2e-aws-ovn

[cdoern]

/retest-required

[sinnykumari]

Thanks Charlie for fixing this.
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cdoern, sinnykumari

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [cdoern,sinnykumari]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@cdoern: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	21e9a64	link	false	/test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

@cdoern: Jira Issue OCPBUGS-16227: All pull requests linked via external trackers have merged:

• openshift/machine-config-operator#3811

Jira Issue OCPBUGS-16227 has been moved to the MODIFIED state.

In response to this:

This ensures that the first nodes always know about core, and the authorized ssh keys.

New nodes should get the full passwd config since it is now in the data the MCS serves via the appenders.

now, all machineConfigs should have the core user (even firstboot) and all scaled nodes should have a filled /home/core/.ssh/authorized_keys.d/ignition

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.