Description
During installation, MCO does not create /var/home/core/.ssh/authorized_keys, which should have the ignition bootstrap key in it. This prevents core from logging into the server if #2087 is enabled, as reading authorized_keys.d is disabled. If #2087 is disabled, login succeeds, as authorized_keys.d is read and the ignition key is available.
Steps to reproduce the issue:
Install OKD 4.7
Describe the results you received:
Unable to SSH into the server after installation. If I manually create the authorized_keys file, I can log in successfully.
Describe the results you expected:
Successful SSH into servers.
Additional information you deem important (e.g. issue happens only occasionally):
[root@os-utils-d02 qa-4.7]# oc get mc
NAME                                              GENERATEDBYCONTROLLER                     IGNITIONVERSION  AGE
00-master                                         451aa6521d737f849302a98fae2dff213a99eff4  3.2.0            15h
00-worker                                         451aa6521d737f849302a98fae2dff213a99eff4  3.2.0            15h
01-master-container-runtime                       451aa6521d737f849302a98fae2dff213a99eff4  3.2.0            15h
01-master-kubelet                                 451aa6521d737f849302a98fae2dff213a99eff4  3.2.0            15h
01-worker-container-runtime                       451aa6521d737f849302a98fae2dff213a99eff4  3.2.0            15h
01-worker-kubelet                                 451aa6521d737f849302a98fae2dff213a99eff4  3.2.0            15h
99-master-generated-registries                    451aa6521d737f849302a98fae2dff213a99eff4  3.2.0            15h
99-master-okd-extensions                                                                    3.1.0            15h
99-master-ssh                                                                               3.1.0            15h
99-okd-master-disable-mitigations                                                           3.1.0            15h
99-okd-worker-disable-mitigations                                                           3.1.0            15h
99-worker-generated-registries                    451aa6521d737f849302a98fae2dff213a99eff4  3.2.0            15h
99-worker-okd-extensions                                                                    3.1.0            15h
99-worker-ssh                                                                               3.1.0            15h
rendered-master-24161f6ba4983107f6f1799baa94a8c3  451aa6521d737f849302a98fae2dff213a99eff4  3.2.0            15h
rendered-worker-7cfc5c07b9d03981cbf576692ff98026  451aa6521d737f849302a98fae2dff213a99eff4  3.2.0            15h
Interestingly enough, the rendered-master and rendered-worker have the 99-master-ssh and 99-worker-ssh embedded in them as expected.
If I update 99-master-ssh with a new or additional key, the MCO reconciles the change and generates a proper authorized_keys file.
Output of oc adm release info --commits | grep machine-config-operator:
Unfortunately, I'm using a custom 4.7 MCO because of the DNS issues in 4.7.
However, as it also fails in 4.6:
machine-config-operator https://github.com/openshift/machine-config-operator eb9778355a9020673e8ce9aee092cb98d80cde5e
Additional environment details (platform, options, etc.):
OKD 4.7 vSphere IPI
must-gather logs from clean OKD 4.7 install
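A node-side check for the condition reported above, added here as an example and not part of the original issue or of MCO: it classifies whether a user's SSH keys sit in the flat authorized_keys file or only in authorized_keys.d, and whether that leaves the user locked out when authorized_keys.d is not read. The function names, the status strings and the fragment file name `ignition` in the demo are assumptions made for illustration.

```sh
#!/bin/sh
# Added diagnostic sketch (not MCO code). Simplified model: a key counts as
# reachable if it is in ~/.ssh/authorized_keys, or in ~/.ssh/authorized_keys.d/*
# when sshd is set up to read that directory.

# count_keys FILE... -> number of non-blank, non-comment lines in existing files
count_keys() {
    total=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        n=$(grep -Ev '^[[:space:]]*(#|$)' "$f" | wc -l)
        total=$((total + n))
    done
    echo "$total"
}

# ssh_key_status HOME_DIR READ_FRAGMENTS(yes|no)
# prints: ok-flat | ok-fragments-only | locked-out | no-keys
ssh_key_status() {
    home=$1; read_fragments=$2
    flat=$(count_keys "$home/.ssh/authorized_keys")
    frag=$(count_keys "$home"/.ssh/authorized_keys.d/*)
    if [ "$flat" -gt 0 ]; then
        echo "ok-flat"
    elif [ "$frag" -gt 0 ] && [ "$read_fragments" = yes ]; then
        echo "ok-fragments-only"
    elif [ "$frag" -gt 0 ]; then
        echo "locked-out"      # key exists, but only where sshd does not look
    else
        echo "no-keys"
    fi
}

# demo: build a constructed home directory that mirrors the report
# (key only under authorized_keys.d) and print both outcomes.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/.ssh/authorized_keys.d"
    # Constructed sample key line, not a real key; file name is an assumption.
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLY core@example' \
        > "$d/.ssh/authorized_keys.d/ignition"
    echo "authorized_keys.d not read: $(ssh_key_status "$d" no)"
    echo "authorized_keys.d read:     $(ssh_key_status "$d" yes)"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a node, `ssh_key_status /var/home/core no` reporting `locked-out` matches the state described in this issue.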