Revert "templates: Disable SSH keys lookup from authorized_keys.d" #2283

Closed
LorbusChris wants to merge 1 commit into openshift:master from LorbusChris:revert-2087

@LorbusChris
Contributor

This reverts commit 5ed6fa3.

Not having SSH access to the bootstrap node/before MCO starts successfully on OKD is hindering the ability to debug installation related failures immensely.

We'll need to find another way to solve this properly.
/cc @bgilbert

@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: LorbusChris
To complete the pull request process, please assign sinnykumari after the PR has been reviewed.
You can assign the PR to them by writing /assign @sinnykumari in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@LorbusChris
Contributor Author

/test okd-e2e-gcp-op

@openshift-merge-robot
Contributor

@LorbusChris: The following tests failed, say /retest to rerun all failed tests:

| Test name | Commit | Details | Rerun command |
| --- | --- | --- | --- |
| ci/prow/okd-e2e-aws | 300ac27 | link | /test okd-e2e-aws |
| ci/prow/e2e-agnostic-upgrade | 300ac27 | link | /test e2e-agnostic-upgrade |
| ci/prow/okd-e2e-gcp-op | 300ac27 | link | /test okd-e2e-gcp-op |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@cgwalters
Member

Didn't we agree there's an important security issue being fixed by that change? I think we need a plan other than just reverting.

I don't fully understand the problem here honestly - actually, how can the MCO affect SSH access to the bootstrap? Isn't all the Ignition for that generated by the installer?

Would it somehow address the problem to move writing this file into the MCD-as-daemonset logic instead of Ignition?

@LorbusChris
Contributor Author

@cgwalters the MCO doesn't affect the bootstrap node - it's just that we do not currently have SSH access to any node before MCO starts to manage the key, as Ignition on FCOS writes it to authorized_keys.d which is now disabled.
Only the MCO will write it to authorized_keys where it can then be looked up by SSH.

@LorbusChris
Contributor Author

I wonder, how is ignition configured on RHCOS to write to authorized_keys instead of authorized_keys.d, and could we configure it to do the same on OKD's FCOS?

@bgilbert
Contributor

bgilbert commented Dec 4, 2020

I think @cgwalters's point is that authorized_keys.d is only disabled because of the MCO template being removed by this PR, and that template isn't applied on the bootstrap node.

Ignition on RHCOS writes to authorized_keys because of a compile-time flag in the Ignition RHCOS package.

@LorbusChris
Contributor Author

LorbusChris commented Dec 4, 2020

> I think @cgwalters's point is that authorized_keys.d is only disabled because of the MCO template being removed by this PR, and that template isn't applied on the bootstrap node.

oh that's right 🤦‍♂️, I'll close this PR.

> Ignition on RHCOS writes to authorized_keys because of a compile-time flag in the Ignition RHCOS package.

@bgilbert does Ignition have any runtime config options? Could we make this into one?

LorbusChris closed this Dec 4, 2020

@bgilbert
Contributor

bgilbert commented Dec 4, 2020

> does Ignition have any runtime config options? Could we make this into one?

We generally avoid them, and there's very little opportunity to invoke one anyway, since the initramfs environment is mostly not customizable by the user. Perhaps we should revisit writing the sshd_config fragment after Ignition runs.
