AGENT-875: Authenticate agents

[pawanpinjarkar]

• Set JWT token in the expected env var AGENT_AUTH_TOKEN
• Set authorization header in the API requests

[openshift-ci-robot]

@pawanpinjarkar: This pull request references AGENT-875 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.16.0" version, but no target version was set.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[pawanpinjarkar]

/hold

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from pawanpinjarkar. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• data/data/agent/OWNERS
• pkg/asset/agent/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@pawanpinjarkar: This pull request references AGENT-875 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.16.0" version, but no target version was set.

In response to this:

• Set JWT token in the expected env var PULL_SECRET_TOKEN
• Set authorization header in the API requests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pawanpinjarkar]

/hold cancel

[pawanpinjarkar]

/cc @rwsu @andfasano

[pawanpinjarkar]

@rwsu WDYT? I think the token will be needed for the nodes making API requests to assisted service once the new auth type is enabled.

[zaneb]

I don't think it's required here because both services already include rendezvous-host.env where you already added it above.

[zaneb]

This currently results in the same token being used for both the agents and the scripts that drive the assisted API. I can't remember what we said about how we would do authz in the future, but maybe it makes sense to pass them separately even if they have the same value right now.
I guess that would also solve the issue that "PULL_SECRET_TOKEN" is not the ideal name from assisted-service's perspective, bit is required for assisted-installer-agent.

[pawanpinjarkar]

yes, its been renamed to AGENT_AUTH_TOKEN

[openshift-ci-robot]

@pawanpinjarkar: This pull request references AGENT-875 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.16.0" version, but no target version was set.

In response to this:

• Set JWT token in the expected env var AGENT_AUTH_TOKEN
• Set authorization header in the API requests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pawanpinjarkar]

To test the authentication feature, this and other code changes from relevant PRs need to work together.
Please note, this PR only adds the code necessary to authenticate agent service, however, the complete functionality to work end to end depends on below PRs

• AGENT-869: Implement a new auth type for ABI  assisted-service#6174
• AGENT-876: Authenticate systemd services and curl requests #8393
• AGENT-875: Authenticate agents #8395

And most importantly, updating the auth type env var

• AGENT-870: Update AUTH_TYPE #8108

[openshift-ci]

@pawanpinjarkar: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-agent-compact-ipv4-appliance	779715e	link	false	/test e2e-agent-compact-ipv4-appliance
ci/prow/e2e-vsphere-ovn-upi	4fe147f	link	true	/test e2e-vsphere-ovn-upi
ci/prow/okd-e2e-agent-compact-ipv4	c23a3f5	link	false	/test okd-e2e-agent-compact-ipv4

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.