AGENT-1136, AGENT-1229: Add auth to unconfigured-ignition #10381

Draft
zaneb wants to merge 3 commits into openshift:main from zaneb:unconfigured-ignition-auth
Conversation

zaneb (Member) commented Mar 11, 2026

This adds auth support to the unconfigured-ignition. This has no effect
on the appliance, because all of the relevant files are overwritten by
the config ISO when it is attached so it is the config ISO that
ultimately controls the auth settings.

However, for the interactive installer, this means that the
unconfigured-ignition generated by assisted-service will contain the
necessary keys/tokens and config to enable auth.

This change depends on openshift-assisted/assisted-installer-ui#3454

Summary by CodeRabbit

  • New Features

    • Support for multiple authentication token types (agent, user, watcher)
    • Public-key based authentication configuration added
    • Service unit now passes user auth token into the runtime via environment
  • Improvements

    • Simplified handling of user authentication tokens during agent startup
    • Ignition output now includes auth-related fields for runtime use

openshift-ci-robot (Contributor) commented Mar 11, 2026

@zaneb: This pull request references AGENT-1136 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references AGENT-1236 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) Mar 11, 2026

openshift-ci bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Mar 11, 2026

coderabbitai bot commented Mar 11, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 8a341bd and bda1e88.

📒 Files selected for processing (4)
  • data/data/agent/systemd/units/agent-ui.service.template
  • pkg/asset/agent/image/ignition.go
  • pkg/asset/agent/image/unconfigured_ignition.go
  • pkg/asset/agent/image/unconfigured_ignition_test.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • pkg/asset/agent/image/unconfigured_ignition_test.go
  • pkg/asset/agent/image/ignition.go

Walkthrough

Removed TokenExpiry from ignition template data and getTemplateData; introduced gencrypto.AuthConfig to supply PublicKeyPEM, AgentAuthToken, UserAuthToken, WatcherAuthToken, and AuthType for agent template data; updated the agent UI systemd unit template to pass USER_AUTH_TOKEN into the podman run environment.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Systemd Unit Configuration: data/data/agent/systemd/units/agent-ui.service.template | Reordered how environment variables are passed to podman run and added USER_AUTH_TOKEN as an environment variable provided to the container (ExecStart adjusted accordingly). |
| Ignition Template Core: pkg/asset/agent/image/ignition.go | Removed TokenExpiry from agentTemplateData and removed the tokenExpiry/authTokenExpiry parameter from getTemplateData; call sites updated to match the new signature. |
| Unconfigured Ignition Asset & Tests: pkg/asset/agent/image/unconfigured_ignition.go, pkg/asset/agent/image/unconfigured_ignition_test.go | Added dependency on gencrypto.AuthConfig; populated new template fields PublicKeyPEM, AgentAuthToken, UserAuthToken, WatcherAuthToken, and AuthType from authConfig; tests updated to include the new dependency. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Test Structure And Quality | ❓ Inconclusive | Test file mentioned in PR summary (unconfigured_ignition_test.go) cannot be located or examined in the repository to verify Ginkgo test quality requirements. | Provide access to the test file or verify it exists in the repository. Clarify if Ginkgo tests are used in this codebase. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'AGENT-1136, AGENT-1229: Add auth to unconfigured-ignition' directly describes the main change: adding authentication support to unconfigured-ignition, which aligns with the changeset modifications across multiple files to integrate auth tokens and keys. |
| Stable And Deterministic Test Names | ✅ Passed | This PR does not include any Ginkgo tests. The test modifications use standard Go testing patterns with static, descriptive test names. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions



zaneb (Member, Author) commented Mar 11, 2026

/cc @pawanpinjarkar

openshift-ci bot (Contributor) commented Mar 11, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci bot requested a review from pawanpinjarkar on March 11, 2026 08:26

openshift-ci-robot (Contributor) commented Mar 11, 2026

@zaneb: This pull request references AGENT-1136 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references AGENT-1236 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

zaneb force-pushed the unconfigured-ignition-auth branch from ddd11e4 to 8a341bd on March 11, 2026 08:28

zaneb changed the title from "AGENT-1136, AGENT-1236: Add auth to unconfigured-ignition" to "AGENT-1136, AGENT-1229: Add auth to unconfigured-ignition" on Mar 11, 2026

openshift-ci-robot (Contributor) commented Mar 11, 2026

@zaneb: This pull request references AGENT-1136 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references AGENT-1229 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

openshift-ci bot (Contributor) commented Mar 11, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign bfournie for approval. For more information see the Code Review Process.

openshift-ci-robot (Contributor) commented Mar 11, 2026

@zaneb: This pull request references AGENT-1136 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references AGENT-1229 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

zaneb added 3 commits March 12, 2026 10:31
The UI can use this token to authenticate to the assisted-service API.
This adds auth support to the unconfigured-ignition. This has no effect
on the appliance, because all of the relevant files are overwritten by
the config ISO when it is attached so it is the config ISO that
ultimately controls the auth settings.

However, for the interactive installer, this means that the
unconfigured-ignition generated by assisted-service will contain the
necessary keys/tokens and config to enable auth.

zaneb force-pushed the unconfigured-ignition-auth branch from 8a341bd to bda1e88 on March 11, 2026 21:32

zaneb (Member, Author) commented Mar 11, 2026

/jira refresh

openshift-ci-robot (Contributor) commented Mar 11, 2026

@zaneb: This pull request references AGENT-1136 which is a valid jira issue.

This pull request references AGENT-1229 which is a valid jira issue.

In response to this:

/jira refresh

openshift-ci-robot (Contributor) commented Mar 11, 2026

@zaneb: This pull request references AGENT-1136 which is a valid jira issue.

This pull request references AGENT-1229 which is a valid jira issue.
