From 9e099a636e82f2c18f054714a3fe5a9bda642151 Mon Sep 17 00:00:00 2001
From: Zane Bitter
Date: Wed, 11 Mar 2026 17:17:43 +1300
Subject: [PATCH 1/3] Remove unused template field
---
 pkg/asset/agent/image/ignition.go | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/pkg/asset/agent/image/ignition.go b/pkg/asset/agent/image/ignition.go
index ae0f6c0991..3db06763af 100644
--- a/pkg/asset/agent/image/ignition.go
+++ b/pkg/asset/agent/image/ignition.go
@@ -84,7 +84,6 @@ type agentTemplateData struct {
 AgentAuthToken string
 UserAuthToken string
 WatcherAuthToken string
- TokenExpiry string
 AuthType string
 CaBundleMount string
 DisableImagePolicy bool
@@ -291,7 +290,6 @@ func (a *Ignition) Generate(ctx context.Context, dependencies asset.Parents) err
 authConfig.AgentAuthToken,
 authConfig.UserAuthToken,
 authConfig.WatcherAuthToken,
- authConfig.AuthTokenExpiry,
 caBundleMount,
 len(registriesConfig.MirrorConfig) > 0,
 numMasters, numArbiters, numWorkers,
@@ -437,7 +435,7 @@ func shouldDisableImagePolicy() bool {
 }
 func getTemplateData(name, pullSecret, releaseImageList, releaseImage, releaseImageMirror, publicContainerRegistries,
- imageTypeISO, infraEnvID, publicKey, authType, agentAuthToken, userAuthToken, watcherAuthToken, tokenExpiry, caBundleMount string,
+ imageTypeISO, infraEnvID, publicKey, authType, agentAuthToken, userAuthToken, watcherAuthToken, caBundleMount string,
 haveMirrorConfig bool,
 numMasters, numArbiters, numWorkers int,
 osImage *models.OsImage,
@@ -463,7 +461,6 @@ func getTemplateData(name, pullSecret, releaseImageList, releaseImage, releaseIm
 AgentAuthToken: agentAuthToken,
 UserAuthToken: userAuthToken,
 WatcherAuthToken: watcherAuthToken,
- TokenExpiry: tokenExpiry,
 CaBundleMount: caBundleMount,
 DisableImagePolicy: shouldDisableImagePolicy(),
 }
From 46e566ed0d7bced34a6baf5d5ff60f92b2e98f76 Mon Sep 17 00:00:00 2001
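Review bot: In the `@@ -437,7 +435,7 @@` hunk, `getTemplateData` still takes fourteen consecutive positional `string` parameters, three of them auth tokens (`agentAuthToken, userAuthToken, watcherAuthToken`), so a transposed argument at the call site in `Generate` compiles cleanly and would give one role's token to another. Dropping `tokenExpiry` from the middle of the list is caught by the compiler only because the arity changes; a same-arity edit would not be. Consider passing the auth values as one struct argument, or at least add a doc comment on the function stating the required order of the three tokens. The function body lies mostly outside this hunk.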
From: Zane Bitter
Date: Wed, 11 Mar 2026 17:50:36 +1300
Subject: [PATCH 2/3] AGENT-1136: Pass auth token to UI
The UI can use this token to authenticate to the assisted-service API.
---
 data/data/agent/systemd/units/agent-ui.service.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/data/agent/systemd/units/agent-ui.service.template b/data/data/agent/systemd/units/agent-ui.service.template
index 9e51ff14a7..fa2ee87618 100644
--- a/data/data/agent/systemd/units/agent-ui.service.template
+++ b/data/data/agent/systemd/units/agent-ui.service.template
@@ -13,7 +13,7 @@ EnvironmentFile=/etc/assisted/rendezvous-host.env
 Restart=on-failure
 ExecStartPre=/bin/rm -f %t/%n.ctr-id
 ExecStartPre=/usr/local/bin/wait-for-assisted-service.sh
-ExecStart=/usr/bin/podman run --sdnotify=conmon --net host --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --rm --pod-id-file=%t/assisted-service-pod.pod-id --replace -d --name=agent-installer-ui --env AIUI_APP_API_URL $INSTALLER_UI_IMAGE
+ExecStart=/usr/bin/podman run --sdnotify=conmon --net host --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --rm --pod-id-file=%t/assisted-service-pod.pod-id --replace -d --name=agent-installer-ui --env AIUI_APP_API_URL --env USER_AUTH_TOKEN $INSTALLER_UI_IMAGE
 ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
 ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
From bda1e889f6ff1ec33a8dd8f140d603ccb1734b02 Mon Sep 17 00:00:00 2001
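Review bot: The added `--env USER_AUTH_TOKEN` on the ExecStart line gives the user-level API token to the UI container as a plain environment variable, so it is readable through `podman inspect` and the container's process environment on the host. Nothing in this hunk shows where the unit obtains the value (presumably the `EnvironmentFile` named in the hunk header, to be confirmed). Podman sets a name-only `--env` variable only when it exists in the caller's environment, so a missing value starts the UI without a token instead of failing the unit. A comment above ExecStart such as `# USER_AUTH_TOKEN comes from rendezvous-host.env; the UI must keep it server-side` would record the trust assumption, which matters because the container runs with `--net host`. If the environment exposure is a concern, `podman run --secret` or a mounted file with restrictive permissions avoids it.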
From: Zane Bitter
Date: Mon, 22 Sep 2025 16:00:52 +1200
Subject: [PATCH 3/3] AGENT-1229: Add auth to unconfigured-ignition
This adds auth support to the unconfigured-ignition. This has no effect on the appliance, because all of the relevant files are overwritten by the config ISO when it is attached so it is the config ISO that ultimately controls the auth settings. However, for the interactive installer, this means that the unconfigured-ignition generated by assisted-service will contain the necessary keys/tokens and config to enable auth.
---
 pkg/asset/agent/image/unconfigured_ignition.go | 11 +++++++++--
 pkg/asset/agent/image/unconfigured_ignition_test.go | 2 ++
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/pkg/asset/agent/image/unconfigured_ignition.go b/pkg/asset/agent/image/unconfigured_ignition.go
index 6ed9e20014..d5976e0ce8 100644
--- a/pkg/asset/agent/image/unconfigured_ignition.go
+++ b/pkg/asset/agent/image/unconfigured_ignition.go
@@ -17,6 +17,7 @@ import (
 "github.com/openshift/installer/pkg/asset"
 "github.com/openshift/installer/pkg/asset/agent/agentconfig"
 "github.com/openshift/installer/pkg/asset/agent/common"
+ "github.com/openshift/installer/pkg/asset/agent/gencrypto"
 "github.com/openshift/installer/pkg/asset/agent/manifests"
 "github.com/openshift/installer/pkg/asset/agent/workflow"
 "github.com/openshift/installer/pkg/asset/ignition"
@@ -83,6 +84,7 @@ func (a *UnconfiguredIgnition) Dependencies() []asset.Asset {
 &manifests.AgentPullSecret{},
 &manifests.ClusterImageSet{},
 &manifests.NMStateConfig{},
+ &gencrypto.AuthConfig{},
 &common.InfraEnvID{},
 }
 }
@@ -98,7 +100,8 @@ func (a *UnconfiguredIgnition) Generate(ctx context.Context, dependencies asset.
 pullSecretAsset := &manifests.AgentPullSecret{}
 nmStateConfigs := &manifests.NMStateConfig{}
 agentConfig := &agentconfig.AgentConfig{}
- dependencies.Get(agentWorkflow, infraEnvAsset, clusterImageSetAsset, pullSecretAsset, nmStateConfigs, infraEnvIDAsset, agentConfig)
+ authConfig := &gencrypto.AuthConfig{}
+ dependencies.Get(agentWorkflow, infraEnvAsset, clusterImageSetAsset, pullSecretAsset, nmStateConfigs, infraEnvIDAsset, agentConfig, authConfig)
 if agentWorkflow.Workflow != workflow.AgentWorkflowTypeInstall {
 return fmt.Errorf("AgentWorkflowType value not supported: %s", agentWorkflow.Workflow)
@@ -160,7 +163,11 @@ func (a *UnconfiguredIgnition) Generate(ctx context.Context, dependencies asset.
 InfraEnvID: infraEnvID,
 OSImage: osImage,
 Proxy: infraEnv.Spec.Proxy,
- AuthType: "none",
+ PublicKeyPEM: authConfig.PublicKey,
+ AgentAuthToken: authConfig.AgentAuthToken,
+ UserAuthToken: authConfig.UserAuthToken,
+ WatcherAuthToken: authConfig.WatcherAuthToken,
+ AuthType: authConfig.AuthType,
 DisableImagePolicy: shouldDisableImagePolicy(),
 }
diff --git a/pkg/asset/agent/image/unconfigured_ignition_test.go b/pkg/asset/agent/image/unconfigured_ignition_test.go
index 858c62fc73..ce31f01459 100644
--- a/pkg/asset/agent/image/unconfigured_ignition_test.go
+++ b/pkg/asset/agent/image/unconfigured_ignition_test.go
@@ -14,6 +14,7 @@ import (
 "github.com/openshift/installer/pkg/asset"
 "github.com/openshift/installer/pkg/asset/agent/agentconfig"
 "github.com/openshift/installer/pkg/asset/agent/common"
+ "github.com/openshift/installer/pkg/asset/agent/gencrypto"
 "github.com/openshift/installer/pkg/asset/agent/manifests"
 "github.com/openshift/installer/pkg/asset/agent/workflow"
 )
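Review bot: In the template-data literal of the `@@ -160,7 +163,11 @@` hunk, `AuthType` was the constant `"none"` and is now `authConfig.AuthType`, so an AuthConfig that leaves the field empty renders an empty auth type instead of an explicit choice; how the templates treat an empty value is not visible here. Rejecting that case before the literal, e.g. `if authConfig.AuthType == "" { return fmt.Errorf("auth type not set for unconfigured ignition") }`, keeps a misconfigured dependency from silently producing an image whose auth mode is undefined. The same literal now embeds a public key and three bearer tokens in the unconfigured ignition. A comment on it stating that the generated ignition is secret material, and that the tokens are created when the asset is generated rather than at boot (presumably, confirm against gencrypto), would help whoever stores or distributes the artefact. Generate begins and ends outside this hunk.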
@@ -96,6 +97,7 @@ func buildUnconfiguredIgnitionAssetDefaultDependencies(t *testing.T) []asset.Ass
 &manifests.NMStateConfig{},
 &common.InfraEnvID{},
 &agentconfig.AgentConfig{},
+ &gencrypto.AuthConfig{},
 }
 }
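Review bot: The default dependencies gain a zero-value `&gencrypto.AuthConfig{}`, so, as far as this hunk shows, tests built on this helper run Generate with an empty AuthType, PublicKey and tokens, and nothing asserts the auth fields this series starts rendering. A case that supplies a populated AuthConfig and checks that the generated ignition carries the expected auth type and key/token values would cover the new behaviour, and a second case with an empty AuthType would pin what is supposed to happen then. buildUnconfiguredIgnitionAssetDefaultDependencies starts outside the hunk.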