Feature Request
Resolution: Unresolved
Normal
openshift-4.14, openshift-4.15, openshift-4.16, openshift-4.17, openshift-4.18, openshift-4.19
Product / Portfolio Work
1. Proposed title of this feature request
SSH authorized_keys customisation at install time via the install-config.yaml
2. What is the nature and description of the request?
When generating an `install-config.yaml` file using the `openshift-install` CLI tool, the user is forced to select from existing public SSH keys in the user's home directory, ensuring a valid public key is used.
The same goes when using the "Assisted Installer" to create a cluster via the Red Hat Hybrid Cloud Console: the Discovery ISO generation form enforces a strict public SSH key format.
The provided key ends up in the `core` user's home directory, in an `.ssh/authorized_keys.d/ignition` file in the deployed nodes.
Despite the enforced format when generating the file, the `install-config.yaml` can be manually created, or a generated file modified, to change the `sshKey` content to contain extra options that are not part of a standard public key but are still valid for an `authorized_keys` file. Using the `openshift-install create cluster` command to deploy a cluster with the modified `install-config.yaml` still results in a working deployment.
This does not work, however, when using the agent-based installer, as the agent will attempt to validate the content of the `sshKey` parameter and will deem it to be invalid.
3. Why does the customer need this? (List the business requirements here)
The customer is specifically attempting to restrict which external hosts are allowed to use the key by substituting the standard public SSH key in the `install-config.yaml` with a customised value along the lines of:
from="aaa.aaa.aaa.aaa,bbb.bbb.bbb.bbb" ssh-ed25519 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx user@example.com
This is a valid `authorized_keys` file, but is not a valid public SSH key. Using the `openshift-install` tool to complete the cluster deployment works, but when using the agent-based installer, the key is rejected as invalid.
The customer would like to use the same `install-config.yaml` that they have used with other install methods with the agent-based installer too.
4. List any affected packages or components.
- Agent-based installer
- openshift-install
- Assisted Installer
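
The distinction this request turns on, a bare public key versus an `authorized_keys` entry with leading options such as `from=`, as an added example that is not code from `openshift-install` or the agent-based installer. It is a stdlib-only Python sketch; the function names, the key-type subset and the sample key blob are constructed for illustration.

```python
import base64
import struct

# Assumption: a subset of OpenSSH key types, enough for this sketch.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def split_fields(line):
    """Split on whitespace, keeping double-quoted option values intact."""
    fields, buf, quoted, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in " \t" and not quoted:
            if buf:
                fields.append(buf)
            buf = ""
        else:
            buf += ch
        prev = ch
    if quoted:
        raise ValueError("unterminated quote in options")
    return fields + ([buf] if buf else [])

def blob_matches_type(key_type, b64):
    """The decoded blob begins with a length-prefixed copy of the key type."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    if len(raw) < 4:
        return False
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n] == key_type.encode()

def classify(line):
    """Return (kind, options, key_type); raise ValueError if neither form."""
    fields = split_fields(line.strip())
    for idx, field in enumerate(fields[:2]):
        if field in KEY_TYPES:
            if idx + 1 >= len(fields) or not blob_matches_type(field, fields[idx + 1]):
                raise ValueError("key blob missing or does not match key type")
            kind = "public_key" if idx == 0 else "authorized_keys_entry"
            return kind, fields[0] if idx else "", field
    raise ValueError("no supported key type found")

def constructed_blob():
    """Constructed sample: an ed25519-shaped blob with an all-zero key."""
    body = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return base64.b64encode(body).decode()
```

A validator that only accepts the `public_key` result rejects the customer's value, while one that also accepts `authorized_keys_entry` can still verify the embedded key.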