Closed marmijo closed 1 week ago
@marmijo As part of this, since it's touching the same part of the codebase, could you look at question 1 from https://github.com/coreos/coreos-assembler/issues/1835? Possibly it can be closed out if it's no longer an issue, or if there's a valid rationale for the Afterburn message.
For some reason, Azure started populating the certs endpoint even when an SSH key is not provisioned. The afterburn logic currently expects the certs endpoint to either exist with an SSH public key in the certificate chain, or not exist at all. It looks like we are hitting a third case where the certs endpoint exists, but the certificate chain inside the referenced PKCS#12 file is empty. After speaking with @dustymabe, we decided to allow this case to succeed and still warn that an SSH public key was not provisioned.
https://github.com/coreos/afterburn/pull/1074 should resolve this issue.
I'll reopen this issue until a new Afterburn release can be cut (which will include the change made in https://github.com/coreos/afterburn/pull/1074) so we can continue to use it to snooze coreos.ignition.ssh.key in the FCOS pipeline.
Test passes in the latest Azure builds with afterburn-5.7.0-1.
coreos.ignition.ssh.key has been failing in the kola-azure Jenkins job since August 15, 2023 with the following error:
Looking into the journal log file for the test shows:
journal.txt console.txt
Afterburn fails to convert pkcs12 blob to ssh pubkey
Before this failure, the fetching section looked like this:
Which is what other tests' logs look like when an SSH key IS set. So it's looking like an SSH key is being set somehow, even though one isn't specified. This is causing the .ssh/authorized_keys.d/afterburn file to be created and the kola test fails.
The certificates endpoint is now included in http://168.63.129.16/machine/?comp=goalstate so now it's being fetched and afterburn is failing directly after fetching the certificate.
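The three cases described in the thread above (no certs endpoint, a chain containing a key, an endpoint whose chain is empty), modelled as an added example that is not afterburn's code and not part of the thread. The types, function names, error text and fragment path are hypothetical, and the PKCS#12 decoding is assumed to have already happened.

```rust
use std::{fs, io, path::Path};

// Hypothetical model (not afterburn's types): keys already extracted from the PKCS#12 chain.
#[derive(Debug, PartialEq)]
enum CertsEndpoint {
    Absent,             // goal state lists no certificates endpoint
    Chain(Vec<String>), // endpoint present; SSH keys found in the chain (may be empty)
}
#[derive(Debug, PartialEq)]
enum Outcome {
    Keys(Vec<String>),
    NoKey { warned: bool },
}

// Logic as described before the fix: an endpoint that exists must yield a key.
fn keys_strict(ep: &CertsEndpoint) -> Result<Outcome, String> {
    match ep {
        CertsEndpoint::Absent => Ok(Outcome::NoKey { warned: false }),
        // Constructed error text, not afterburn's actual message.
        CertsEndpoint::Chain(k) if k.is_empty() => Err("empty certificate chain".into()),
        CertsEndpoint::Chain(k) => Ok(Outcome::Keys(k.clone())),
    }
}

// Logic as described after the fix: an empty chain succeeds, with a warning.
fn keys_lenient(ep: &CertsEndpoint) -> Result<Outcome, String> {
    match ep {
        CertsEndpoint::Chain(k) if k.is_empty() => {
            eprintln!("warning: SSH public key not provisioned");
            Ok(Outcome::NoKey { warned: true })
        }
        other => keys_strict(other),
    }
}

// Returns true if the key fragment exists afterwards; with no key, a stale one is removed.
fn sync_fragment(path: &Path, out: &Outcome) -> io::Result<bool> {
    match out {
        Outcome::Keys(k) => fs::write(path, k.join("\n") + "\n").map(|_| true),
        Outcome::NoKey { .. } => match fs::remove_file(path) {
            Err(e) if e.kind() != io::ErrorKind::NotFound => Err(e),
            _ => Ok(false),
        },
    }
}

fn main() {
    let frag = std::env::temp_dir().join("afterburn-example-fragment"); // constructed path
    let out = keys_lenient(&CertsEndpoint::Chain(vec![])).expect("empty chain is accepted");
    println!("{:?}, fragment present: {}", out, sync_fragment(&frag, &out).unwrap());
}
```

The empty-chain case must end with no key fragment on disk, which is the condition the coreos.ignition.ssh.key test in the thread trips on.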