Write SSH keys directly to authorized_keys, not to fragment file

The MCO currently expects to manage SSH keys directly in authorized_keys. As a result, any keys written to the fragment file can't be removed by the MCO. To avoid this, we'll stop RHCOS from reading the fragment file, but that would make Ignition-written keys ineffective unless we also have Ignition write directly to authorized_keys. https://bugzilla.redhat.com/show_bug.cgi?id=1868062
coreos · Aug 20, 2020 · 67fcfb6 · 67fcfb6
1 parent a43c4b1
commit 67fcfb6
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/ignition.spec b/ignition.spec
@@ -64,7 +64,7 @@
 
 Name:           ignition
 Version:        2.6.0
-Release:        2.rhaos4.6.git%{shortcommit}%{?dist}
+Release:        3.rhaos4.6.git%{shortcommit}%{?dist}
 Summary:        First boot installer and configuration tool
 License:        ASL 2.0
 URL:            https://%{provider_prefix}
@@ -430,7 +430,7 @@ ln -s ../../../ src/%{provider_prefix}
 
 export LDFLAGS=%{ldflags}
 # Enable SELinux relabeling
-export LDFLAGS+=' -X github.com/coreos/ignition/v2/internal/distro.selinuxRelabel=true '
+export LDFLAGS+=' -X github.com/coreos/ignition/v2/internal/distro.selinuxRelabel=true -X github.com/coreos/ignition/v2/internal/distro.writeAuthorizedKeysFragment=false '
 
 # Modules, baby!
 export GO111MODULE=on
@@ -555,6 +555,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %endif
 
 %changelog
+* Thu Aug 20 2020 Benjamin Gilbert <[email protected]> - 2.6.0-3.rhaos4.6.git947598e
+- Write SSH keys directly to authorized_keys, not to fragment file
+
 * Wed Aug 12 2020 Benjamin Gilbert <[email protected]> - 2.6.0-2.rhaos4.6.git947598e
 - Fix sector size detection on s390x