Bug 1570905

Summary: [RFE] [Satellite 6] Option to Select available KeyPair in EC2 Compute Resource
Product: Red Hat Satellite
Reporter: Anto P Joseph <ajoseph>
Component: Compute Resources - EC2
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX
QA Contact: Lukáš Hellebrandt <lhellebr>
Severity: medium
Priority: unspecified
Version: Unspecified
CC: bkearney, lhellebr, rjerrido, smercurio
Target Milestone: Unspecified
Keywords: FutureFeature, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-11-04 14:03:00 UTC
Type: Bug

Description Anto P Joseph 2018-04-23 16:46:51 UTC
Description of problem:

Currently, there is no option to add/select an existing key pair while provisioning an EC2 instance.

Instead, a key pair is currently generated/assigned to each compute resource, and all instances are assigned the same key pair, which gets added to the "ec2-user" or SSH user's authorized keys file.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Provision an EC2 instance using Satellite 6

Actual results:

The instance will be provisioned with the key pair generated for the compute resource, with a naming convention of foreman-<ID>.

Expected results:

Should be able to list and choose EC2 key-pairs while creating NEW-HOST

Additional info:

Comment 2 Steven Mercurio 2018-05-13 02:23:38 UTC
I will clarify the issue:

If the foreman-<GUID> key is going to be added to any user other than root (ec2-user), this needs to be clear in the DOCs.  ALSO I think that is WRONG unless you are using cloud-init which I CAN/WILL NOT due to the following:

1) OTP with IDM initial registration is BROKEN on cloud-init (known issue/BZ) NOT ssh finish scripts

2) Many clients want a STANDARD that works on ALL public clouds - Users should NOT have to treat EC2 ANY different than their VMware/RHV image builds as in mine and MANY other cases THE RHV BUILD IMAGE IS WHAT I UPLOADED TO/CONVERTED IN AWS to use as my AWS AMI   *** READ AS:  GET DOCS WRITTEN FOR NON-REDHAT/BYOL PROVIDED IMAGES ***

3) I do not want to use cloud init as it does NOT support all the functionality I can get right now out of an SSH finish script.

4) Why should I have to write and maintain ANOTHER script template set when I already have exactly what I need in the SSH finish templates - I shouldn't HAVE to.  It's GREAT to have the option but BOTH should be (and after figuring it out ARE) able to work.

5) Why would I want yet another pkg/service (cloud-init) to worry about/secure on EVERY system?  Some may want it but NOT all just like for RHV/VMware.

When I use the AWS web console to provision a VM I get to pick the key and AWS puts that in *ROOT'S* authorized_keys file.  WHY CAN'T SAT6 DO THE SAME by putting the foreman-GUID key in root's auth_keys file ***WHICH IS WHERE THE SSH FINISH SCRIPT NEEDS IT - NOT IN ec2-user (which it doesn't even do anyway as neither that user nor cloud-init is present/running) ***  I don't understand WHY you would add that key ANYWHERE else for images with no cloud-init box checked in the CR.

Once I figured out what was going on and MANUALLY:
1) pulled foreman-GUID priv key out of Sat6
2) generated pub key for foreman-GUID
3) added the pub key to root auth_keys in my image


The *REAL* solution is ALLOW ssh password access as root just like kickstarts/RHV but at the very least either:

1) put the key in root's auth_keys like the AWS web console
2) DOC the fact that this is on the user and here are the steps to do it.

I and *MANY* others just take the on-prem standard OS image for VMware/RHV and upload and convert it right into an AMI so that the SAME puppet/apps/etc code just works on AWS SAME AS RHV/VMWARE.
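
Steps 2 and 3 of the manual workaround described in this comment, as an added example that is not part of the original bug report or of Satellite. It assumes the compute resource's private key has already been exported to a local file (step 1, not covered here) and that the image's root filesystem is mounted at a directory; both paths are hypothetical arguments.

```shell
#!/bin/sh
# Added example (not from the bug report).
# install_root_key PRIVATE_KEY_FILE IMAGE_ROOT
#   PRIVATE_KEY_FILE: exported foreman-<GUID> private key (hypothetical path)
#   IMAGE_ROOT:       mount point of the image's root filesystem (hypothetical)
# Derives the public key and adds it to IMAGE_ROOT/root/.ssh/authorized_keys.
# Run as root so the files created in the image are owned by uid 0.
install_root_key() {
    key_file=$1
    image_root=$2
    ssh_dir="$image_root/root/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    [ -r "$key_file" ] || { echo "cannot read $key_file" >&2; return 1; }
    [ -d "$image_root/root" ] || { echo "$image_root/root not found" >&2; return 1; }

    # ssh-keygen refuses private keys readable by group/other, so tighten first.
    chmod 600 "$key_file" || return 1

    # Step 2: derive the public key from the private key.
    pub_key=$(ssh-keygen -y -f "$key_file") || return 1

    # sshd with StrictModes (the default) ignores authorized_keys when the
    # directory or file is writable by anyone other than the owner.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_keys" && chmod 600 "$auth_keys" || return 1

    # Step 3: append only if this exact key line is not already present,
    # so rebuilding the image does not accumulate duplicates.
    if ! grep -qxF "$pub_key" "$auth_keys"; then
        printf '%s\n' "$pub_key" >> "$auth_keys"
    fi
}
```

Because every instance from the compute resource shares this one key pair, the exported private key file grants root on all of them and should be stored and removed accordingly.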

Comment 5 Bryan Kearney 2019-11-04 14:03:00 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.