
Conversation

@lanchongyizu
Member

Fix ODR-972:
Since we use the public key as privateKey to ssh into the node, the ssh client throws
Error: privateKey value does not contain a (valid) private key
so it doesn't use user/password at all.

The solution is making ssh private key optional.

@RackHD/corecommitters @panpan0000 @benbp @iceiilin

@JenkinsRHD
Contributor

BUILD on-tasks #1729 : FAILURE

@iceiilin
Member

iceiilin commented Nov 3, 2016

👍

@lanchongyizu
Member Author

test this please

@JenkinsRHD
Contributor

BUILD on-tasks #1730 : FAILURE

@lanchongyizu
Member Author

test this please

@keedya
Contributor

keedya commented Nov 3, 2016

@lanchongyizu, how can the user upload the private keys?

@amymullins
Member

@lanchongyizu as discussed in the email thread, we should be removing ssh validation instead of making it optional in the workflow. There is still a large security concern with passing the private key in the payload.

@lanchongyizu
Member Author

@keedya @amymullins Do you agree with removing private key from RackHD?

@lanchongyizu
Member Author

lanchongyizu commented Nov 10, 2016

The comments from @johren in ODR-972:

This is my viewpoint on dealing with the SSH keys (both public and private):

  1. SSH PUBLIC keys should remain in the OS install payload. This option is to allow the client to specify a public key that they want installed on the compute node such that the client (not RackHD) can use their private key to access the node.
  2. RackHD does not need to have (and should not have) the client's private key.
  3. If RackHD needs to access the node with an SSH key pair (for inband management/ansible) we should generate a separate key pair for RackHD. RackHD will keep that private key and install the corresponding public key on the node.

So, coming from this viewpoint, I'm fine with make ssh private key optional #369 and Add ssh public key for Inband management. on-http#520 (other than not needing to encrypt/redact the public key) as long as we are not asking the client to upload their own private keys. These private keys should be ones generated by RackHD.

@panpan0000
Contributor

@lanchongyizu, so the title should be changed to "make ssh public key optional in bootstrap payload"?

@lanchongyizu
Member Author

@panpan0000 No, the Public Key has already been optional, this PR is to make the Private Key optional so that RackHD works fine no matter whether Private Key exists or not.

@anhou anhou merged commit 5e8425a into RackHD:master Nov 11, 2016


7 participants