bootstrapper: write host key & certificate

bootstrapper/internal/joinclient/joinclient.go

@@ -275,6 +275,14 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse,
 		return fmt.Errorf("writing ssh ca key: %w", err)
 	}
 
+	if err := c.fileHandler.Write(constants.SSHHostKeyPath, ticket.HostKey, file.OptMkdirAll); err != nil {
+		return fmt.Errorf("writing ssh host key: %w", err)
+	}
+
+	if err := c.fileHandler.Write(constants.SSHHostCertificatePath, ticket.HostCertificate, file.OptMkdirAll); err != nil {
+		return fmt.Errorf("writing ssh host certificate: %w", err)
+	}
+
 	state := nodestate.NodeState{
 		Role:            c.role,
 		MeasurementSalt: ticket.MeasurementSalt,

internal/constants/constants.go

@@ -46,6 +46,10 @@ const (
 	SSHCAKeySuffix = "ca_emergency_ssh"
 	// SSHCAKeyPath is the path to the emergency SSH CA key on the node.
 	SSHCAKeyPath = "/run/ssh/ssh_ca.pub"
+	// SSHHostKeyPath is the path to the SSH host key of the node.
+	SSHHostKeyPath = "/run/ssh/ssh_host_ecdsa_key"
+	// SSHHostCertificatePath is the path to the SSH host certificate.
+	SSHHostCertificatePath = "/run/ssh/ssh_host_cert.pub"
 
 	//
 	// Ports.

joinservice/internal/server/server.go

@@ -219,6 +219,8 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
 		ControlPlaneFiles:        controlPlaneFiles,
 		KubernetesComponents:     components,
 		AuthorizedCaPublicKey:    ssh.MarshalAuthorizedKey(ca.PublicKey()),
+		HostKey:                  ssh.MarshalAuthorizedKey(hostKeyPub),
+		HostCertificate:          ssh.MarshalAuthorizedKey(&certificate),
 	}, nil
 }