From 150c3eea7bae8148128f43166fdee0090e5c44c4 Mon Sep 17 00:00:00 2001
From: miampf
Date: Thu, 3 Apr 2025 17:18:56 +0200
Subject: [PATCH] bootstrapper: write host key & certificate

---
 bootstrapper/internal/joinclient/joinclient.go | 8 ++++++++
 internal/constants/constants.go                | 4 ++++
 joinservice/internal/server/server.go          | 2 ++
 3 files changed, 14 insertions(+)

diff --git a/bootstrapper/internal/joinclient/joinclient.go b/bootstrapper/internal/joinclient/joinclient.go
index 536906988..f51cc2328 100644
--- a/bootstrapper/internal/joinclient/joinclient.go
+++ b/bootstrapper/internal/joinclient/joinclient.go
@@ -275,6 +275,14 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse,
 		return fmt.Errorf("writing ssh ca key: %w", err)
 	}
 
+	if err := c.fileHandler.Write(constants.SSHHostKeyPath, ticket.HostKey, file.OptMkdirAll); err != nil {
+		return fmt.Errorf("writing ssh host key: %w", err)
+	}
+
+	if err := c.fileHandler.Write(constants.SSHHostCertificatePath, ticket.HostCertificate, file.OptMkdirAll); err != nil {
+		return fmt.Errorf("writing ssh host certificate: %w", err)
+	}
+
 	state := nodestate.NodeState{
 		Role:            c.role,
 		MeasurementSalt: ticket.MeasurementSalt,
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index aecef23c8..35abcb637 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -46,6 +46,10 @@ const (
 	SSHCAKeySuffix = "ca_emergency_ssh"
 	// SSHCAKeyPath is the path to the emergency SSH CA key on the node.
 	SSHCAKeyPath = "/run/ssh/ssh_ca.pub"
+	// SSHHostKeyPath is the path to the SSH host key of the node.
+	SSHHostKeyPath = "/run/ssh/ssh_host_ecdsa_key"
+	// SSHHostCertificatePath is the path to the SSH host certificate.
+	SSHHostCertificatePath = "/run/ssh/ssh_host_cert.pub"
 
 	//
 	// Ports.
diff --git a/joinservice/internal/server/server.go b/joinservice/internal/server/server.go
index e81d49bd5..1ab2856d9 100644
--- a/joinservice/internal/server/server.go
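Review bot: The bytes written to `constants.SSHHostKeyPath` come from the server as `ssh.MarshalAuthorizedKey(hostKeyPub)` (server.go hunk), which is a public key in authorized_keys format, yet the path `/run/ssh/ssh_host_ecdsa_key` (no `.pub`) is the conventional location of a private host key, which is what sshd's HostKey directive expects to find there. Either the field is meant to carry the private key, in which case the write in this hunk should not rely on the handler's default mode (only `file.OptMkdirAll` is passed, and the default permissions are not visible here; a private key must end up owner-only), or it carries the public key and the constant should point at a `.pub` file so nothing later mistakes it for a private key. The same naming applies to the `HostKey` field populated in the server.go hunk, so the field name or the path should be fixed together. startNodeAndJoin begins and ends outside this hunk, so the options the earlier `SSHCAKeyPath` write uses are not visible.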
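Review bot: The doc comment on `SSHHostKeyPath` does not say which key material the file holds, although the name `ssh_host_ecdsa_key` reads as a private ECDSA key while the neighbouring `SSHCAKeyPath` and `SSHHostCertificatePath` are both `.pub` files; suggest `// SSHHostKeyPath is the path to the node's SSH host private key (ECDSA), readable by root only.` if that is the intent, or a `.pub` file name if it stores the public key. The file name also hard-codes the key algorithm, so a comment that states this keeps a future key-type change from silently leaving the path stale. The `const` block starts outside the hunk.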
+++ b/joinservice/internal/server/server.go
@@ -219,6 +219,8 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
 		ControlPlaneFiles:     controlPlaneFiles,
 		KubernetesComponents:  components,
 		AuthorizedCaPublicKey: ssh.MarshalAuthorizedKey(ca.PublicKey()),
+		HostKey:               ssh.MarshalAuthorizedKey(hostKeyPub),
+		HostCertificate:       ssh.MarshalAuthorizedKey(&certificate),
 	}, nil
 }
 