Configure separate SSH key for Windows instances in staging (#9592)

oswcab · gbenhaim · web-flow · commit 8223a0ad5736 · 2025-12-10T20:19:19.000-05:00
- Add aws-win-ssh-key ExternalSecret in staging-downstream/external-secrets.yaml
- Set ssh-secret: "aws-win-ssh-key" in archDefaults.windows-amd64 for staging
- Update host-config template to use archDefaults for Windows ssh-secret

This allows Windows instances to use a dedicated SSH key (aws-win-ssh-key)
instead of the default Linux SSH key (aws-ssh-key) in staging environment.

The idea is to avoid the error:

  "Error allocating host: failed to launch EC2 instance for
   podman-desktop-on-pull-request-lppsx-build-windows-native:
    operation error EC2: RunInstances, https response error
    StatusCode: 400,
    RequestID: 077f7a6e-a980-454b-80dd-78bc28f4ac71,
    api error Unsupported: ED25519 key pairs are not supported
    with Windows AMIs. Choose a different key pair type and try again."

Co-authored-by: Gal Ben Haim &lt;gbenhaim@redhat.com&gt;
diff --git a/components/multi-platform-controller/base/host-config-chart/templates/host-config.yaml b/components/multi-platform-controller/base/host-config-chart/templates/host-config.yaml
@@ -1128,7 +1128,7 @@ data:
   dynamic.windows-4xlarge-amd64.instance-tag: {{ (index $config "instance-tag") | default (printf "%s-amd64-4xlarge" $environment) | quote }}
   dynamic.windows-4xlarge-amd64.key-name: {{ default (index $windows "key-name") ((index $config "key-name")) | quote }}
   dynamic.windows-4xlarge-amd64.aws-secret: {{ (index $config "aws-secret") | default "aws-account" | quote }}
-  dynamic.windows-4xlarge-amd64.ssh-secret: {{ (index $config "ssh-secret") | default "aws-ssh-key" | quote }}
+  dynamic.windows-4xlarge-amd64.ssh-secret: {{ default (index $windows "ssh-secret") ((index $config "ssh-secret")) | default "aws-ssh-key" | quote }}
   dynamic.windows-4xlarge-amd64.security-group-id: {{ default (index $windows "security-group-id") ((index $config "security-group-id")) | quote }}
   dynamic.windows-4xlarge-amd64.max-instances: {{ (index $config "max-instances") | default "5" | quote }}
   dynamic.windows-4xlarge-amd64.subnet-id: {{ default (index $windows "subnet-id") ((index $config "subnet-id")) | quote }}
diff --git a/components/multi-platform-controller/staging-downstream/external-secrets.yaml b/components/multi-platform-controller/staging-downstream/external-secrets.yaml
@@ -44,6 +44,29 @@ spec:
     deletionPolicy: Delete
     name: aws-ssh-key
 ---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: aws-win-ssh-key
+  namespace: multi-platform-controller
+  labels:
+    build.appstudio.redhat.com/multi-platform-secret: "true"
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  dataFrom:
+    - extract:
+        key: staging/infrastructure/multi-platform-controller/stone-stage-p01/aws-win-ssh-key
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: appsre-stonesoup-vault
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Delete
+    name: aws-win-ssh-key
+---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
diff --git a/components/multi-platform-controller/staging-downstream/host-values.yaml b/components/multi-platform-controller/staging-downstream/host-values.yaml
@@ -27,6 +27,7 @@ archDefaults:
     key-name: "konflux-stage-int-mab01"
     security-group-id: "sg-0482e8ccae008b240"
     subnet-id: "subnet-07597d1edafa2b9d3"
+    ssh-secret: "aws-win-ssh-key"
 
 dynamicConfigs:
   linux-arm64:
