From 570611f22b4585aa79eb542ffcea662c6faae220 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 29 Aug 2022 11:10:45 -0400
Subject: [PATCH] Have osdeploy initialize skip SSH regen

When generating new key materials, most people say 'yes' and cause problems where they cycle valid keys without realizing the significance. Replace prompting with an emphasized warning instead.
---
 confluent_server/bin/osdeploy         | 10 ++++++++--
 confluent_server/confluent/sshutil.py |  8 ++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/confluent_server/bin/osdeploy b/confluent_server/bin/osdeploy
index a9bb2d2d..9d343110 100644
--- a/confluent_server/bin/osdeploy
+++ b/confluent_server/bin/osdeploy
@@ -292,11 +292,17 @@ def initialize(cmdset):
     if cmdset.s:
         didsomething = True
         init_confluent_myname()
-        sshutil.initialize_ca()
+        try:
+            sshutil.initialize_ca()
+        except sshutil.AlreadyExists:
+            emprint('Skipping generation of SSH CA, already present and would likely be more problematic to regenerate than to reuse (if absolutely sure you want to discard old CA, then delete /etc/confluent/ssh/ca*')
     if cmdset.a:
         didsomething = True
         init_confluent_myname()
-        sshutil.initialize_root_key(True, True)
+        try:
+            sshutil.initialize_root_key(True, True)
+        except sshutil.AlreadyExists:
+            emprint('Skipping generation of new automation key, already present and regeneration usually causes more problems. (If absolutely certain, delete /etc/confluent/ssh/automation*)')
     if cmdset.p:
         install_tftp_content()
     if cmdset.l:
diff --git a/confluent_server/confluent/sshutil.py b/confluent_server/confluent/sshutil.py
index da6a60f6..41b300e6 100644
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
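Review bot: The SSH CA message in the first `except sshutil.AlreadyExists:` branch opens a parenthesis at `(if absolutely sure` and never closes it, so the advice reads as cut off on the console; change the tail of the string to `... then delete /etc/confluent/ssh/ca*)')`. Both messages tell the operator to delete `ca*` / `automation*`, while the guards in sshutil.py test a single file each (`ca.pub` and `automation`), so a partially deleted pair passes the guard and the code proceeds against the surviving file — the wording should match what is actually checked, or the check should cover both halves. The `AlreadyExists` raised by `initialize_root_key` is placed partway through that function (its remainder is outside the hunk), so on the `-a` path an existing key also skips whatever follows the ssh-keygen call; if that later part is what registers the key for use, a re-run no longer repairs a missing registration — please confirm. `initialize` continues outside the hunk.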
@@ -72,8 +72,14 @@ def get_passphrase():
     phrase = phrase.decode('utf8')
     return phrase
 
+class AlreadyExists(Exception):
+    pass
+
 def initialize_ca():
     ouid = normalize_uid()
+    # if already there, skip, make warning
+    if os.path.exists('/etc/confluent/ssh/ca.pub'):
+        raise AlreadyExists()
     try:
         os.makedirs('/etc/confluent/ssh', mode=0o700)
     except OSError as e:
@@ -162,6 +168,8 @@ def initialize_root_key(generate, automation=False):
     for currkey in glob.glob('/root/.ssh/*.pub'):
         authorized.append(currkey)
     if automation and generate:
+        if os.path.exists('/etc/confluent/ssh/automation'):
+            raise AlreadyExists()
         subprocess.check_call(
             ['ssh-keygen', '-t', 'ed25519', '-f','/etc/confluent/ssh/automation', '-N', get_passphrase(),
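Review bot: The guard added to `initialize_ca` tests only `/etc/confluent/ssh/ca.pub`, so when the public half is missing but the private `ca` file is still present the function proceeds as if no CA existed, which is the regeneration this commit sets out to prevent; the same single-file test appears in the `initialize_root_key` hunk (`automation` only). Checking either file closes the gap: `if os.path.exists('/etc/confluent/ssh/ca') or os.path.exists('/etc/confluent/ssh/ca.pub'):`. The comment `# if already there, skip, make warning` does not describe the code, which raises rather than warns; `# refuse to touch an existing CA; callers catch AlreadyExists and report it` is accurate. Giving the exception the path it found, `raise AlreadyExists('/etc/confluent/ssh/ca.pub')`, means a caller that does not catch it still shows something useful in the traceback. `initialize_ca` continues outside the hunk.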