Rework Ubuntu addcrypt support

The comment based hook is destroyed during early install process.

Use python to manipulate the autoinstall file in a more sophisticated way.

Also refactor the initramfs hook material to be standalone files.

confluent_osdeploy/ubuntu22.04/profiles/default/autoinstall/user-data

@@ -10,7 +10,6 @@ autoinstall:
   storage:
     layout:
       name: lvm
-#CRYPTBOOT      password: %%CRYPTPASS%%
       match:
         path: "%%INSTALLDISK%%"
   user-data:

confluent_osdeploy/ubuntu22.04/profiles/default/scripts/addcrypt

@@ -0,0 +1,12 @@
+import yaml
+import sys
+
+ainst = {}
+with open('/autoinstall.yaml', 'r') as allin:
+    ainst = yaml.safe_load(allin)
+
+ainst['storage']['layout']['password'] = sys.argv[1]
+
+with open('/autoinstall.yaml', 'w') as allout:
+    yaml.safe_dump(ainst, allout)
+

confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh

@@ -108,50 +108,11 @@ if [ -f /etc/confluent_lukspass ]; then
     $lukspass=$(cat /etc/confluent_lukspass)
     chroot /target apt install libtss2-rc0
     PASSWORD=$(lukspass) chroot /target  systemd-cryptenroll --tpm2-device=auto $CRYPTTAB_SOURCE
-    cat >/target/etc/initramfs-tools/scripts/local-top/systemdecrypt << EOS
-#!/bin/sh
-case \$1 in
-prereqs)
-        echo
-        exit 0
-        ;;
-esac
-
-systemdecryptnow() {
-. /usr/lib/cryptsetup/functions
-local CRYPTTAB_SOURCE=\$(awk '{print \$2}' /systemdecrypt/crypttab)
-local CRYPTTAB_NAME=\$(awk '{print \$1}' /systemdecrypt/crypttab)
-crypttab_resolve_source
-/lib/systemd/systemd-cryptsetup attach "\${CRYPTTAB_NAME}" "\${CRYPTTAB_SOURCE}" none tpm2-device=auto
-}
-
-systemdecryptnow
-EOS
-    chmod 755 /target/etc/initramfs-tools/scripts/local-top/systemdecrypt
-    cat > /target/etc/initramfs-tools/hooks/systemdecrypt <<EOF
-#!/bin/sh
-case "\$1" in
-    prereqs)
-        echo
-        exit 0
-        ;;
-esac
-
-. /usr/share/initramfs-tools/hook-functions
-mkdir -p \$DESTDIR/systemdecrypt
-copy_exec /lib/systemd/systemd-cryptsetup /lib/systemd
-for i in /lib/x86_64-linux-gnu/libtss2*
-do
-        copy_exec \${i} /lib/x86_64-linux-gnu
-done
-mkdir -p \$DESTDIR/scripts/local-top
-
-echo /scripts/local-top/systemdecrypt >> \$DESTDIR/scripts/local-top/ORDER
-
-if [ -f \$DESTDIR/cryptroot/crypttab ]; then
-    mv \$DESTDIR/cryptroot/crypttab \$DESTDIR/systemdecrypt/crypttab
-fi
-EOF
+    fetch_remote  systemdecrypt
+    mv systemdecrypt /target/etc/initramfs-tools/scripts/local-top/systemdecrypt
+    fetch_remote systemdecrypt-hook
+    mv systemdecrypt-hook /target/etc/initramfs-tools/hooks/systemdecrypt
+    chmod 755 /target/etc/initramfs-tools/scripts/local-top/systemdecrypt /target/etc/initramfs-tools/hooks/systemdecrypt
     chroot /target update-initramfs -u
 fi
 python3 /opt/confluent/bin/apiclient /confluent-api/self/updatestatus  -d 'status: staged'

confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh

@@ -41,12 +41,13 @@ if [ ! -e /tmp/installdisk ]; then
 fi
 sed -i s!%%INSTALLDISK%%!/dev/$(cat /tmp/installdisk)! /autoinstall.yaml
 if [ "$cryptboot" != "" ]  && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "null" ]; then
+    lukspass=$(head -c 66 < /dev/urandom |base64 -w0)
+    run_remote_python addcrypt
     if ! grep '#CRYPTBOOT' /autoinstall.yaml > /dev/null; then
         echo "****Encrypted boot requested, but the user-data does not have a hook to enable,halting install" > /dev/console
         [ -f '/tmp/autoconsdev' ] && (echo "****Encryptod boot requested, but the user-data does not have a hook to enable,halting install" >> $(cat /tmp/autoconsdev))
         while :; do sleep 86400; done
     fi
-    lukspass=$(head -c 66 < /dev/urandom |base64 -w0)
     sed -i s!%%CRYPTPASS%%!$lukspass! /autoinstall.yaml
     sed -i s!'#CRYPTBOOT'!! /autoinstall.yaml
     echo -n $lukspass > /etc/confluent_lukspass

confluent_osdeploy/ubuntu22.04/profiles/default/scripts/systemdecrypt

@@ -0,0 +1,17 @@
+#!/bin/sh
+case $1 in
+prereqs)
+        echo
+        exit 0
+        ;;
+esac
+
+systemdecryptnow() {
+. /usr/lib/cryptsetup/functions
+local CRYPTTAB_SOURCE=$(awk '{print $2}' /systemdecrypt/crypttab)
+local CRYPTTAB_NAME=$(awk '{print $1}' /systemdecrypt/crypttab)
+crypttab_resolve_source
+/lib/systemd/systemd-cryptsetup attach "${CRYPTTAB_NAME}" "${CRYPTTAB_SOURCE}" none tpm2-device=auto
+}
+
+systemdecryptnow

confluent_osdeploy/ubuntu22.04/profiles/default/scripts/systemdecrypt-hook

@@ -0,0 +1,22 @@
+#!/bin/sh
+case "$1" in
+    prereqs)
+        echo
+        exit 0
+        ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+mkdir -p $DESTDIR/systemdecrypt
+copy_exec /lib/systemd/systemd-cryptsetup /lib/systemd
+for i in /lib/x86_64-linux-gnu/libtss2*
+do
+        copy_exec ${i} /lib/x86_64-linux-gnu
+done
+mkdir -p $DESTDIR/scripts/local-top
+
+echo /scripts/local-top/systemdecrypt >> $DESTDIR/scripts/local-top/ORDER
+
+if [ -f $DESTDIR/cryptroot/crypttab ]; then
+    mv $DESTDIR/cryptroot/crypttab $DESTDIR/systemdecrypt/crypttab
+fi