Pull in the automation key into default profiles

2024-11-21 17:11:58 +00:00 · 2021-03-09 15:45:40 -05:00 · 2021-03-09 15:45:40 -05:00 · e38dbc4470
commit e38dbc4470
parent a26624a614
9 changed files with 14 additions and 11 deletions
--- a/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
+++ b/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
@ -12,7 +12,7 @@ sed -i 's/install::/install:*:/' /sysroot/etc/shadow
 sed -i 's/root::/root:*:/' /sysroot/etc/shadow
 mkdir -p /sysroot/root/.ssh
 #chmod 700 /sysroot/root/.ssh
-cat /ssh/*.rootpubkey > /sysroot/root/.ssh/authorized_keys
+cat /ssh/*pubkey > /sysroot/root/.ssh/authorized_keys
 #chmod 600 /sysroot/root/.ssh/authorized_keys
 mkdir -p /sysroot/etc/ssh/
 for i in /ssh/*.ca; do
--- a/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
+++ b/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
@ -13,7 +13,7 @@ sed -i 's/install::/install:*:/' /sysroot/etc/shadow
 sed -i 's/root::/root:*:/' /sysroot/etc/shadow
 mkdir -p /sysroot/root/.ssh
 chmod 700 /sysroot/root/.ssh
-cat /ssh/*.rootpubkey > /sysroot/root/.ssh/authorized_keys
+cat /ssh/*pubkey > /sysroot/root/.ssh/authorized_keys
 chmod 600 /sysroot/root/.ssh/authorized_keys
 mkdir -p /sysroot/etc/ssh/
 for i in /ssh/*.ca; do
--- a/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis
+++ b/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis
@ -35,7 +35,7 @@ PermitRootLogin yes
 AuthorizedKeysFile      .ssh/authorized_keys
 EOF
 mkdir ~/.ssh
-cat /ssh/*.rootpubkey > ~/.ssh/authorized_keys
+cat /ssh/*pubkey > ~/.ssh/authorized_keys 2>/dev/null
 cat /tls/*.pem > /etc/confluent/ca.pem
 mkdir -p /etc/pki/tls/certs
 cat /tls/*.pem > /etc/pki/tls/certs/ca-bundle.crt
--- a/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
+++ b/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
@ -12,7 +12,7 @@ sed -i 's/install::/install:*:/' /sysroot/etc/shadow
 sed -i 's/root::/root:*:/' /sysroot/etc/shadow
 mkdir -p /sysroot/root/.ssh
 #chmod 700 /sysroot/root/.ssh
-cat /ssh/*.rootpubkey > /sysroot/root/.ssh/authorized_keys
+cat /ssh/*pubkey > /sysroot/root/.ssh/authorized_keys
 #chmod 600 /sysroot/root/.ssh/authorized_keys
 mkdir -p /sysroot/etc/ssh/
 for i in /ssh/*.ca; do
--- a/confluent_osdeploy/suse15/initramfs/opt/confluent/bin/suseagent
+++ b/confluent_osdeploy/suse15/initramfs/opt/confluent/bin/suseagent
@ -1,7 +1,7 @@
 #!/bin/bash
 echo "Installing certificates"
 echo '<authorized_keys xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns" config:type="list">' > /tmp/rootkeys.xml
-for pub in /ssh/*.rootpubkey; do
+for pub in /ssh/*pubkey; do
    echo '<listentry>'$(cat $pub)'</listentry>' >> /tmp/rootkeys.xml
 done
 echo '</authorized_keys>' >> /tmp/rootkeys.xml
--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh
@ -16,7 +16,8 @@ if [ "$cryptboot" != "" ]  && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "n
 fi

 mkdir ~/.ssh
-cat /ssh/*.rootpubkey > ~/.ssh/authorized_keys
+cat /ssh/*pubkey > ~/.ssh/authorized_keys 2>/dev/null
+
 ssh-keygen -A
 for i in  /etc/ssh/ssh_host*key.pub; do
    certname=${i/.pub/-cert.pub}
--- a/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/pre.sh
+++ b/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/pre.sh
@ -9,7 +9,7 @@ if [ "$cryptboot" != "" ]  && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "n
 fi


-cat /custom-installation/ssh/*.rootpubkey > /root/.ssh/authorized_keys
+cat /custom-installation/ssh/*pubkey > /root/.ssh/authorized_keys
 nodename=$(grep ^NODENAME: /custom-installation/confluent/confluent.info|awk '{print $2}')
 apikey=$(cat /custom-installation/confluent/confluent.apikey)
 for pubkey in /etc/ssh/ssh_host*key.pub; do
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
@ -77,6 +77,8 @@ def initialize_ca():

 def prep_ssh_key(keyname):
    assure_agent()
+    if keyname in ready_keys:
+        return
    tmpdir = tempfile.mkdtemp()
    try:
        askpass = os.path.join(tmpdir, 'askpass.sh')
@ -89,15 +91,15 @@ def prep_ssh_key(keyname):
        with open(os.devnull, 'wb') as devnull:
            subprocess.check_call(['ssh-add', keyname], stdin=devnull)
        del os.environ['CONFLUENT_SSH_PASSPHRASE']
+        ready_keys[keyname] = 1
    finally:
        shutil.rmtree(tmpdir)

 def sign_host_key(pubkey, nodename, principals=()):
    tmpdir = tempfile.mkdtemp()
    try:
-        if 'ca.pub' not in ready_keys:
-            prep_ssh_key('/etc/confluent/ssh/ca')
-            ready_keys['ca.pub'] = 1
+        prep_ssh_key('/etc/confluent/ssh/ca')
+        ready_keys['ca.pub'] = 1
        pkeyname = os.path.join(tmpdir, 'hostkey.pub')
        with open(pkeyname, 'wb') as pubfile:
            pubfile.write(pubkey)
--- a/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
+++ b/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
@ -15,7 +15,7 @@ fi
 sed -i "s!root:[^:]*:!root:$rootpw:!" /sysroot/etc/shadow
 mkdir -p /sysroot/root/.ssh
 chmod 700 /sysroot/root/.ssh
-cat /ssh/*.rootpubkey > /sysroot/root/.ssh/authorized_keys
+cat /ssh/*pubkey > /sysroot/root/.ssh/authorized_keys
 chmod 600 /sysroot/root/.ssh/authorized_keys
 mkdir -p /sysroot/etc/ssh/
 for i in /ssh/*.ca; do