From e38dbc447053679062ebcf884c0441581050be4f Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 9 Mar 2021 15:45:40 -0500
Subject: [PATCH] Pull in the automation key into default profiles
---
 .../usr/lib/dracut/hooks/pre-pivot/01-confluent.sh | 2 +-
 .../usr/lib/dracut/hooks/pre-pivot/01-confluent.sh | 2 +-
 .../genesis/initramfs/opt/confluent/bin/rungenesis | 2 +-
 .../usr/lib/dracut/hooks/pre-pivot/01-confluent.sh | 2 +-
 .../suse15/initramfs/opt/confluent/bin/suseagent | 2 +-
 confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh | 3 ++-
 .../ubuntu20.04/profiles/default/scripts/pre.sh | 2 +-
 confluent_server/confluent/sshutil.py | 8 +++++---
 .../usr/lib/dracut/hooks/pre-pivot/01-confluent.sh | 2 +-
 9 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh b/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
index 19a75384..3b3e98da 100644
--- a/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
+++ b/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
@@ -12,7 +12,7 @@ sed -i 's/install::/install:*:/' /sysroot/etc/shadow
 sed -i 's/root::/root:*:/' /sysroot/etc/shadow
 mkdir -p /sysroot/root/.ssh
 #chmod 700 /sysroot/root/.ssh
-cat /ssh/*.rootpubkey > /sysroot/root/.ssh/authorized_keys
+cat /ssh/*pubkey > /sysroot/root/.ssh/authorized_keys
 #chmod 600 /sysroot/root/.ssh/authorized_keys
 mkdir -p /sysroot/etc/ssh/
 for i in /ssh/*.ca; do
diff --git a/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh b/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
index c828926b..e62eb313 100644
--- a/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
+++ b/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
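Review bot: The added line's glob `/ssh/*pubkey` matches every file in /ssh/ whose name ends in "pubkey", so any key material the deployment server later places there under a new suffix becomes a root login key on every node, a wider grant than the existing `.rootpubkey` set plus the automation key the subject line describes. Naming the intended suffixes explicitly, `cat /ssh/*.rootpubkey /ssh/*.<automation-key-suffix> > /sysroot/root/.ssh/authorized_keys` with the automation key's real suffix filled in, keeps the trust boundary reviewable. The same widened glob is introduced in the el8, rhvh4 and misc/xcatstateless hooks, rungenesis, suseagent and the suse15 hpc and ubuntu20.04 pre.sh hunks. In this el7 hook (and rhvh4) the `#chmod 700`/`#chmod 600` lines around the write also stay commented out, so the file mode is whatever the umask yields, unlike the el8 and xcatstateless hooks. The hook continues outside the hunk.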
@@ -13,7 +13,7 @@ sed -i 's/install::/install:*:/' /sysroot/etc/shadow
 sed -i 's/root::/root:*:/' /sysroot/etc/shadow
 mkdir -p /sysroot/root/.ssh
 chmod 700 /sysroot/root/.ssh
-cat /ssh/*.rootpubkey > /sysroot/root/.ssh/authorized_keys
+cat /ssh/*pubkey > /sysroot/root/.ssh/authorized_keys
 chmod 600 /sysroot/root/.ssh/authorized_keys
 mkdir -p /sysroot/etc/ssh/
 for i in /ssh/*.ca; do
diff --git a/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis b/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis
index ebdeb1bb..cd75bcfc 100644
--- a/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis
+++ b/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis
@@ -35,7 +35,7 @@ PermitRootLogin yes
 AuthorizedKeysFile .ssh/authorized_keys
 EOF
 mkdir ~/.ssh
-cat /ssh/*.rootpubkey > ~/.ssh/authorized_keys
+cat /ssh/*pubkey > ~/.ssh/authorized_keys 2>/dev/null
 cat /tls/*.pem > /etc/confluent/ca.pem
 mkdir -p /etc/pki/tls/certs
 cat /tls/*.pem > /etc/pki/tls/certs/ca-bundle.crt
diff --git a/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh b/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
index 19a75384..3b3e98da 100644
--- a/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
+++ b/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
@@ -12,7 +12,7 @@ sed -i 's/install::/install:*:/' /sysroot/etc/shadow
 sed -i 's/root::/root:*:/' /sysroot/etc/shadow
 mkdir -p /sysroot/root/.ssh
 #chmod 700 /sysroot/root/.ssh
-cat /ssh/*.rootpubkey > /sysroot/root/.ssh/authorized_keys
+cat /ssh/*pubkey > /sysroot/root/.ssh/authorized_keys
 #chmod 600 /sysroot/root/.ssh/authorized_keys
 mkdir -p /sysroot/etc/ssh/
 for i in /ssh/*.ca; do
diff --git a/confluent_osdeploy/suse15/initramfs/opt/confluent/bin/suseagent b/confluent_osdeploy/suse15/initramfs/opt/confluent/bin/suseagent
index d42dd373..49b72fd7 100755
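Review bot: The `2>/dev/null` added to the rungenesis `cat` line hides the one failure that matters here: if nothing matches `/ssh/*pubkey`, bash passes the literal pattern to cat, the redirect has already truncated ~/.ssh/authorized_keys to empty, and the node comes up with no root key and no message saying why. A check after the write, `[ -s ~/.ssh/authorized_keys ] || echo "no public keys found under /ssh" >&2`, restores the diagnostic without the noise the suppression was meant to remove. The same suppression is added in the suse15 hpc pre.sh hunk. rungenesis continues outside the hunk.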
--- a/confluent_osdeploy/suse15/initramfs/opt/confluent/bin/suseagent
+++ b/confluent_osdeploy/suse15/initramfs/opt/confluent/bin/suseagent
@@ -1,7 +1,7 @@
 #!/bin/bash
 echo "Installing certificates"
 echo '' > /tmp/rootkeys.xml
-for pub in /ssh/*.rootpubkey; do
+for pub in /ssh/*pubkey; do
 echo ''$(cat $pub)'' >> /tmp/rootkeys.xml
 done
 echo '' >> /tmp/rootkeys.xml
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh
index 11afd411..d6232a09 100644
--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh
@@ -16,7 +16,8 @@ if [ "$cryptboot" != "" ] && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "n
 fi
 mkdir ~/.ssh
-cat /ssh/*.rootpubkey > ~/.ssh/authorized_keys
+cat /ssh/*pubkey > ~/.ssh/authorized_keys 2>/dev/null
+
 ssh-keygen -A
 for i in /etc/ssh/ssh_host*key.pub; do
 certname=${i/.pub/-cert.pub}
diff --git a/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/pre.sh b/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/pre.sh
index e4a1e8a3..49b86651 100755
--- a/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/pre.sh
+++ b/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/pre.sh
@@ -9,7 +9,7 @@ if [ "$cryptboot" != "" ] && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "n
 fi
-cat /custom-installation/ssh/*.rootpubkey > /root/.ssh/authorized_keys
+cat /custom-installation/ssh/*pubkey > /root/.ssh/authorized_keys
 nodename=$(grep ^NODENAME: /custom-installation/confluent/confluent.info|awk '{print $2}')
 apikey=$(cat /custom-installation/confluent/confluent.apikey)
 for pubkey in /etc/ssh/ssh_host*key.pub; do
diff --git a/confluent_server/confluent/sshutil.py b/confluent_server/confluent/sshutil.py
index 9002009b..c77f08f1 100644
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
@@ -77,6 +77,8 @@ def initialize_ca():
 def prep_ssh_key(keyname):
 assure_agent()
+ if keyname in ready_keys:
+ return
 tmpdir = tempfile.mkdtemp()
 try:
 askpass = os.path.join(tmpdir, 'askpass.sh')
@@ -89,15 +91,15 @@ def prep_ssh_key(keyname):
 with open(os.devnull, 'wb') as devnull:
 subprocess.check_call(['ssh-add', keyname], stdin=devnull)
 del os.environ['CONFLUENT_SSH_PASSPHRASE']
+ ready_keys[keyname] = 1
 finally:
 shutil.rmtree(tmpdir)
 def sign_host_key(pubkey, nodename, principals=()):
 tmpdir = tempfile.mkdtemp()
 try:
- if 'ca.pub' not in ready_keys:
- prep_ssh_key('/etc/confluent/ssh/ca')
- ready_keys['ca.pub'] = 1
+ prep_ssh_key('/etc/confluent/ssh/ca')
+ ready_keys['ca.pub'] = 1
 pkeyname = os.path.join(tmpdir, 'hostkey.pub')
 with open(pkeyname, 'wb') as pubfile:
 pubfile.write(pubkey)
diff --git a/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh b/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
index 59ce44eb..57da9311 100644
--- a/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
+++ b/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
@@ -15,7 +15,7 @@ fi
 sed -i "s!root:[^:]*:!root:$rootpw:!" /sysroot/etc/shadow
 mkdir -p /sysroot/root/.ssh
 chmod 700 /sysroot/root/.ssh
-cat /ssh/*.rootpubkey > /sysroot/root/.ssh/authorized_keys
+cat /ssh/*pubkey > /sysroot/root/.ssh/authorized_keys
 chmod 600 /sysroot/root/.ssh/authorized_keys
 mkdir -p /sysroot/etc/ssh/
 for i in /ssh/*.ca; do
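Review bot: The early return added after `assure_agent()` turns `ready_keys` into a cache with no invalidation: once a keyname is recorded the key is never re-added, even if the agent that held it has since been replaced (assure_agent is outside the hunk, so whether it can start a fresh agent is not visible here). If it can, signing fails silently until the server process restarts; clearing `ready_keys` whenever a new agent is started, or confirming with `ssh-add -l` before returning, keeps the cache honest. The check is also not atomic with the add, so if prep_ssh_key can be entered concurrently two callers may both reach `ssh-add`, and the `del os.environ['CONFLUENT_SSH_PASSPHRASE']` in the second hunk would raise KeyError for whichever finishes last. prep_ssh_key continues past the first hunk.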
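Review bot: `ready_keys['ca.pub'] = 1` on the new side of the second hunk is now redundant and misleading: prep_ssh_key records readiness under the keyname `/etc/confluent/ssh/ca` itself, and nothing in this diff reads the `'ca.pub'` entry any more, so the dict carries two naming conventions for the same key. Dropping that line and keeping only `prep_ssh_key('/etc/confluent/ssh/ca')` leaves the cache keyed one way. sign_host_key continues outside the hunk.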