
Pull in the automation key into default profiles

This commit is contained in:
Jarrod Johnson 2021-03-09 15:45:40 -05:00
parent a26624a614
commit e38dbc4470
9 changed files with 14 additions and 11 deletions


@ -12,7 +12,7 @@ sed -i 's/install::/install:*:/' /sysroot/etc/shadow
sed -i 's/root::/root:*:/' /sysroot/etc/shadow
mkdir -p /sysroot/root/.ssh
#chmod 700 /sysroot/root/.ssh
cat /ssh/*.rootpubkey > /sysroot/root/.ssh/authorized_keys
cat /ssh/*pubkey > /sysroot/root/.ssh/authorized_keys
#chmod 600 /sysroot/root/.ssh/authorized_keys
mkdir -p /sysroot/etc/ssh/
for i in /ssh/*.ca; do
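Review bot: The new `cat /ssh/*pubkey > /sysroot/root/.ssh/authorized_keys` makes the set of keys allowed to log in as root depend only on a filename suffix: every file in /ssh whose name ends in `pubkey` is now trusted, not just the `.rootpubkey` files plus the automation key the commit is meant to add. If one extra key type is intended, naming the suffixes explicitly, `cat /ssh/*.rootpubkey /ssh/<AUTOMATION-KEY-SUFFIX> > /sysroot/root/.ssh/authorized_keys` (placeholder to be replaced with the automation key's real filename), keeps the grant narrow. Note also that when nothing matches, the glob stays literal, `cat` fails, and the redirect has already truncated authorized_keys, so a missing key directory leaves root with an empty authorized_keys and only cat's stderr message as a sign. The same `*pubkey` line appears in the sections below at @ -13,7, @ -35,7, the second @ -12,7, @ -16,7, @ -9,7 and @ -15,7, and the same remark applies to each of them.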


@ -13,7 +13,7 @@ sed -i 's/install::/install:*:/' /sysroot/etc/shadow
sed -i 's/root::/root:*:/' /sysroot/etc/shadow
mkdir -p /sysroot/root/.ssh
chmod 700 /sysroot/root/.ssh
cat /ssh/*.rootpubkey > /sysroot/root/.ssh/authorized_keys
cat /ssh/*pubkey > /sysroot/root/.ssh/authorized_keys
chmod 600 /sysroot/root/.ssh/authorized_keys
mkdir -p /sysroot/etc/ssh/
for i in /ssh/*.ca; do


@ -35,7 +35,7 @@ PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
EOF
mkdir ~/.ssh
cat /ssh/*.rootpubkey > ~/.ssh/authorized_keys
cat /ssh/*pubkey > ~/.ssh/authorized_keys 2>/dev/null
cat /tls/*.pem > /etc/confluent/ca.pem
mkdir -p /etc/pki/tls/certs
cat /tls/*.pem > /etc/pki/tls/certs/ca-bundle.crt
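Review bot: The `2>/dev/null` added to `cat /ssh/*pubkey > ~/.ssh/authorized_keys` discards the only indication that no key file matched: with an unmatched glob `cat` receives the literal pattern and fails, but the redirect has already truncated `~/.ssh/authorized_keys`, so root ends up with no authorized keys and no diagnostic at all. Whether the script runs under `set -e` cannot be seen from this hunk, but the failure is non-fatal either way when its stderr is dropped. A form that tolerates a missing key without hiding other errors is `for k in /ssh/*pubkey; do [ -e "$k" ] && cat -- "$k"; done > ~/.ssh/authorized_keys`. The section at @ -16,7 below adds the same `2>/dev/null` and has the same issue.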


@ -12,7 +12,7 @@ sed -i 's/install::/install:*:/' /sysroot/etc/shadow
sed -i 's/root::/root:*:/' /sysroot/etc/shadow
mkdir -p /sysroot/root/.ssh
#chmod 700 /sysroot/root/.ssh
cat /ssh/*.rootpubkey > /sysroot/root/.ssh/authorized_keys
cat /ssh/*pubkey > /sysroot/root/.ssh/authorized_keys
#chmod 600 /sysroot/root/.ssh/authorized_keys
mkdir -p /sysroot/etc/ssh/
for i in /ssh/*.ca; do


@ -1,7 +1,7 @@
#!/bin/bash
echo "Installing certificates"
echo '<authorized_keys xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns" config:type="list">' > /tmp/rootkeys.xml
for pub in /ssh/*.rootpubkey; do
for pub in /ssh/*pubkey; do
echo '<listentry>'$(cat $pub)'</listentry>' >> /tmp/rootkeys.xml
done
echo '</authorized_keys>' >> /tmp/rootkeys.xml
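Review bot: `echo '<listentry>'$(cat $pub)'</listentry>' >> /tmp/rootkeys.xml` inserts the key file's contents into XML without escaping, and both `$pub` and the command substitution are unquoted, so a key comment containing `&`, `<` or shell metacharacters yields a malformed or altered listentry — more likely now that the loop covers every `*pubkey` file rather than only `.rootpubkey`. The quoting part is a one-line change, `printf '<listentry>%s</listentry>\n' "$(cat -- "$pub")" >> /tmp/rootkeys.xml`; escaping `&`, `<` and `>` still needs a sed pass over the key text before it is written. When no file matches, the loop also runs once with the literal pattern and writes an empty listentry plus a cat error, which `[ -e "$pub" ] || continue` as the first line of the loop body avoids.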


@ -16,7 +16,8 @@ if [ "$cryptboot" != "" ] && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "n
fi
mkdir ~/.ssh
cat /ssh/*.rootpubkey > ~/.ssh/authorized_keys
cat /ssh/*pubkey > ~/.ssh/authorized_keys 2>/dev/null
ssh-keygen -A
for i in /etc/ssh/ssh_host*key.pub; do
certname=${i/.pub/-cert.pub}


@ -9,7 +9,7 @@ if [ "$cryptboot" != "" ] && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "n
fi
cat /custom-installation/ssh/*.rootpubkey > /root/.ssh/authorized_keys
cat /custom-installation/ssh/*pubkey > /root/.ssh/authorized_keys
nodename=$(grep ^NODENAME: /custom-installation/confluent/confluent.info|awk '{print $2}')
apikey=$(cat /custom-installation/confluent/confluent.apikey)
for pubkey in /etc/ssh/ssh_host*key.pub; do


@ -77,6 +77,8 @@ def initialize_ca():
def prep_ssh_key(keyname):
assure_agent()
if keyname in ready_keys:
return
tmpdir = tempfile.mkdtemp()
try:
askpass = os.path.join(tmpdir, 'askpass.sh')
@ -89,15 +91,15 @@ def prep_ssh_key(keyname):
with open(os.devnull, 'wb') as devnull:
subprocess.check_call(['ssh-add', keyname], stdin=devnull)
del os.environ['CONFLUENT_SSH_PASSPHRASE']
ready_keys[keyname] = 1
finally:
shutil.rmtree(tmpdir)
def sign_host_key(pubkey, nodename, principals=()):
tmpdir = tempfile.mkdtemp()
try:
if 'ca.pub' not in ready_keys:
prep_ssh_key('/etc/confluent/ssh/ca')
ready_keys['ca.pub'] = 1
prep_ssh_key('/etc/confluent/ssh/ca')
ready_keys['ca.pub'] = 1
pkeyname = os.path.join(tmpdir, 'hostkey.pub')
with open(pkeyname, 'wb') as pubfile:
pubfile.write(pubkey)
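Review bot: In prep_ssh_key, `del os.environ['CONFLUENT_SSH_PASSPHRASE']` runs only after `subprocess.check_call(['ssh-add', keyname], stdin=devnull)` succeeds; if ssh-add raises, the `finally` removes tmpdir but leaves the passphrase in the process environment, where every later child process inherits it, and the new `if keyname in ready_keys: return` does not change that since `ready_keys[keyname] = 1` is also skipped on failure. Moving the cleanup into the finally block as `os.environ.pop('CONFLUENT_SSH_PASSPHRASE', None)` next to `shutil.rmtree(tmpdir)` bounds the exposure to the ssh-add call itself. The second hunk starts in the middle of prep_ssh_key and the line that sets the variable is outside it, so this is inferred from the visible tail of the function. In sign_host_key the rendered page does not show which of the two `prep_ssh_key('/etc/confluent/ssh/ca')` / `ready_keys['ca.pub'] = 1` pairs is old and which is new; if the `if 'ca.pub' not in ready_keys:` guard is the one being dropped in favour of prep_ssh_key's own check, the remaining `ready_keys['ca.pub'] = 1` is redundant and could go too.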


@ -15,7 +15,7 @@ fi
sed -i "s!root:[^:]*:!root:$rootpw:!" /sysroot/etc/shadow
mkdir -p /sysroot/root/.ssh
chmod 700 /sysroot/root/.ssh
cat /ssh/*.rootpubkey > /sysroot/root/.ssh/authorized_keys
cat /ssh/*pubkey > /sysroot/root/.ssh/authorized_keys
chmod 600 /sysroot/root/.ssh/authorized_keys
mkdir -p /sysroot/etc/ssh/
for i in /ssh/*.ca; do