Modify adoption process:

Restore useinsecureprotocols if set directly on node

Switch from pxe-style to identity-file based node api token for hardened node authentication

misc/adoptnode.sh

@@ -9,9 +9,13 @@ if [ -z "$TARGPROF" ]; then
 	echo "Target profile must be specified"
 	exit 1
 fi
-OLDINSECURE=$(nodeattrib TARGNODE deployment.useinsecureprotocols -b 2> /dev/null |grep -v inherited|awk '{print $3}')
-nodeattrib $TARGNODE deployment.useinsecureprotocols
-nodedefine $TARGNODE deployment.apiarmed=once deployment.profile=$TARGPROF deployment.useinsecureprotocols= deployment.pendingprofile=$TARGPROF
+OLDINSECURE=$(nodeattrib $TARGNODE deployment.useinsecureprotocols -b 2> /dev/null |grep -v inherited|awk '{print $3}')
+nodedefine $TARGNODE deployment.profile=$TARGPROF deployment.useinsecureprotocols= deployment.pendingprofile=$TARGPROF
+confetty set /nodes/$TARGNODE/deployment/ident_image=create
+REMTMP=$(ssh $TARGNODE $(mktemp -d))
+scp /var/lib/confluent/private/identity_files/$TARGNODE.json $TARGNODE:$REMTMP
+rm /var/lib/confluent/private/identity_files/$TARGNODE.*
+rm /var/lib/confluent/private/identity_images/$TARGNODE.*
 cat /var/lib/confluent/public/site/ssh/*pubkey | ssh $TARGNODE "mkdir -p /root/.ssh/; cat - >> /root/.ssh/authorized_keys"
 ssh $TARGNODE mkdir -p /etc/confluent /opt/confluent/bin
 cat /var/lib/confluent/public/site/tls/*.pem | ssh $TARGNODE "cat - >> /etc/confluent/ca.pem"
@@ -19,7 +23,7 @@ cat /var/lib/confluent/public/site/tls/*.pem | ssh $TARGNODE "cat - >> /etc/pki/
 nodeattrib $TARGNODE id.uuid=$(ssh $TARGNODE cat /sys/devices/virtual/dmi/id/product_uuid)
 scp prepadopt.sh $TARGNODE:/tmp/
 scp finalizeadopt.sh $TARGNODE:/tmp/
-ssh $TARGNODE bash /tmp/prepadopt.sh $TARGNODE $TARGPROF
+ssh $TARGNODE bash /tmp/prepadopt.sh $TARGNODE $TARGPROF $REMTMP/$TARGNODE.json
 nodeattrib $TARGNODE deployment.pendingprofile=
 nodeattrib $TARGNODE -c deployment.useinsecureprotocols
 if [ ! -z "$OLDINSECURE" ]; then

misc/prepadopt.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 TARGNODE=$1
 TARGPROF=$2
+TARGIDENT=$3
 TMPDIR=$(mktemp -d)
 cd $TMPDIR
 DEPLOYSRV=$(echo $SSH_CLIENT|awk '{print $1}')
@@ -16,10 +17,12 @@ cpio -dumi < addons.cpio
 systemctl status firewalld >& /dev/null && FWACTIVE=1
 if [ "$FWACTIVE" == 1 ]; then systemctl stop firewalld; fi
 opt/confluent/bin/copernicus  > /etc/confluent/confluent.info
-opt/confluent/bin/clortho $TARGNODE $DEPLOYSRV > /etc/confluent/confluent.apikey
+#opt/confluent/bin/clortho $TARGNODE $DEPLOYSRV > /etc/confluent/confluent.apikey
+. /etc/confluent/functions
+confluentpython opt/confluent/bin/apiclient -i $TAGRIDENT /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
 if [ "$FWACTIVE" == 1 ]; then systemctl start firewalld; fi
 cp opt/confluent/bin/apiclient /opt/confluent/bin
-curl -sg -H "CONFLUENT_APIKEY: $(cat /etc/confluent/confluent.apikey)" -H "CONFLUENT_NODENAME: $TARGNODE" https://$UDEPLOYSRV/confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
+#curl -sg -H "CONFLUENT_APIKEY: $(cat /etc/confluent/confluent.apikey)" -H "CONFLUENT_NODENAME: $TARGNODE" https://$UDEPLOYSRV/confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
 # python3 /opt/confluent/bin/apiclient /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
 cd -
 echo rm -rf $TMPDIR