From 4f75d4942bc012982e1be67578d38b9f2881ba51 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 20 Nov 2025 16:05:22 -0500
Subject: [PATCH] Modify adoption process: Restore useinsecureprotocols if set directly on node Switch from pxe-style to identity-file based node api token for hardened node authentication
---
 misc/adoptnode.sh | 12 ++++++++----
 misc/prepadopt.sh | 7 +++++--
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/misc/adoptnode.sh b/misc/adoptnode.sh
index 5d74d521..887ddf4b 100755
--- a/misc/adoptnode.sh
+++ b/misc/adoptnode.sh
@@ -9,9 +9,13 @@ if [ -z "$TARGPROF" ]; then
     echo "Target profile must be specified"
     exit 1
 fi
-OLDINSECURE=$(nodeattrib TARGNODE deployment.useinsecureprotocols -b 2> /dev/null |grep -v inherited|awk '{print $3}')
-nodeattrib $TARGNODE deployment.useinsecureprotocols
-nodedefine $TARGNODE deployment.apiarmed=once deployment.profile=$TARGPROF deployment.useinsecureprotocols= deployment.pendingprofile=$TARGPROF
+OLDINSECURE=$(nodeattrib $TARGNODE deployment.useinsecureprotocols -b 2> /dev/null |grep -v inherited|awk '{print $3}')
+nodedefine $TARGNODE deployment.profile=$TARGPROF deployment.useinsecureprotocols= deployment.pendingprofile=$TARGPROF
+confetty set /nodes/$TARGNODE/deployment/ident_image=create
+REMTMP=$(ssh $TARGNODE $(mktemp -d))
+scp /var/lib/confluent/private/identity_files/$TARGNODE.json $TARGNODE:$REMTMP
+rm /var/lib/confluent/private/identity_files/$TARGNODE.*
+rm /var/lib/confluent/private/identity_images/$TARGNODE.*
 cat /var/lib/confluent/public/site/ssh/*pubkey | ssh $TARGNODE "mkdir -p /root/.ssh/; cat - >> /root/.ssh/authorized_keys"
 ssh $TARGNODE mkdir -p /etc/confluent /opt/confluent/bin
 cat /var/lib/confluent/public/site/tls/*.pem | ssh $TARGNODE "cat - >> /etc/confluent/ca.pem"
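Review bot: `REMTMP=$(ssh $TARGNODE $(mktemp -d))` runs mktemp on the deployment server rather than on the node: the inner substitution creates a local directory and hands its path to ssh as the command to run remotely, which fails, so REMTMP ends up empty and a stray local temp directory is left behind. With REMTMP empty, the following scp drops the identity file into root's home on the node and the prepadopt call in the next hunk receives `/$TARGNODE.json` as its third argument. The intended form is `REMTMP=$(ssh $TARGNODE mktemp -d)`. The two `rm` lines then delete the server-side copy of the private identity material whether or not the scp succeeded; guarding the transfer, e.g. `scp /var/lib/confluent/private/identity_files/$TARGNODE.json $TARGNODE:$REMTMP || exit 1`, keeps a failed copy from leaving the node with no token at all.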
@@ -19,7 +23,7 @@ cat /var/lib/confluent/public/site/tls/*.pem | ssh $TARGNODE "cat - >> /etc/pki/
 nodeattrib $TARGNODE id.uuid=$(ssh $TARGNODE cat /sys/devices/virtual/dmi/id/product_uuid)
 scp prepadopt.sh $TARGNODE:/tmp/
 scp finalizeadopt.sh $TARGNODE:/tmp/
-ssh $TARGNODE bash /tmp/prepadopt.sh $TARGNODE $TARGPROF
+ssh $TARGNODE bash /tmp/prepadopt.sh $TARGNODE $TARGPROF $REMTMP/$TARGNODE.json
 nodeattrib $TARGNODE deployment.pendingprofile=
 nodeattrib $TARGNODE -c deployment.useinsecureprotocols
 if [ ! -z "$OLDINSECURE" ]; then
diff --git a/misc/prepadopt.sh b/misc/prepadopt.sh
index b47602d8..19046d3e 100644
--- a/misc/prepadopt.sh
+++ b/misc/prepadopt.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 TARGNODE=$1
 TARGPROF=$2
+TARGIDENT=$3
 TMPDIR=$(mktemp -d)
 cd $TMPDIR
 DEPLOYSRV=$(echo $SSH_CLIENT|awk '{print $1}')
@@ -16,10 +17,12 @@ cpio -dumi < addons.cpio
 systemctl status firewalld >& /dev/null && FWACTIVE=1
 if [ "$FWACTIVE" == 1 ]; then systemctl stop firewalld; fi
 opt/confluent/bin/copernicus > /etc/confluent/confluent.info
-opt/confluent/bin/clortho $TARGNODE $DEPLOYSRV > /etc/confluent/confluent.apikey
+#opt/confluent/bin/clortho $TARGNODE $DEPLOYSRV > /etc/confluent/confluent.apikey
+. /etc/confluent/functions
+confluentpython opt/confluent/bin/apiclient -i $TAGRIDENT /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
 if [ "$FWACTIVE" == 1 ]; then systemctl start firewalld; fi
 cp opt/confluent/bin/apiclient /opt/confluent/bin
-curl -sg -H "CONFLUENT_APIKEY: $(cat /etc/confluent/confluent.apikey)" -H "CONFLUENT_NODENAME: $TARGNODE" https://$UDEPLOYSRV/confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
+#curl -sg -H "CONFLUENT_APIKEY: $(cat /etc/confluent/confluent.apikey)" -H "CONFLUENT_NODENAME: $TARGNODE" https://$UDEPLOYSRV/confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
 # python3 /opt/confluent/bin/apiclient /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
 cd -
 echo rm -rf $TMPDIR
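Review bot: The identity file copied into `$REMTMP` on the node is never removed after `ssh $TARGNODE bash /tmp/prepadopt.sh $TARGNODE $TARGPROF $REMTMP/$TARGNODE.json` returns, so the private token stays in a temp directory on the adopted node for as long as that directory survives. Unless apiclient consumes or relocates the file (not visible in this patch), a cleanup step such as `ssh $TARGNODE rm -rf -- "${REMTMP:?}"` after the prepadopt call would remove it; the `:?` guard matters because REMTMP is empty whenever the remote mktemp did not produce a path, and an unguarded `rm -rf -- /` must not be reachable from this script.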
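Review bot: `TARGIDENT=$3` is accepted without any check that the path exists, while the calling adoptnode.sh validates its own arguments (the `if [ -z "$TARGPROF" ]` block in its hunk header); an empty or wrong path here only surfaces later as an unexplained apiclient failure. A guard directly after the assignment, `[ -f "$TARGIDENT" ] || { echo "identity file not found: $TARGIDENT" >&2; exit 1; }`, makes the script fail early with a clear message.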
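Review bot: `-i $TAGRIDENT` misspells the variable assigned as `TARGIDENT` in the previous hunk, so it expands to nothing and `-i` swallows `/confluent-api/self/deploycfg2` as its argument, leaving apiclient with neither an identity file nor a request path; the line should read `confluentpython opt/confluent/bin/apiclient -i $TARGIDENT /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg`. `. /etc/confluent/functions` presumably depends on a file unpacked from addons.cpio above (outside this hunk); with no `set -e` in this script a missing file only prints an error and execution continues into an undefined `confluentpython`. The superseded `clortho` and `curl` lines are kept as comments rather than deleted, which leaves the script describing two authentication flows; removing them with the api-key path is cleaner. Once apiclient has read the identity file, deleting it with `rm -f -- "$TARGIDENT"` keeps the token out of the node's temp directory unless apiclient itself relocates it (not visible here).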