From c87e465a01dd7c3425a57c1bd4dc227afbaabd40 Mon Sep 17 00:00:00 2001
From: Li Zhou <li.zhou@windriver.com>
Date: Mon, 6 Feb 2023 16:57:01 +0800
Subject: [PATCH] tools: add command 'stx control keys-add'

From https://review.opendev.org/c/starlingx/root/+/868920,
build process for signed image is as below:
(1) Prepare keys on dockers and signing server to setup access
to signing server without password:
Use "ssh-keygen -t rsa" to create a ssh key pair, e.g.
    id_rsa.pub and id_rsa.
Prepare on lat docker (default user is root):
    mkdir ~/.ssh
    copy id_rsa to ~/.ssh directory
Prepare on builder docker:
    mkdir ~/.ssh
    copy id_rsa to ~/.ssh directory
    sudo mkdir /root/.ssh
    sudo copy id_rsa to /root/.ssh directory
Prepare on signing server:
    append id_rsa.pub to the file on signing server:
    /home/${signing_user}/.ssh/authorized_keys

(2) Run on builder docker:
export SIGNING_SERVER="signing_user@signing_server_ip"
<PATH>/sign-secure-boot_debian
build-image

The <PATH> is:
/localdisk/designer/${USER}/stx/cgcs-root/build-tools

An extension to the 'stx' tool to inject keys into the
relevant containers is added as
'stx control keys-add --key-type=signing-server --key=[key file]'
which can replace all the work on dockers in (1).

Test plan:
 - PASS: run 'stx control keys-add --key-type=signing-server --key=[key
         file]' after containers start up,
         and check the keys mentioned above are right in containers.
 - PASS: run the complete build process as below and get a bootable iso
         with secure boot enabled:
         stx control keys-add --key-type=signing-server --key=[key file]
         stx shell
         export SIGNING_SERVER="signing_user@signing_server_ip"
         <PATH>/sign-secure-boot_debian
         build-image

Story: 2009221
Task: 47097

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Id84c5d96b8565a7c7d8da018730f2591d86e2d24
---
 stx/lib/stx/stx_control.py | 67 ++++++++++++++++++++++++++++++++++++++
 stx/lib/stx/stx_main.py    | 16 +++++++--
 2 files changed, 80 insertions(+), 3 deletions(-)

diff --git a/stx/lib/stx/stx_control.py b/stx/lib/stx/stx_control.py
index c5a755239..a5b9cb261 100644
--- a/stx/lib/stx/stx_control.py
+++ b/stx/lib/stx/stx_control.py
@@ -267,6 +267,70 @@ stx-pkgbuilder/configmap/')
     def handleEnterTask(self, args):
         self.shell.cmd_control_enter(args)
 
+    def run_pod_cmd(self, podname, maincmd, remotecmd):
+        # Run command on pod in this format: kubectl+maincmd+podname+remotecmd
+        cmd = self.config.kubectl() + maincmd + podname + remotecmd
+        self.logger.info('run pod cmd: %s', cmd)
+        subprocess.call(cmd, shell=True)
+
+    def add_keys_for_signing_server(self, args):
+        self.logger.info('Prepare keys for accessing signing server!')
+        buildername = 'builder'
+        latname = 'lat'
+        username = getpass.getuser()
+        if not args.key:
+            args.key = '~/.ssh/id_rsa'
+        if not os.path.exists(os.path.expanduser(args.key)):
+            self.logger.error("The key file doesn't exist!")
+            sys.exit(1)
+
+        pod_name = self.k8s.get_pod_name(buildername)
+        if pod_name:
+            # Prepare and run commands:
+            #  kubectl exec -ti [pod_name_builder] -- mkdir /home/[user_name]/.ssh
+            #  kubectl exec -ti [pod_name_builder] -- mkdir /root/.ssh
+            #  kubectl cp [key] [pod_name_builder]:/home/[user_name]/.ssh
+            #  kubectl cp [key] [pod_name_builder]:/root/.ssh
+            main_cmd = ' exec -ti '
+            remote_cmd = ' -- mkdir /home/' + username + '/.ssh'
+            self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
+            remote_cmd = ' -- mkdir /root/.ssh'
+            self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
+            main_cmd = ' cp ' + args.key + ' '
+            remote_cmd = ':/home/' + username + '/.ssh'
+            self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
+            remote_cmd = ':/root/.ssh'
+            self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
+        else:
+            self.logger.error('Failed to prepare for signing builds because \
+no builder container is available!')
+            sys.exit(1)
+
+        pod_name = self.k8s.get_pod_name(latname)
+        if pod_name:
+            # Prepare and run commands:
+            #  kubectl exec -ti [pod_name_lat] -- mkdir /root/.ssh
+            #  kubectl cp [key] [pod_name_lat]:/root/.ssh
+            main_cmd = ' exec -ti '
+            remote_cmd = ' -- mkdir /root/.ssh'
+            self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
+            main_cmd = ' cp ' + args.key + ' '
+            remote_cmd = ':/root/.ssh'
+            self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
+        else:
+            self.logger.error('Failed to prepare for signing builds because \
+no lat container is available!')
+            sys.exit(1)
+
+    def handleKeysTask(self, args):
+        if not args.key_type:
+            args.key_type = 'signing-server'
+        if args.key_type == 'signing-server':
+            self.add_keys_for_signing_server(args)
+        else:
+            self.logger.error('Unsupported key-type!')
+            sys.exit(1)
+
     def handleControl(self, args):
 
         self.logger.setLevel(args.loglevel)
@@ -286,6 +350,9 @@ stx-pkgbuilder/configmap/')
         elif args.ctl_task == 'enter':
             self.handleEnterTask(args)
 
+        elif args.ctl_task == 'keys-add':
+            self.handleKeysTask(args)
+
         elif args.ctl_task == 'status':
             self.k8s.get_helm_info()
             self.k8s.get_deployment_info()
diff --git a/stx/lib/stx/stx_main.py b/stx/lib/stx/stx_main.py
index 2f0ffcd75..9b25946f4 100644
--- a/stx/lib/stx/stx_main.py
+++ b/stx/lib/stx/stx_main.py
@@ -56,11 +56,12 @@ Use %(prog)s --help to get help for all of parameters\n\n''')
 
         control_subparser = subparsers.add_parser('control',
                                                   help='Execute the control \
-task.\t\teg: [start|enter|stop|status|upgrade]')
+task.\t\teg: [start|enter|stop|status|upgrade|keys-add]')
         control_subparser.add_argument('ctl_task',
                                        help='[ start|stop|enter|status|upgrade\
-                                       ]: Create or Stop or Enter or List or \
-                                       Upgrade the stx-builder/obs/lat/pulp \
+                                       |keys-add ]: Create or Stop or Enter or \
+                                       List or Upgrade or Add keys on \
+                                       the stx-builder/obs/lat/pulp \
                                        containers.\n\n')
         control_subparser.add_argument('--dockername',
                                        help='[ builder|pkgbuilder|repomgr|' +
@@ -68,6 +69,15 @@ task.\t\teg: [start|enter|stop|status|upgrade]')
                                        'container name to enter, ' +
                                        'default: builder\n\n',
                                        required=False)
+        control_subparser.add_argument('--key-type',
+                                       help='[ signing-server ]: ' +
+                                       'key-type name to enter, ' +
+                                       'default: signing-server\n\n',
+                                       required=False)
+        control_subparser.add_argument('--key',
+                                       help='key file to enter, ' +
+                                       'default: ~/.ssh/id_rsa\n\n',
+                                       required=False)
         control_subparser.set_defaults(handle=self.handlecontrol.handleControl)
 
         config_subparser = subparsers.add_parser('config',