Support multi-master

Read an optional configuration file to accept keys on a secondary
master.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
This commit is contained in:
Georg Pfuetzenreuter 2023-06-01 14:40:08 +02:00
parent a2dc671441
commit 0b644b6f7b
Signed by: Georg
GPG Key ID: 1ED2F138E7E6FF57

View File

@ -12,9 +12,12 @@
set -Ceu set -Ceu
config='/etc/salt-scriptconfig'
partner='null'
minion="${1:-null}" minion="${1:-null}"
key_user="${2:-null}" key_user="${2:-null}"
NOCOLOR="$(tput sgr0)" NOCOLOR="$(tput sgr0)"
exco=0
if ! command -v jq >/dev/null || ! command -v salt-key >/dev/null if ! command -v jq >/dev/null || ! command -v salt-key >/dev/null
then then
@ -22,6 +25,16 @@ then
exit 1 exit 1
fi fi
if [ -f "$config" ]
then
# shellcheck source=/dev/null
. "$config"
if [ ! "$partner" = 'null' ]
then
ssh_key="${ssh_key:?Configuration option 'partner' requires 'ssh_key'}"
fi
fi
if [ "$minion" = 'null' ] if [ "$minion" = 'null' ]
then then
printf 'Please specify the minion to diff against.\n' printf 'Please specify the minion to diff against.\n'
@ -36,8 +49,20 @@ then
exit 2 exit 2
fi fi
if [ ! "$partner" = 'null' ]
then
key_salt_remote="$(ssh -qi "$ssh_key" "$partner" salt-key --out json -f "$minion" | jq --arg minion "$minion" -r '.minions_pre[$minion]')"
if [ ! "$key_salt" = "$key_salt_remote" ]
then
printf 'Local and remote keys do not match, bailing out.\n'
exit 2
fi
fi
if [ "$key_user" = 'null' ] if [ "$key_user" = 'null' ]
then then
# shellcheck disable=SC2016
printf 'Enter fingerprint to diff against (run `salt-call --local key.finger` on the minion)\n' printf 'Enter fingerprint to diff against (run `salt-call --local key.finger` on the minion)\n'
read -r key_user read -r key_user
fi fi
@ -46,10 +71,37 @@ if [ "$key_salt" = "$key_user" ]
then then
GREEN="$(tput setaf 2)" GREEN="$(tput setaf 2)"
printf '%sMatches%s\n' "$GREEN" "$NOCOLOR" printf '%sMatches%s\n' "$GREEN" "$NOCOLOR"
salt-key --out=yaml -a "$minion" printf 'Accept? (y/n)\n'
read -r answer
if [ "$answer" = 'y' ]
then
if salt-key --out=quiet -yqa "$minion" >/dev/null
then
printf 'Accepted on local master\n'
else
printf 'Failed to accept key on local master\n'
exco=1
fi
if [ ! "$partner" = 'null' ]
then
if ssh -qi "$ssh_key" "$partner" salt-key --out=quiet -yqa "$minion" >/dev/null
then
printf 'Accepted on remote master\n'
else
printf 'Failed to accept key on remote master\n'
exco=1
fi
fi
else
printf 'Bye\n'
exco=2
fi
elif [ ! "$key_salt" = "$key_user" ] elif [ ! "$key_salt" = "$key_user" ]
then then
RED="$(tput setaf 1)" RED="$(tput setaf 1)"
printf '%sMismatch%s\n' "$RED" "$NOCOLOR" printf '%sMismatch%s\n' "$RED" "$NOCOLOR"
exit 2 exco=2
fi fi
exit "$exco"