Change a cluster's additional trust bundle

# Main change

Support changing a cluster's additional trust bundle. Changes all
locations where the additional trust bundle is stored in.

If an existing trust bundle is not found, this will cause an error, as
creating the relevant resources is beyond the scope of this tool.

The trust bundle's validity will not be checked. When using a
RECERT_CONFIG file, raw PEMS can be used instead of a path to a trust
bundle file.

When using this feature it is recommended to also run the
`update-ca-trust` script after running recert to ensure that the trust
bundle is properly updated in all locations.

# Other changes

* Created `./hack/` directory to store some certs used during `./run_seed.sh`

* Deprecated --static-files and --static-dirs, which were used for both
  recert and rename. Now `--crypto-dir` and `--crypto-file` will be
  used for recert while `--cluster-customization-dir` and
  `--cluster-customization-file` will be used for rename (aka cluster
  customization). This was needed because /etc/pki is full of certs we
  discover and fail to process during recert, but we do need to process /etc/pki for
  editing the additional trust bundle cluster customization. Using
  `--additional-trust-bundle` along with `--static-*` will cause an
  error. The old behavior for `--static-files` and `--static-dirs` is
  maintained for backwards compatibility, but they cannot be used along with the new flags.

* Made ConfigPath a less leaky abstraction for ClioPath and moved its
  relevant code to its own module `path` (under `config`)

* Renamed many `cli_parse` functions to `parse` as those functions were
  used outside of CLI parsing as well (during config file parsing)

* Refactored config parsing into topical functions because that
  functions was getting a bit too long

hack/dummy_trust_bundle.pem

@@ -0,0 +1,48 @@
+# Foo
+-----BEGIN CERTIFICATE-----
+MIIDZTCCAk2gAwIBAgIUP+AxIkXJXTEhNGLH2qjmE6Gp0fowDQYJKoZIhvcNAQEL
+BQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
+CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNDAzMDExMDIyNTlaFw0yNTAzMDEx
+MDIyNTlaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
+BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC0wzg+7X2Amb5g60g0TstLgC0XnJRZq/YZUUsJMmm3qMb/+GYJ
+AJzHxiycUfbRJtYvjx0SBmAX/kDRVCEQKcN5d/y3zeq709YO40kvouScfstsxM8l
+PFLOmM8/Dqey1WblSJERBLbLherDnMwR7EMXkyZ/AfHUXmhVoIZE9ywsZpNcVW6Z
+7x/+Izbj1s305vrxEkZDw6b3oMG5uooQgP5NZFXSamzJgviP0L/usvbRMtAWphoj
+WhMeNuOdymLwRzm2l+2Qp/JDWktgHccmrbbi1c6pwhsIJBj4KOyb9zROTnYXyS/j
+0b7GzVcffveV6E58rGa2ILyIsCv6gt8LgFnxAgMBAAGjUzBRMB0GA1UdDgQWBBQ5
+nh0SeZxZ969ps+9ywPEoOVasxTAfBgNVHSMEGDAWgBQ5nh0SeZxZ969ps+9ywPEo
+OVasxTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAWxsqfdm8h
+AeNY8vPcRdtB9KYU5sZLs4NtlBFSdn+pHmeXZwwkjQDNhVcEMKdpZI4BpS11Ggwh
+1d3BCCC/5M6yVqm+EMKJvA9VCeM8d1WJ1yVyXcgGuegf8kr3v+lr7Ll59qZGP5Ir
+WwE8WRns7uFOCqYJCxo1VFXitZZuIugr3NUSimBPoJf1hDYdye3K3Q+grF2GyNII
+5Yo+/VSR4ejIvJYAFp91Ycep7S0/+qhFpsjEG0Qw3Ly6WqQoCqdmIsyqFgWHsIlY
+oJxV5wTX/c9DDZLR0VUD19aDV3B9kb7Cf+h7S4RsORWCyi7+58FKkkD6Ryc0I1K6
+xw3RWhfd9o1d
+-----END CERTIFICATE-----
+
+
+
+# All
+# the Bars
+-----BEGIN CERTIFICATE-----
+MIIDZTCCAk2gAwIBAgIULnisjJLte3Vvt4o1f+5vSQg542cwDQYJKoZIhvcNAQEL
+BQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
+CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNDAzMDExMDI1MDFaFw0yNTAzMDEx
+MDI1MDFaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
+BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC2dhK7xTnoTB3wN1l3NsLTp5YR0KFfBTjMcDgSzUy/GN79c2cF
+JzSuiYUi7SCmFjn3soNqpXHFzCox6KIs9R6PL4epaQM76EVG/Xy6mdDvFnZvqypi
+wmK6J0AGajOxItYUGb2a3Zmt/2nliW6t8sW/vhovHRu7YROo4uJygIp2UUFct2Lk
+8C7XkJX5RXW+sKTiNddIjhmDFD0vHfvNvQ6AIayJTmXy272+aqYNJWB2wS/2uD3Z
++WOpiINetCtkASoiE7nzBQw+WsTfeFJH2TnI5pnSaHdLRUQtzoLO0/FgQ5WBfJg5
+aH03DLfQ9GEdzlsOkPOEgHXqDFMjTQCwcue3AgMBAAGjUzBRMB0GA1UdDgQWBBRd
+0Zs+cm0gPHGKoQrerC18Pa3B3zAfBgNVHSMEGDAWgBRd0Zs+cm0gPHGKoQrerC18
+Pa3B3zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAepPrWqB9h
+JkqtgJrP8SkQVulTVKYj66J5JxM5vZR96Z4UnbA3WNxezev0jMCYuV0twHPN8avs
+Jern+/n7vgQ3ziiLVdtrN8PqK1X1apSurVmaiIw4tRcv5TVL5OD95sTyJh5bUBpM
+DGtCTraPZxLIDKm9byunobXtJVcutw4oHKtFy/LlFWePCnvFzvx6ZFswLAXgxhf9
+EtjDf3v0cjDn9yRzjYFrwHiQ53A75YTwFyk21q7Gh1G0yspfBeq7cej2wK1PnfiC
+42TI0UzcqRV4CWDoARMSV8yMLajZ0g1eEreUprwmFcOy17V7KCeV6E8lKb21OU8M
+Ad9q3H0iXjct
+-----END CERTIFICATE-----

hack/dummy_use_cert.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyzCCAbMCFAoie5EUqnUAHimqxbJBHV0MGVbwMA0GCSqGSIb3DQEBCwUAMCIx
+IDAeBgNVBAMMF2FkbWluLWt1YmVjb25maWctc2lnbmVyMB4XDTI0MDEwOTEzMTky
+NVoXDTI0MDIwODEzMTkyNVowIjEgMB4GA1UEAwwXYWRtaW4ta3ViZWNvbmZpZy1z
+aWduZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2fz96uc8fDoNV
+RaBB9iQ+i5Y76IZf0XOdGID8WVaqPlqH+NgLUaFa39T+78FhZW3794Lbeyu/PnYT
+ufMyKnJEulVO7W7gPHaqWyuN08/m6SH5ycTEgUAXK1q1yVR/vM6HnV/UPUCfbDaW
+RFOrUgGNwNywhEjqyzyUxJFixxS6Rk7JmouROD2ciNhBn6wNFByVHN9j4nQUOhXC
+A0JjuiPH7ybvcHjmg3mKDJusyVq4pl0faahOxn0doILfXaHHwRxyEnP3V3arpPer
+FvwlHh2Cfat+ijFPSD9pN3KmoeAviOHZVLQ/jKzkQvzlvva3mhEpLE5Zje1lMpvq
+fjDheW9bAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAC7oi/Ht0lidcx6XvOBz6W1m
+LU02e2yHuDzw6E3WuNoqAdPpleFRV4mLDnv8mEavH5sje0L5veHtOq3Ny4pc06B+
+ETB2aCW4GQ4mPvN9Jyi6sxLQQaVLpFrtPPB08NawNbbcYWUrAihO1uIXLhaCYZWw
+H3aWlqRvGECazYZIPcFoV20jygrcwMhixSZjYyHhJN0LYO5sjiKcMnI8EkHuqE17
+7CPogicZte+m49Mo+f7b8asmKBSafdTUSVAt9Q3Fc3PTJSMW5lxfx1vIR/og33WJ
+BgIejfD1dYW2Fp02z5sF6Pw6vhobpfDYgsTAKNonh5P6NxMiD14eQxYrNJ6DAF0=
+-----END CERTIFICATE-----

run_seed.sh

@@ -70,11 +70,18 @@ if [[ -n "$WITH_CONFIG" ]]; then
 	RECERT_CONFIG=<(echo '
 dry_run: false
 etcd_endpoint: localhost:2379
-static_dirs:
+crypto_dirs:
 - backup/etc/kubernetes
 - backup/var/lib/kubelet
 - backup/etc/machine-config-daemon
-static_files:
+crypto_files:
+- backup/etc/mcs-machine-config-content.json
+cluster_customization_dirs:
+- backup/etc/kubernetes
+- backup/var/lib/kubelet
+- backup/etc/machine-config-daemon
+- backup/etc/pki/ca-trust
+cluster_customization_files:
 - backup/etc/mcs-machine-config-content.json
 cn_san_replace_rules:
 - api-int.seed.redhat.com:api-int.new-name.foo.com
@@ -104,6 +111,55 @@ cluster_rename: new-name:foo.com:some-random-infra-id
 hostname: test.hostname
 ip: 192.168.126.99
 kubeadmin_password_hash: "$2a$10$20Q4iRLy7cWZkjn/D07bF.RZQZonKwstyRGH0qiYbYRkx5Pe4Ztyi"
+additional_trust_bundle: |
+    # Foo
+    -----BEGIN CERTIFICATE-----
+    MIIDZTCCAk2gAwIBAgIUP+AxIkXJXTEhNGLH2qjmE6Gp0fowDQYJKoZIhvcNAQEL
+    BQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
+    CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNDAzMDExMDIyNTlaFw0yNTAzMDEx
+    MDIyNTlaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
+    BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+    DwAwggEKAoIBAQC0wzg+7X2Amb5g60g0TstLgC0XnJRZq/YZUUsJMmm3qMb/+GYJ
+    AJzHxiycUfbRJtYvjx0SBmAX/kDRVCEQKcN5d/y3zeq709YO40kvouScfstsxM8l
+    PFLOmM8/Dqey1WblSJERBLbLherDnMwR7EMXkyZ/AfHUXmhVoIZE9ywsZpNcVW6Z
+    7x/+Izbj1s305vrxEkZDw6b3oMG5uooQgP5NZFXSamzJgviP0L/usvbRMtAWphoj
+    WhMeNuOdymLwRzm2l+2Qp/JDWktgHccmrbbi1c6pwhsIJBj4KOyb9zROTnYXyS/j
+    0b7GzVcffveV6E58rGa2ILyIsCv6gt8LgFnxAgMBAAGjUzBRMB0GA1UdDgQWBBQ5
+    nh0SeZxZ969ps+9ywPEoOVasxTAfBgNVHSMEGDAWgBQ5nh0SeZxZ969ps+9ywPEo
+    OVasxTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAWxsqfdm8h
+    AeNY8vPcRdtB9KYU5sZLs4NtlBFSdn+pHmeXZwwkjQDNhVcEMKdpZI4BpS11Ggwh
+    1d3BCCC/5M6yVqm+EMKJvA9VCeM8d1WJ1yVyXcgGuegf8kr3v+lr7Ll59qZGP5Ir
+    WwE8WRns7uFOCqYJCxo1VFXitZZuIugr3NUSimBPoJf1hDYdye3K3Q+grF2GyNII
+    5Yo+/VSR4ejIvJYAFp91Ycep7S0/+qhFpsjEG0Qw3Ly6WqQoCqdmIsyqFgWHsIlY
+    oJxV5wTX/c9DDZLR0VUD19aDV3B9kb7Cf+h7S4RsORWCyi7+58FKkkD6Ryc0I1K6
+    xw3RWhfd9o1d
+    -----END CERTIFICATE-----
+
+
+
+    # All
+    # the Bars
+    -----BEGIN CERTIFICATE-----
+    MIIDZTCCAk2gAwIBAgIULnisjJLte3Vvt4o1f+5vSQg542cwDQYJKoZIhvcNAQEL
+    BQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
+    CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNDAzMDExMDI1MDFaFw0yNTAzMDEx
+    MDI1MDFaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
+    BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+    DwAwggEKAoIBAQC2dhK7xTnoTB3wN1l3NsLTp5YR0KFfBTjMcDgSzUy/GN79c2cF
+    JzSuiYUi7SCmFjn3soNqpXHFzCox6KIs9R6PL4epaQM76EVG/Xy6mdDvFnZvqypi
+    wmK6J0AGajOxItYUGb2a3Zmt/2nliW6t8sW/vhovHRu7YROo4uJygIp2UUFct2Lk
+    8C7XkJX5RXW+sKTiNddIjhmDFD0vHfvNvQ6AIayJTmXy272+aqYNJWB2wS/2uD3Z
+    +WOpiINetCtkASoiE7nzBQw+WsTfeFJH2TnI5pnSaHdLRUQtzoLO0/FgQ5WBfJg5
+    aH03DLfQ9GEdzlsOkPOEgHXqDFMjTQCwcue3AgMBAAGjUzBRMB0GA1UdDgQWBBRd
+    0Zs+cm0gPHGKoQrerC18Pa3B3zAfBgNVHSMEGDAWgBRd0Zs+cm0gPHGKoQrerC18
+    Pa3B3zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAepPrWqB9h
+    JkqtgJrP8SkQVulTVKYj66J5JxM5vZR96Z4UnbA3WNxezev0jMCYuV0twHPN8avs
+    Jern+/n7vgQ3ziiLVdtrN8PqK1X1apSurVmaiIw4tRcv5TVL5OD95sTyJh5bUBpM
+    DGtCTraPZxLIDKm9byunobXtJVcutw4oHKtFy/LlFWePCnvFzvx6ZFswLAXgxhf9
+    EtjDf3v0cjDn9yRzjYFrwHiQ53A75YTwFyk21q7Gh1G0yspfBeq7cej2wK1PnfiC
+    42TI0UzcqRV4CWDoARMSV8yMLajZ0g1eEreUprwmFcOy17V7KCeV6E8lKb21OU8M
+    Ad9q3H0iXjct
+    -----END CERTIFICATE-----
 summary_file: summary.yaml
 summary_file_clean: summary_redacted.yaml
 extend_expiration: true
@@ -113,23 +169,36 @@ threads: 1
 ') cargo run --release
 else
 	# shellcheck disable=2016
-	cargo run --release -- \
+	cargo run -- \
 		--etcd-endpoint localhost:2379 \
-		--static-dir backup/etc/kubernetes \
-		--static-dir backup/var/lib/kubelet \
-		--static-dir backup/etc/machine-config-daemon \
-		--static-file backup/etc/mcs-machine-config-content.json \
+        \
+		--crypto-dir backup/etc/kubernetes \
+		--crypto-dir backup/var/lib/kubelet \
+		--crypto-dir backup/etc/machine-config-daemon \
+		--crypto-file backup/etc/mcs-machine-config-content.json \
+        \
+		--cluster-customization-dir backup/etc/kubernetes \
+		--cluster-customization-dir backup/var/lib/kubelet \
+		--cluster-customization-dir backup/etc/machine-config-daemon \
+		--cluster-customization-dir backup/etc/pki/ca-trust \
+		--cluster-customization-file backup/etc/mcs-machine-config-content.json \
+        \
 		--cn-san-replace api-int.seed.redhat.com:api-int.new-name.foo.com \
 		--cn-san-replace api.seed.redhat.com:api.new-name.foo.com \
 		--cn-san-replace *.apps.seed.redhat.com:*.apps.new-name.foo.com \
 		--cn-san-replace 192.168.126.10:192.168.127.11 \
+		--use-cert ./hack/dummy_use_cert.crt \
+        \
 		--cluster-rename new-name:foo.com:some-random-infra-id \
 		--hostname test.hostname \
 		--ip 192.168.126.99 \
 		--kubeadmin-password-hash '$2a$10$20Q4iRLy7cWZkjn/D07bF.RZQZonKwstyRGH0qiYbYRkx5Pe4Ztyi' \
+		--additional-trust-bundle ./hack/dummy_trust_bundle.pem \
+		--pull-secret '{"auths":{"empty_registry":{"username":"empty","password":"empty","auth":"ZW1wdHk6ZW1wdHk=","email":""}}}' \
+        \
 		--summary-file summary.yaml \
 		--summary-file-clean summary_redacted.yaml \
-		--pull-secret '{"auths":{"empty_registry":{"username":"empty","password":"empty","auth":"ZW1wdHk6ZW1wdHk=","email":""}}}' \
+        \
 		--extend-expiration
 	# --regenerate-server-ssh-keys backup/etc/ssh/ \
 fi

src/cluster_crypto/scanning.rs

@@ -5,7 +5,7 @@ use super::{
 };
 use crate::{
     cluster_crypto::{crypto_objects::process_unknown_value, json_crawl},
-    config::ConfigPath,
+    config::path::ConfigPath,
     file_utils::{self, read_file_to_string},
     k8s_etcd::InMemoryK8sEtcd,
     recert::timing::RunTime,

src/cnsanreplace.rs

@@ -16,7 +16,7 @@ impl std::fmt::Display for CnSanReplace {
 }
 
 impl CnSanReplace {
-    pub(crate) fn cli_parse(value: &str) -> Result<Self> {
+    pub(crate) fn parse(value: &str) -> Result<Self> {
         // Also allow comma separation to support IPv6
         let split = if value.contains(',') { value.split(',') } else { value.split(':') }.collect::<Vec<_>>();