Exclude private certificate and key files from collect

Collecting private keys and certificates is objectionable.

This update adds /etc/kubernetes/pki to the collect
exclude list so that its private keys and certificate
files are not collected.

This update then enhances collect's mask passwords
plugin to pull in the public certificate files which
do not pose a security risk and are useful during debug.

Test Plan:

PASS: Verify only the .crt files from the newly excluded
      dir are collected.

Change-Id: Ia9e3e132d10fd31486b92742fb17147b36aa98c9
Closes-Bug: 1952676
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>

tools/collector/scripts/collect_mask_passwords

@@ -66,6 +66,13 @@ rm -rf ${COLLECT_NAME_DIR}/var/extra/platform/config/*/ssh_config
 rm -f ${COLLECT_NAME_DIR}/var/extra/platform/puppet/*/hieradata/secure*.yaml
 rm -f ${COLLECT_NAME_DIR}/etc/puppet/cache/hieradata/secure*.yaml
 
+# dir /etc/kubernetes/pki was etc.excluded
+if [ -d "/etc/kubernetes/pki" ] ; then
+    # grab the public certificates if /etc/kubernetes/pki exists
+    mkdir -p ${COLLECT_NAME_DIR}/etc/kubernetes/pki
+    cp -a /etc/kubernetes/pki/*.crt ${COLLECT_NAME_DIR}/etc/kubernetes/pki 2>/dev/null 1>/dev/null
+fi
+
 # Mask user passwords in sysinv db dump
 if [ -f ${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt ]; then
     sed -i -r '/COPY i_user/, /^--/ s/^(([^\t]*\t){10})[^\t]*(\t.*)/\1xxxxxx\3/;

tools/collector/scripts/etc.exclude

@@ -38,3 +38,4 @@
 /etc/systemd/system/ctrl-alt-del.target
 /etc/ssl
 /etc/mtc/tmp
+/etc/kubernetes/pki