cmd/tailscale,ipn: implement lock sign command

Signed-off-by: Tom DNetto <tom@tailscale.com>

cmd/tailscale/cli/network-lock.go

@@ -26,6 +26,7 @@ var netlockCmd = &ffcli.Command{
 		nlStatusCmd,
 		nlAddCmd,
 		nlRemoveCmd,
+		nlSignCmd,
 	},
 	Exec: runNetworkLockStatus,
 }
@@ -163,3 +164,27 @@ func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) err
 	fmt.Printf("Status: %+v\n\n", status)
 	return nil
 }
+
+var nlSignCmd = &ffcli.Command{
+	Name:       "sign",
+	ShortUsage: "sign <node-key>",
+	ShortHelp:  "Signs a node-key and transmits that signature to the control plane",
+	Exec:       runNetworkLockSign,
+}
+
+// TODO(tom): Implement specifying the rotation key for the signature.
+func runNetworkLockSign(ctx context.Context, args []string) error {
+	switch len(args) {
+	case 0:
+		return errors.New("expected node-key as second argument")
+	case 1:
+		var nodeKey key.NodePublic
+		if err := nodeKey.UnmarshalText([]byte(args[0])); err != nil {
+			return fmt.Errorf("decoding node-key: %w", err)
+		}
+
+		return localClient.NetworkLockSign(ctx, nodeKey, nil)
+	default:
+		return errors.New("expected a single node-key as only argument")
+	}
+}