Skip to content

Commit

Permalink
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
Browse files Browse the repository at this point in the history
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
  • Loading branch information
rpardini committed Jul 24, 2024
1 parent 326c168 commit 717980a
Show file tree
Hide file tree
Showing 4 changed files with 52 additions and 46 deletions.
1 change: 1 addition & 0 deletions cmd/smee/flag.go
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,7 @@ func ipxeHTTPScriptFlags(c *config, fs *flag.FlagSet) {
fs.StringVar(&c.ipxeHTTPScript.hookURL, "osie-url", "", "[http] URL where OSIE (HookOS) images are located")
fs.StringVar(&c.ipxeHTTPScript.tinkServer, "tink-server", "", "[http] IP:Port for the Tink server")
fs.BoolVar(&c.ipxeHTTPScript.tinkServerUseTLS, "tink-server-tls", false, "[http] use TLS for Tink server")
fs.BoolVar(&c.ipxeHTTPScript.tinkServerInsecureTLS, "tink-server-insecure-tls", false, "[http] use insecure TLS for Tink server")
fs.IntVar(&c.ipxeHTTPScript.retries, "ipxe-script-retries", 0, "[http] number of retries to attempt when fetching kernel and initrd files in the iPXE script")
fs.IntVar(&c.ipxeHTTPScript.retryDelay, "ipxe-script-retry-delay", 2, "[http] delay (in seconds) between retries when fetching kernel and initrd files in the iPXE script")
}
Expand Down
20 changes: 11 additions & 9 deletions cmd/smee/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,7 @@ type ipxeHTTPScript struct {
hookURL string
tinkServer string
tinkServerUseTLS bool
tinkServerInsecureTLS bool
trustedProxies string
disableDiscoverTrustedProxies bool
retries int
Expand Down Expand Up @@ -227,15 +228,16 @@ func main() {
}

jh := script.Handler{
Logger: log,
Backend: br,
OSIEURL: cfg.ipxeHTTPScript.hookURL,
ExtraKernelParams: strings.Split(cfg.ipxeHTTPScript.extraKernelArgs, " "),
PublicSyslogFQDN: cfg.dhcp.syslogIP,
TinkServerTLS: cfg.ipxeHTTPScript.tinkServerUseTLS,
TinkServerGRPCAddr: cfg.ipxeHTTPScript.tinkServer,
IPXEScriptRetries: cfg.ipxeHTTPScript.retries,
IPXEScriptRetryDelay: cfg.ipxeHTTPScript.retryDelay,
Logger: log,
Backend: br,
OSIEURL: cfg.ipxeHTTPScript.hookURL,
ExtraKernelParams: strings.Split(cfg.ipxeHTTPScript.extraKernelArgs, " "),
PublicSyslogFQDN: cfg.dhcp.syslogIP,
TinkServerTLS: cfg.ipxeHTTPScript.tinkServerUseTLS,
TinkServerInsecureTLS: cfg.ipxeHTTPScript.tinkServerInsecureTLS,
TinkServerGRPCAddr: cfg.ipxeHTTPScript.tinkServer,
IPXEScriptRetries: cfg.ipxeHTTPScript.retries,
IPXEScriptRetryDelay: cfg.ipxeHTTPScript.retryDelay,
}
// serve ipxe script from the "/" URI.
handlers["/"] = jh.HandlerFunc()
Expand Down
31 changes: 16 additions & 15 deletions internal/ipxe/script/hook.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ set retry_delay:int32 {{ .RetryDelay }}
set idx:int32 0
:retry_kernel
kernel ${download-url}/vmlinuz-${arch} {{- if ne .VLANID "" }} vlan_id={{ .VLANID }} {{- end }} {{- range .ExtraKernelParams}} {{.}} {{- end}} \
facility={{ .Facility }} syslog_host={{ .SyslogHost }} grpc_authority={{ .TinkGRPCAuthority }} tinkerbell_tls={{ .TinkerbellTLS }} worker_id={{ .WorkerID }} hw_addr={{ .HWAddr }} \
facility={{ .Facility }} syslog_host={{ .SyslogHost }} grpc_authority={{ .TinkGRPCAuthority }} tinkerbell_tls={{ .TinkerbellTLS }} tinkerbell_insecure_tls={{ .TinkerbellInsecureTLS }} worker_id={{ .WorkerID }} hw_addr={{ .HWAddr }} \
modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel
:download_initrd
Expand Down Expand Up @@ -47,18 +47,19 @@ exit

// Hook holds the values used to generate the iPXE script that loads the Hook OS.
type Hook struct {
Arch string // example x86_64
Console string // example ttyS1,115200
DownloadURL string // example https://location:8080/to/kernel/and/initrd
ExtraKernelParams []string // example tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0
Facility string
HWAddr string // example 3c:ec:ef:4c:4f:54
SyslogHost string
TinkerbellTLS bool
TinkGRPCAuthority string // example 192.168.2.111:42113
TraceID string
VLANID string // string number between 1-4095
WorkerID string // example 3c:ec:ef:4c:4f:54 or worker1
Retries int // number of retries to attempt when fetching kernel and initrd files
RetryDelay int // number of seconds to wait between retries
Arch string // example x86_64
Console string // example ttyS1,115200
DownloadURL string // example https://location:8080/to/kernel/and/initrd
ExtraKernelParams []string // example tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0
Facility string
HWAddr string // example 3c:ec:ef:4c:4f:54
SyslogHost string
TinkerbellTLS bool
TinkerbellInsecureTLS bool
TinkGRPCAuthority string // example 192.168.2.111:42113
TraceID string
VLANID string // string number between 1-4095
WorkerID string // example 3c:ec:ef:4c:4f:54 or worker1
Retries int // number of retries to attempt when fetching kernel and initrd files
RetryDelay int // number of seconds to wait between retries
}
46 changes: 24 additions & 22 deletions internal/ipxe/script/ipxe.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,15 +19,16 @@ import (
)

type Handler struct {
Logger logr.Logger
Backend handler.BackendReader
OSIEURL string
ExtraKernelParams []string
PublicSyslogFQDN string
TinkServerTLS bool
TinkServerGRPCAddr string
IPXEScriptRetries int
IPXEScriptRetryDelay int
Logger logr.Logger
Backend handler.BackendReader
OSIEURL string
ExtraKernelParams []string
PublicSyslogFQDN string
TinkServerTLS bool
TinkServerInsecureTLS bool
TinkServerGRPCAddr string
IPXEScriptRetries int
IPXEScriptRetryDelay int
}

type data struct {
Expand Down Expand Up @@ -218,19 +219,20 @@ func (h *Handler) defaultScript(span trace.Span, hw data) (string, error) {
}

auto := Hook{
Arch: arch,
Console: "",
DownloadURL: h.OSIEURL,
ExtraKernelParams: h.ExtraKernelParams,
Facility: hw.Facility,
HWAddr: mac.String(),
SyslogHost: h.PublicSyslogFQDN,
TinkerbellTLS: h.TinkServerTLS,
TinkGRPCAuthority: h.TinkServerGRPCAddr,
VLANID: hw.VLANID,
WorkerID: wID,
Retries: h.IPXEScriptRetries,
RetryDelay: h.IPXEScriptRetryDelay,
Arch: arch,
Console: "",
DownloadURL: h.OSIEURL,
ExtraKernelParams: h.ExtraKernelParams,
Facility: hw.Facility,
HWAddr: mac.String(),
SyslogHost: h.PublicSyslogFQDN,
TinkerbellTLS: h.TinkServerTLS,
TinkerbellInsecureTLS: h.TinkServerInsecureTLS,
TinkGRPCAuthority: h.TinkServerGRPCAddr,
VLANID: hw.VLANID,
WorkerID: wID,
Retries: h.IPXEScriptRetries,
RetryDelay: h.IPXEScriptRetryDelay,
}
if sc := span.SpanContext(); sc.IsSampled() {
auto.TraceID = sc.TraceID().String()
Expand Down

0 comments on commit 717980a

Please sign in to comment.