From 7e803b4eb27dff4575a905bacca879fd0fab9150 Mon Sep 17 00:00:00 2001
From: Ricardo Pardini
Date: Tue, 9 Jul 2024 14:03:23 +0200
Subject: [PATCH] smee: introduce bool `tink-server-insecure-tls` controlling `tinkerbell_insecure_tls` kernel parameter

- for usage with https://github.com/tinkerbell/tink/pull/960

Signed-off-by: Ricardo Pardini
---
 cmd/smee/flag.go | 1 +
 cmd/smee/flag_test.go | 1 +
 cmd/smee/main.go | 42 ++++++++++++++-------------
 internal/ipxe/script/auto_test.go | 4 +--
 internal/ipxe/script/hook.go | 31 ++++++++++----------
 internal/ipxe/script/ipxe.go | 48 ++++++++++++++++---------------
 internal/ipxe/script/ipxe_test.go | 2 +-
 7 files changed, 68 insertions(+), 61 deletions(-)

diff --git a/cmd/smee/flag.go b/cmd/smee/flag.go
index fe95f5ff..02dcfa2c 100644
--- a/cmd/smee/flag.go
+++ b/cmd/smee/flag.go
@@ -108,6 +108,7 @@ func ipxeHTTPScriptFlags(c *config, fs *flag.FlagSet) {
 fs.StringVar(&c.ipxeHTTPScript.hookURL, "osie-url", "", "[http] URL where OSIE (HookOS) images are located")
 fs.StringVar(&c.ipxeHTTPScript.tinkServer, "tink-server", "", "[http] IP:Port for the Tink server")
 fs.BoolVar(&c.ipxeHTTPScript.tinkServerUseTLS, "tink-server-tls", false, "[http] use TLS for Tink server")
+ fs.BoolVar(&c.ipxeHTTPScript.tinkServerInsecureTLS, "tink-server-insecure-tls", false, "[http] use insecure TLS for Tink server")
 fs.IntVar(&c.ipxeHTTPScript.retries, "ipxe-script-retries", 0, "[http] number of retries to attempt when fetching kernel and initrd files in the iPXE script")
 fs.IntVar(&c.ipxeHTTPScript.retryDelay, "ipxe-script-retry-delay", 2, "[http] delay (in seconds) between retries when fetching kernel and initrd files in the iPXE script")
 }
diff --git a/cmd/smee/flag_test.go b/cmd/smee/flag_test.go
index 7cbaac70..29235f12 100644
--- a/cmd/smee/flag_test.go
+++ b/cmd/smee/flag_test.go
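Review bot: The help text on the added `fs.BoolVar`, `[http] use insecure TLS for Tink server`, does not tell an operator what is made insecure or that the flag only matters together with `-tink-server-tls`; in this patch the value is only forwarded as the `tinkerbell_insecure_tls` kernel parameter, so what the worker does with it (presumably skipping Tink server certificate verification, per the linked tink PR) cannot be confirmed from here and should be spelled out where the flag is defined. Suggest `"[http] pass tinkerbell_insecure_tls=true to HookOS so the worker does not verify the Tink server TLS certificate (only meaningful with -tink-server-tls; test environments only)"`, adjusted to whatever tink-worker actually does with the parameter. A flag whose name contains "insecure" and whose effect is silent deserves the warning in the one place every operator reads it.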
@@ -140,6 +140,7 @@ FLAGS
 -ipxe-script-retry-delay [http] delay (in seconds) between retries when fetching kernel and initrd files in the iPXE script (default "2")
 -osie-url [http] URL where OSIE (HookOS) images are located
 -tink-server [http] IP:Port for the Tink server
+ -tink-server-insecure-tls [http] use insecure TLS for Tink server (default "false")
 -tink-server-tls [http] use TLS for Tink server (default "false")
 -trusted-proxies [http] comma separated list of trusted proxies in CIDR notation
 -otel-endpoint [otel] OpenTelemetry collector endpoint
diff --git a/cmd/smee/main.go b/cmd/smee/main.go
index f6eb647b..6a502125 100644
--- a/cmd/smee/main.go
+++ b/cmd/smee/main.go
@@ -82,16 +82,17 @@ type ipxeHTTPBinary struct {
 }

 type ipxeHTTPScript struct {
- enabled bool
- bindAddr string
- bindPort int
- extraKernelArgs string
- hookURL string
- tinkServer string
- tinkServerUseTLS bool
- trustedProxies string
- retries int
- retryDelay int
+ enabled bool
+ bindAddr string
+ bindPort int
+ extraKernelArgs string
+ hookURL string
+ tinkServer string
+ tinkServerUseTLS bool
+ tinkServerInsecureTLS bool
+ trustedProxies string
+ retries int
+ retryDelay int
 }

 type dhcpMode string
@@ -221,16 +222,17 @@ func main() {
 panic(fmt.Errorf("failed to create backend: %w", err))
 }
 jh := script.Handler{
- Logger: log,
- Backend: br,
- OSIEURL: cfg.ipxeHTTPScript.hookURL,
- ExtraKernelParams: strings.Split(cfg.ipxeHTTPScript.extraKernelArgs, " "),
- PublicSyslogFQDN: cfg.dhcp.syslogIP,
- TinkServerTLS: cfg.ipxeHTTPScript.tinkServerUseTLS,
- TinkServerGRPCAddr: cfg.ipxeHTTPScript.tinkServer,
- IPXEScriptRetries: cfg.ipxeHTTPScript.retries,
- IPXEScriptRetryDelay: cfg.ipxeHTTPScript.retryDelay,
- StaticIPXEEnabled: (dhcpMode(cfg.dhcp.mode) == dhcpModeAutoProxy),
+ Logger: log,
+ Backend: br,
+ OSIEURL: cfg.ipxeHTTPScript.hookURL,
+ ExtraKernelParams: strings.Split(cfg.ipxeHTTPScript.extraKernelArgs, " "),
+ PublicSyslogFQDN: cfg.dhcp.syslogIP,
+ TinkServerTLS: cfg.ipxeHTTPScript.tinkServerUseTLS,
+ TinkServerInsecureTLS: cfg.ipxeHTTPScript.tinkServerInsecureTLS,
+ TinkServerGRPCAddr: cfg.ipxeHTTPScript.tinkServer,
+ IPXEScriptRetries: cfg.ipxeHTTPScript.retries,
+ IPXEScriptRetryDelay: cfg.ipxeHTTPScript.retryDelay,
+ StaticIPXEEnabled: (dhcpMode(cfg.dhcp.mode) == dhcpModeAutoProxy),
 }

 // serve ipxe script from the "/" URI.
diff --git a/internal/ipxe/script/auto_test.go b/internal/ipxe/script/auto_test.go
index 3588f51f..a5a43435 100644
--- a/internal/ipxe/script/auto_test.go
+++ b/internal/ipxe/script/auto_test.go
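Review bot: Nothing in main() reports that the insecure mode is on; the new `TinkServerInsecureTLS: cfg.ipxeHTTPScript.tinkServerInsecureTLS` is copied into the Handler and from then on the only trace of it is a token on every worker's kernel command line. A security-relevant toggle like this should be loud at startup, and the combination `tinkServerInsecureTLS && !tinkServerUseTLS` is representable but meaningless and is worth flagging so a misconfiguration does not go unnoticed. Since `log` is the logr.Logger handed to `Handler.Logger`, something like `if cfg.ipxeHTTPScript.tinkServerInsecureTLS { log.Info("tink-server-insecure-tls is enabled: workers will not verify the Tink server certificate; do not use outside test environments", "tink-server-tls", cfg.ipxeHTTPScript.tinkServerUseTLS) }` placed before the Handler literal would do; whether the worker really skips verification is inferred from the linked tink PR, not visible here, so word the message to match its actual behavior. main() starts and ends outside this hunk.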
@@ -40,7 +40,7 @@ set retry_delay:int32 3
 set idx:int32 0
 :retry_kernel
 kernel ${download-url}/vmlinuz-${arch} tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0 tinkerbell=packet \
-facility=onprem syslog_host=1.2.3.4 grpc_authority=1.2.3.4:42113 tinkerbell_tls=false worker_id=3c:ec:ef:4c:4f:54 hw_addr=3c:ec:ef:4c:4f:54 \
+facility=onprem syslog_host=1.2.3.4 grpc_authority=1.2.3.4:42113 tinkerbell_tls=false tinkerbell_insecure_tls=false worker_id=3c:ec:ef:4c:4f:54 hw_addr=3c:ec:ef:4c:4f:54 \
 modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel

 :download_initrd
@@ -97,7 +97,7 @@ set retry_delay:int32 3
 set idx:int32 0
 :retry_kernel
 kernel ${download-url}/vmlinuz-${arch} vlan_id=16 tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0 tinkerbell=packet \
-facility=onprem syslog_host=1.2.3.4 grpc_authority=1.2.3.4:42113 tinkerbell_tls=false worker_id=3c:ec:ef:4c:4f:54 hw_addr=3c:ec:ef:4c:4f:54 \
+facility=onprem syslog_host=1.2.3.4 grpc_authority=1.2.3.4:42113 tinkerbell_tls=false tinkerbell_insecure_tls=false worker_id=3c:ec:ef:4c:4f:54 hw_addr=3c:ec:ef:4c:4f:54 \
 modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel

 :download_initrd
diff --git a/internal/ipxe/script/hook.go b/internal/ipxe/script/hook.go
index b4018fc0..e9280713 100644
--- a/internal/ipxe/script/hook.go
+++ b/internal/ipxe/script/hook.go
@@ -16,7 +16,7 @@ set retry_delay:int32 {{ .RetryDelay }}
 set idx:int32 0
 :retry_kernel
 kernel ${download-url}/vmlinuz-${arch} {{- if ne .VLANID "" }} vlan_id={{ .VLANID }} {{- end }} {{- range .ExtraKernelParams}} {{.}} {{- end}} \
-facility={{ .Facility }} syslog_host={{ .SyslogHost }} grpc_authority={{ .TinkGRPCAuthority }} tinkerbell_tls={{ .TinkerbellTLS }} worker_id={{ .WorkerID }} hw_addr={{ .HWAddr }} \
+facility={{ .Facility }} syslog_host={{ .SyslogHost }} grpc_authority={{ .TinkGRPCAuthority }} tinkerbell_tls={{ .TinkerbellTLS }} tinkerbell_insecure_tls={{ .TinkerbellInsecureTLS }} worker_id={{ .WorkerID }} hw_addr={{ .HWAddr }} \
 modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel

 :download_initrd
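Review bot: The template now emits `tinkerbell_insecure_tls={{ .TinkerbellInsecureTLS }}` on every generated kernel line, so every worker boots with `tinkerbell_insecure_tls=false` on its command line even when nothing asked for it, which is why all three golden scripts in the tests had to change. If the parameter is only meaningful when true, gating it as `{{- if .TinkerbellInsecureTLS }} tinkerbell_insecure_tls=true{{- end }}` keeps the default command line unchanged, leaves the existing golden outputs intact, and makes the insecure case stand out when someone reads `/proc/cmdline` on a worker. Whether an older tink-worker tolerates or rejects the unknown parameter cannot be determined from this repository; the same consideration applies to `tinkerbell_tls`, which is already emitted unconditionally, so matching that existing style is also defensible.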
@@ -47,18 +47,19 @@ exit

 // Hook holds the values used to generate the iPXE script that loads the Hook OS.
 type Hook struct {
- Arch string // example x86_64
- Console string // example ttyS1,115200
- DownloadURL string // example https://location:8080/to/kernel/and/initrd
- ExtraKernelParams []string // example tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0
- Facility string
- HWAddr string // example 3c:ec:ef:4c:4f:54
- SyslogHost string
- TinkerbellTLS bool
- TinkGRPCAuthority string // example 192.168.2.111:42113
- TraceID string
- VLANID string // string number between 1-4095
- WorkerID string // example 3c:ec:ef:4c:4f:54 or worker1
- Retries int // number of retries to attempt when fetching kernel and initrd files
- RetryDelay int // number of seconds to wait between retries
+ Arch string // example x86_64
+ Console string // example ttyS1,115200
+ DownloadURL string // example https://location:8080/to/kernel/and/initrd
+ ExtraKernelParams []string // example tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0
+ Facility string
+ HWAddr string // example 3c:ec:ef:4c:4f:54
+ SyslogHost string
+ TinkerbellTLS bool
+ TinkerbellInsecureTLS bool
+ TinkGRPCAuthority string // example 192.168.2.111:42113
+ TraceID string
+ VLANID string // string number between 1-4095
+ WorkerID string // example 3c:ec:ef:4c:4f:54 or worker1
+ Retries int // number of retries to attempt when fetching kernel and initrd files
+ RetryDelay int // number of seconds to wait between retries
 }
diff --git a/internal/ipxe/script/ipxe.go b/internal/ipxe/script/ipxe.go
index a6c9195a..ae8c87f6 100644
--- a/internal/ipxe/script/ipxe.go
+++ b/internal/ipxe/script/ipxe.go
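Review bot: The new `TinkerbellInsecureTLS bool` field (and the existing `TinkerbellTLS bool` next to it) carries no comment, while almost every other field in Hook documents its meaning or gives an example, and the name alone does not say what becomes insecure or how the two bools relate. Suggest `TinkerbellTLS bool // rendered as tinkerbell_tls=<bool>; whether the worker connects to TinkGRPCAuthority over TLS` and `TinkerbellInsecureTLS bool // rendered as tinkerbell_insecure_tls=<bool>; presumably tells tink-worker to skip Tink server certificate verification (tinkerbell/tink#960) — only meaningful when TinkerbellTLS is true`. The "presumably" is deliberate: this repository only renders the parameter into the script, so the worker-side semantics should be confirmed against tink before the comment states them as fact.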
@@ -19,16 +19,17 @@ import (
 )

 type Handler struct {
- Logger logr.Logger
- Backend handler.BackendReader
- OSIEURL string
- ExtraKernelParams []string
- PublicSyslogFQDN string
- TinkServerTLS bool
- TinkServerGRPCAddr string
- IPXEScriptRetries int
- IPXEScriptRetryDelay int
- StaticIPXEEnabled bool
+ Logger logr.Logger
+ Backend handler.BackendReader
+ OSIEURL string
+ ExtraKernelParams []string
+ PublicSyslogFQDN string
+ TinkServerTLS bool
+ TinkServerInsecureTLS bool
+ TinkServerGRPCAddr string
+ IPXEScriptRetries int
+ IPXEScriptRetryDelay int
+ StaticIPXEEnabled bool
 }

 type data struct {
@@ -258,19 +259,20 @@ func (h *Handler) defaultScript(span trace.Span, hw data) (string, error) {
 }

 auto := Hook{
- Arch: arch,
- Console: "",
- DownloadURL: h.OSIEURL,
- ExtraKernelParams: h.ExtraKernelParams,
- Facility: hw.Facility,
- HWAddr: mac.String(),
- SyslogHost: h.PublicSyslogFQDN,
- TinkerbellTLS: h.TinkServerTLS,
- TinkGRPCAuthority: h.TinkServerGRPCAddr,
- VLANID: hw.VLANID,
- WorkerID: wID,
- Retries: h.IPXEScriptRetries,
- RetryDelay: h.IPXEScriptRetryDelay,
+ Arch: arch,
+ Console: "",
+ DownloadURL: h.OSIEURL,
+ ExtraKernelParams: h.ExtraKernelParams,
+ Facility: hw.Facility,
+ HWAddr: mac.String(),
+ SyslogHost: h.PublicSyslogFQDN,
+ TinkerbellTLS: h.TinkServerTLS,
+ TinkerbellInsecureTLS: h.TinkServerInsecureTLS,
+ TinkGRPCAuthority: h.TinkServerGRPCAddr,
+ VLANID: hw.VLANID,
+ WorkerID: wID,
+ Retries: h.IPXEScriptRetries,
+ RetryDelay: h.IPXEScriptRetryDelay,
 }
 if sc := span.SpanContext(); sc.IsSampled() {
 auto.TraceID = sc.TraceID().String()
diff --git a/internal/ipxe/script/ipxe_test.go b/internal/ipxe/script/ipxe_test.go
index 4d2a8e5a..f209c47c 100644
--- a/internal/ipxe/script/ipxe_test.go
+++ b/internal/ipxe/script/ipxe_test.go
@@ -58,7 +58,7 @@ set retry_delay:int32 3
 set idx:int32 0
 :retry_kernel
 kernel ${download-url}/vmlinuz-${arch} vlan_id=1234 \
-facility=onprem syslog_host= grpc_authority= tinkerbell_tls=false worker_id=00:01:02:03:04:05 hw_addr=00:01:02:03:04:05 \
+facility=onprem syslog_host= grpc_authority= tinkerbell_tls=false tinkerbell_insecure_tls=false worker_id=00:01:02:03:04:05 hw_addr=00:01:02:03:04:05 \
 modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel

 :download_initrd