tinkerbell · mergify · Jun 15, 2020 · Jun 2, 2020 · Jun 2, 2020 · Jun 2, 2020
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
@@ -1,10 +1,5 @@
 version: "2.1"
 services:
-  certs:
-    build: tls
-    volumes:
-      - ./certs:/certs
-
   tink-server:
     image: quay.io/tinkerbell/tink:latest
     restart: unless-stopped
@@ -31,7 +26,7 @@ services:
       timeout: 2s
       retries: 30
     volumes:
-      - ./certs:/certs/${FACILITY}
+      - ./state/certs:/certs/${FACILITY}
     logging:
       driver: fluentd
       options:
@@ -84,6 +79,11 @@ services:
         REGISTRY_USERNAME: $TINKERBELL_REGISTRY_USERNAME
         REGISTRY_PASSWORD: $TINKERBELL_REGISTRY_PASSWORD
     restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "curl --cacert /certs/ca.pem https://127.0.0.1"]
+      interval: 5s
+      timeout: 1s
+      retries: 5
     environment:
       REGISTRY_HTTP_ADDR: 0.0.0.0:443
       REGISTRY_HTTP_TLS_CERTIFICATE: /certs/server.pem
@@ -92,8 +92,8 @@ services:
       REGISTRY_AUTH_HTPASSWD_REALM: "Registry Realm"
       REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
     volumes:
-      - ./certs:/certs
-      - /var/tinkerbell/registry:/var/lib/registry
+      - ./state/certs:/certs
+      - ./state/registry:/var/lib/registry
     depends_on:
       fluentbit:
         condition: service_started
@@ -152,7 +152,7 @@ services:
     ports:
       - $TINKERBELL_NGINX_IP:80:80/tcp
     volumes:
-      - /var/tinkerbell/nginx/:/usr/share/nginx/html/
+      - ./state/webroot:/usr/share/nginx/html/
     logging:
       driver: fluentd
       options:
@@ -187,7 +187,7 @@ services:
     depends_on:
       - elasticsearch
     volumes:
-      - ./fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf
+      - ./fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf:ro
 
   cacher:
     image: quay.io/packet/cacher:workflow
@@ -207,7 +207,7 @@ services:
       PGUSER: tinkerbell
       ROLLBAR_TOKEN: ${ROLLBAR_TOKEN-ignored}
     volumes:
-      - ./certs:/certs/${FACILITY}
+      - ./state/certs:/certs/${FACILITY}
     logging:
       driver: fluentd
       options:

diff --git a/deploy/registry/Dockerfile b/deploy/registry/Dockerfile
@@ -1,6 +1,7 @@
 FROM registry:2
+RUN apk add --no-cache --update curl
 ARG REGISTRY_USERNAME
 ARG REGISTRY_PASSWORD
 RUN mkdir -p /certs /auth
 RUN htpasswd -Bbn ${REGISTRY_USERNAME} ${REGISTRY_PASSWORD} > /auth/htpasswd
-EXPOSE 443
+EXPOSE 443
diff --git a/deploy/tls/entrypoint.sh b/deploy/tls/entrypoint.sh
@@ -4,12 +4,9 @@
 
 if [ -z "${TINKERBELL_TLS_CERT:-}" ]; then
 	(
-		FACILITY=$(echo "$FACILITY" | tr '[:upper:]' '[:lower:]')
 		echo "creating directory"
 		mkdir -p "certs"
-		FACILITY=$FACILITY sh gencerts.sh
-		rm server.csr server-csr.json
-		rm ca.csr ca.json
+		./gencerts.sh
 	)
 fi
 

diff --git a/deploy/tls/gencerts.sh b/deploy/tls/gencerts.sh
@@ -1,29 +1,30 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
 
-if ! { [[ -r ca.json ]] && [[ -r ca.pem ]] && [[ -r ca-key.pem ]]; }; then
-	sed "s|@FACILITY@|$FACILITY|g" <ca.in.json >ca.json
+set -eux
+
+cd /certs
+
+if [ ! -f ca-key.pem ]; then
 	cfssl gencert \
 		-initca ca.json | cfssljson -bare ca
-	rm -f server-csr.json server-*.pem
 fi
-if ! { [[ -r server-csr.json ]] && [[ -r server.pem ]] && [[ -r server-key.pem ]]; }; then
-	sed "s|@FACILITY@|$FACILITY|g" <server-csr.in.json >server-csr.json
+
+if [ ! -f server.pem ]; then
 	cfssl gencert \
 		-ca=ca.pem \
 		-ca-key=ca-key.pem \
-		-config=ca-config.json \
+		-config=/ca-config.json \
 		-profile=server \
-		server-csr.json | cfssljson -bare server
-	cat server.pem ca.pem | tee bundle.pem
+		server-csr.json |
+		cfssljson -bare server
 fi
 
+cat server.pem ca.pem >bundle.pem.tmp
+
 # only "modify" the file if truly necessary since workflow will serve it with
 # modtime info for client caching purposes
-cat server.pem ca.pem >bundle.pem.tmp
 if ! cmp -s bundle.pem.tmp bundle.pem; then
 	mv bundle.pem.tmp bundle.pem
 else
 	rm bundle.pem.tmp
 fi
-
-mv *.pem certs/
diff --git a/deploy/tls/server-csr.in.json b/deploy/tls/server-csr.in.json
@@ -1,7 +1,6 @@
 {
   "CN": "tinkerbell",
   "hosts": [
-    "tinkerbell.@[email protected]",
     "tinkerbell.registry",
     "tinkerbell.tinkerbell",
     "tinkerbell",

diff --git a/generate-envrc.sh b/generate-envrc.sh
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+
+# stops the execution if a command or pipeline has an error
+set -eu
+
+if command -v tput >/dev/null && tput setaf 1 >/dev/null 2>&1; then
+	# color codes
+	RED="$(tput setaf 1)"
+	RESET="$(tput sgr0)"
+fi
+
+ERR="${RED:-}ERROR:${RESET:-}"
+
+err() (
+	if [ -z "${1:-}" ]; then
+		cat >&2
+	else
+		echo "$ERR " "$@" >&2
+	fi
+)
+
+candidate_interfaces() (
+	ip -o link show |
+		awk -F': ' '{print $2}' |
+		sed 's/[ \t].*//;/^\(lo\|bond0\|\|\)$/d' |
+		sort
+)
+
+validate_tinkerbell_network_interface() (
+	local tink_interface=$1
+
+	if ! candidate_interfaces | grep -q "^$tink_interface$"; then
+		err "Invalid interface ($tink_interface) selected, must be one of:"
+		candidate_interfaces | err
+		return 1
+	else
+		return 0
+	fi
+)
+
+generate_password() (
+	head -c 12 /dev/urandom | sha256sum | cut -d' ' -f1
+)
+
+generate_envrc() (
+	local tink_interface=$1
+
+	validate_tinkerbell_network_interface "$tink_interface"
+
+	local registry_password
+	registry_password=$(generate_password)
+	cat <<EOF
+# Network interface for Tinkerbell's network
+export TINKERBELL_NETWORK_INTERFACE="$tink_interface"
+
+# Decide on a subnet for provisioning. Tinkerbell should "own" this
+# network space. Its subnet should be just large enough to be able
+# to provision your hardware.
+export TINKERBELL_CIDR=29
+
+# Host IP is used by provisioner to expose different services such as
+# tink, boots, etc.
+#
+# The host IP should the first IP in the range, and the Nginx IP
+# should be the second address.
+export TINKERBELL_HOST_IP=192.168.1.1
+
+# NGINX IP is used by provisioner to serve files required for iPXE boot
+export TINKERBELL_NGINX_IP=192.168.1.2
+
+# Docker Registry's username and password
+export TINKERBELL_REGISTRY_USERNAME=admin
+export TINKERBELL_REGISTRY_PASSWORD="$registry_password"
+
+# Legacy options, to be deleted:
+export FACILITY=onprem
+export ROLLBAR_TOKEN=ignored
+export ROLLBAR_DISABLE=1
+EOF
+)
+
+main() (
+	if [ -z "${1:-}" ]; then
+		err "Usage: $0 network-interface-name > envrc"
+		exit 1
+	fi
+
+	generate_envrc "$1"
+)
+
+main "$@"