
Commit 6e912d3

authored
smee: introduce bool tink-server-insecure-tls controlling tinkerbell_insecure_tls kernel parameter (#479)
#### smee: introduce bool `tink-server-insecure-tls` controlling `tinkerbell_insecure_tls` kernel parameter - for usage with `tink-worker`'s tinkerbell/tink#960 Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
2 parents db21d79 + 43f2e4a commit 6e912d3


7 files changed

+68
-61
lines changed


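--- a/cmd/smee/flag.go
+++ b/cmd/smee/flag.go
@@ -111,6 +111,7 @@ func ipxeHTTPScriptFlags(c *config, fs *flag.FlagSet) {
 fs.StringVar(&c.ipxeHTTPScript.hookURL, "osie-url", "", "[http] URL where OSIE (HookOS) images are located")
 fs.StringVar(&c.ipxeHTTPScript.tinkServer, "tink-server", "", "[http] IP:Port for the Tink server")
 fs.BoolVar(&c.ipxeHTTPScript.tinkServerUseTLS, "tink-server-tls", false, "[http] use TLS for Tink server")
+fs.BoolVar(&c.ipxeHTTPScript.tinkServerInsecureTLS, "tink-server-insecure-tls", false, "[http] use insecure TLS for Tink server")
 fs.IntVar(&c.ipxeHTTPScript.retries, "ipxe-script-retries", 0, "[http] number of retries to attempt when fetching kernel and initrd files in the iPXE script")
 fs.IntVar(&c.ipxeHTTPScript.retryDelay, "ipxe-script-retry-delay", 2, "[http] delay (in seconds) between retries when fetching kernel and initrd files in the iPXE script")
 }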
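Review bot: The help string on the new `tink-server-insecure-tls` flag, `"[http] use insecure TLS for Tink server"`, does not tell an operator what the flag does or when it is acceptable, which matters for the one option in this set that relaxes transport security. Within this commit its only effect is that `tinkerbell_insecure_tls=<value>` is appended to the worker kernel command line, and the description ties it to tink-worker (tinkerbell/tink#960), so the text should say that and mark it as a non-production setting, e.g. `"[http] pass tinkerbell_insecure_tls=true to booted workers so they use insecure TLS towards the Tink server; intended for test environments only"`. The flag is also accepted independently of `tink-server-tls`; the place to warn about or reject `tink-server-insecure-tls` without `tink-server-tls` is where the config is consumed in cmd/smee/main.go. `ipxeHTTPScriptFlags` starts before this hunk.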

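--- a/cmd/smee/flag_test.go
+++ b/cmd/smee/flag_test.go
@@ -140,6 +140,7 @@ FLAGS
 -ipxe-script-retry-delay [http] delay (in seconds) between retries when fetching kernel and initrd files in the iPXE script (default "2")
 -osie-url [http] URL where OSIE (HookOS) images are located
 -tink-server [http] IP:Port for the Tink server
+-tink-server-insecure-tls [http] use insecure TLS for Tink server (default "false")
 -tink-server-tls [http] use TLS for Tink server (default "false")
 -trusted-proxies [http] comma separated list of trusted proxies in CIDR notation
 -otel-endpoint [otel] OpenTelemetry collector endpoint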

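--- a/cmd/smee/main.go
+++ b/cmd/smee/main.go
@@ -82,16 +82,17 @@ type ipxeHTTPBinary struct {
 }
 
 type ipxeHTTPScript struct {
-enabled bool
-bindAddr string
-bindPort int
-extraKernelArgs string
-hookURL string
-tinkServer string
-tinkServerUseTLS bool
-trustedProxies string
-retries int
-retryDelay int
+enabled bool
+bindAddr string
+bindPort int
+extraKernelArgs string
+hookURL string
+tinkServer string
+tinkServerUseTLS bool
+tinkServerInsecureTLS bool
+trustedProxies string
+retries int
+retryDelay int
 }
 
 type dhcpMode string
@@ -221,16 +222,17 @@ func main() {
 panic(fmt.Errorf("failed to create backend: %w", err))
 }
 jh := script.Handler{
-Logger: log,
-Backend: br,
-OSIEURL: cfg.ipxeHTTPScript.hookURL,
-ExtraKernelParams: strings.Split(cfg.ipxeHTTPScript.extraKernelArgs, " "),
-PublicSyslogFQDN: cfg.dhcp.syslogIP,
-TinkServerTLS: cfg.ipxeHTTPScript.tinkServerUseTLS,
-TinkServerGRPCAddr: cfg.ipxeHTTPScript.tinkServer,
-IPXEScriptRetries: cfg.ipxeHTTPScript.retries,
-IPXEScriptRetryDelay: cfg.ipxeHTTPScript.retryDelay,
-StaticIPXEEnabled: (dhcpMode(cfg.dhcp.mode) == dhcpModeAutoProxy),
+Logger: log,
+Backend: br,
+OSIEURL: cfg.ipxeHTTPScript.hookURL,
+ExtraKernelParams: strings.Split(cfg.ipxeHTTPScript.extraKernelArgs, " "),
+PublicSyslogFQDN: cfg.dhcp.syslogIP,
+TinkServerTLS: cfg.ipxeHTTPScript.tinkServerUseTLS,
+TinkServerInsecureTLS: cfg.ipxeHTTPScript.tinkServerInsecureTLS,
+TinkServerGRPCAddr: cfg.ipxeHTTPScript.tinkServer,
+IPXEScriptRetries: cfg.ipxeHTTPScript.retries,
+IPXEScriptRetryDelay: cfg.ipxeHTTPScript.retryDelay,
+StaticIPXEEnabled: (dhcpMode(cfg.dhcp.mode) == dhcpModeAutoProxy),
 }
 
 // serve ipxe script from the "/" URI.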
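Review bot: Nothing in `main` records or validates `cfg.ipxeHTTPScript.tinkServerInsecureTLS` before it is copied into `script.Handler` on the new `TinkServerInsecureTLS:` line (second hunk), so a smee instance that tells every worker it boots to use insecure TLS leaves no trace of that in its own startup log. The setting is presumably meaningful only together with `tinkServerUseTLS`, so I would add, just before `jh := script.Handler{`: `if cfg.ipxeHTTPScript.tinkServerInsecureTLS {` / `log.Info("tink-server-insecure-tls is enabled; tinkerbell_insecure_tls=true will be passed to every booted worker", "tinkServerTLS", cfg.ipxeHTTPScript.tinkServerUseTLS)` / `}`. Whether `tinkServerInsecureTLS && !tinkServerUseTLS` should be rejected outright depends on how tink-worker treats that pair, which is outside this diff. `main` starts before the hunk and continues after it.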

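--- a/internal/ipxe/script/auto_test.go
+++ b/internal/ipxe/script/auto_test.go
@@ -40,7 +40,7 @@ set retry_delay:int32 3
 set idx:int32 0
 :retry_kernel
 kernel ${download-url}/vmlinuz-${arch} tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0 tinkerbell=packet \
-facility=onprem syslog_host=1.2.3.4 grpc_authority=1.2.3.4:42113 tinkerbell_tls=false worker_id=3c:ec:ef:4c:4f:54 hw_addr=3c:ec:ef:4c:4f:54 \
+facility=onprem syslog_host=1.2.3.4 grpc_authority=1.2.3.4:42113 tinkerbell_tls=false tinkerbell_insecure_tls=false worker_id=3c:ec:ef:4c:4f:54 hw_addr=3c:ec:ef:4c:4f:54 \
 modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel
 
 :download_initrd
@@ -97,7 +97,7 @@ set retry_delay:int32 3
 set idx:int32 0
 :retry_kernel
 kernel ${download-url}/vmlinuz-${arch} vlan_id=16 tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0 tinkerbell=packet \
-facility=onprem syslog_host=1.2.3.4 grpc_authority=1.2.3.4:42113 tinkerbell_tls=false worker_id=3c:ec:ef:4c:4f:54 hw_addr=3c:ec:ef:4c:4f:54 \
+facility=onprem syslog_host=1.2.3.4 grpc_authority=1.2.3.4:42113 tinkerbell_tls=false tinkerbell_insecure_tls=false worker_id=3c:ec:ef:4c:4f:54 hw_addr=3c:ec:ef:4c:4f:54 \
 modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel
 
 :download_initrd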
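Review bot: Every updated expectation in both hunks here, and the one in internal/ipxe/script/ipxe_test.go, asserts only `tinkerbell_insecure_tls=false`, which is the zero value of the new field, so the path from `TinkerbellInsecureTLS: true` to `tinkerbell_insecure_tls=true` in the rendered script is never exercised. A fixture that sets `TinkerbellInsecureTLS: true` on the `Hook` value and expects `tinkerbell_insecure_tls=true` on the kernel line would catch the regression that matters most for a security-relaxing setting: the flag being silently dropped so an operator believes it is off when it is on, or vice versa. The fixture construction lies outside these hunks.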

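--- a/internal/ipxe/script/hook.go
+++ b/internal/ipxe/script/hook.go
@@ -16,7 +16,7 @@ set retry_delay:int32 {{ .RetryDelay }}
 set idx:int32 0
 :retry_kernel
 kernel ${download-url}/vmlinuz-${arch} {{- if ne .VLANID "" }} vlan_id={{ .VLANID }} {{- end }} {{- range .ExtraKernelParams}} {{.}} {{- end}} \
-facility={{ .Facility }} syslog_host={{ .SyslogHost }} grpc_authority={{ .TinkGRPCAuthority }} tinkerbell_tls={{ .TinkerbellTLS }} worker_id={{ .WorkerID }} hw_addr={{ .HWAddr }} \
+facility={{ .Facility }} syslog_host={{ .SyslogHost }} grpc_authority={{ .TinkGRPCAuthority }} tinkerbell_tls={{ .TinkerbellTLS }} tinkerbell_insecure_tls={{ .TinkerbellInsecureTLS }} worker_id={{ .WorkerID }} hw_addr={{ .HWAddr }} \
 modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel
 
 :download_initrd
@@ -47,18 +47,19 @@ exit
 
 // Hook holds the values used to generate the iPXE script that loads the Hook OS.
 type Hook struct {
-Arch string // example x86_64
-Console string // example ttyS1,115200
-DownloadURL string // example https://location:8080/to/kernel/and/initrd
-ExtraKernelParams []string // example tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0
-Facility string
-HWAddr string // example 3c:ec:ef:4c:4f:54
-SyslogHost string
-TinkerbellTLS bool
-TinkGRPCAuthority string // example 192.168.2.111:42113
-TraceID string
-VLANID string // string number between 1-4095
-WorkerID string // example 3c:ec:ef:4c:4f:54 or worker1
-Retries int // number of retries to attempt when fetching kernel and initrd files
-RetryDelay int // number of seconds to wait between retries
+Arch string // example x86_64
+Console string // example ttyS1,115200
+DownloadURL string // example https://location:8080/to/kernel/and/initrd
+ExtraKernelParams []string // example tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0
+Facility string
+HWAddr string // example 3c:ec:ef:4c:4f:54
+SyslogHost string
+TinkerbellTLS bool
+TinkerbellInsecureTLS bool
+TinkGRPCAuthority string // example 192.168.2.111:42113
+TraceID string
+VLANID string // string number between 1-4095
+WorkerID string // example 3c:ec:ef:4c:4f:54 or worker1
+Retries int // number of retries to attempt when fetching kernel and initrd files
+RetryDelay int // number of seconds to wait between retries
 }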
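Review bot: The new `TinkerbellInsecureTLS bool` field on `Hook` (second hunk) has no comment, while most neighbouring fields document their meaning or format, and this is the one field whose effect is to weaken a security setting on the booted machine. I would document where the value ends up and who reads it: `TinkerbellInsecureTLS bool // rendered as tinkerbell_insecure_tls= on the kernel command line; consumed by tink-worker (tinkerbell/tink#960), not by smee`. The template change in the first hunk also emits `tinkerbell_insecure_tls=` unconditionally, so every existing deployment now boots with an extra kernel argument; presumably older HookOS/tink-worker images ignore the unknown parameter, but that is worth confirming rather than assuming.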

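--- a/internal/ipxe/script/ipxe.go
+++ b/internal/ipxe/script/ipxe.go
@@ -19,16 +19,17 @@ import (
 )
 
 type Handler struct {
-Logger logr.Logger
-Backend handler.BackendReader
-OSIEURL string
-ExtraKernelParams []string
-PublicSyslogFQDN string
-TinkServerTLS bool
-TinkServerGRPCAddr string
-IPXEScriptRetries int
-IPXEScriptRetryDelay int
-StaticIPXEEnabled bool
+Logger logr.Logger
+Backend handler.BackendReader
+OSIEURL string
+ExtraKernelParams []string
+PublicSyslogFQDN string
+TinkServerTLS bool
+TinkServerInsecureTLS bool
+TinkServerGRPCAddr string
+IPXEScriptRetries int
+IPXEScriptRetryDelay int
+StaticIPXEEnabled bool
 }
 
 type data struct {
@@ -258,19 +259,20 @@ func (h *Handler) defaultScript(span trace.Span, hw data) (string, error) {
 }
 
 auto := Hook{
-Arch: arch,
-Console: "",
-DownloadURL: h.OSIEURL,
-ExtraKernelParams: h.ExtraKernelParams,
-Facility: hw.Facility,
-HWAddr: mac.String(),
-SyslogHost: h.PublicSyslogFQDN,
-TinkerbellTLS: h.TinkServerTLS,
-TinkGRPCAuthority: h.TinkServerGRPCAddr,
-VLANID: hw.VLANID,
-WorkerID: wID,
-Retries: h.IPXEScriptRetries,
-RetryDelay: h.IPXEScriptRetryDelay,
+Arch: arch,
+Console: "",
+DownloadURL: h.OSIEURL,
+ExtraKernelParams: h.ExtraKernelParams,
+Facility: hw.Facility,
+HWAddr: mac.String(),
+SyslogHost: h.PublicSyslogFQDN,
+TinkerbellTLS: h.TinkServerTLS,
+TinkerbellInsecureTLS: h.TinkServerInsecureTLS,
+TinkGRPCAuthority: h.TinkServerGRPCAddr,
+VLANID: hw.VLANID,
+WorkerID: wID,
+Retries: h.IPXEScriptRetries,
+RetryDelay: h.IPXEScriptRetryDelay,
 }
 if sc := span.SpanContext(); sc.IsSampled() {
 auto.TraceID = sc.TraceID().String()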
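Review bot: `TinkServerInsecureTLS` on `Handler` (first hunk) is the entry point for the insecure setting into this package and, like the rest of the exported struct, it is undocumented; because callers other than cmd/smee may build a `Handler`, a comment naming the consequence is worth having: `TinkServerInsecureTLS bool // copied into Hook.TinkerbellInsecureTLS and thus emitted as the tinkerbell_insecure_tls kernel parameter of every generated script`. In `defaultScript` (second hunk) the value is forwarded on the `TinkerbellInsecureTLS:` line without regard to `TinkServerTLS`, so `TinkServerTLS=false, TinkServerInsecureTLS=true` renders `tinkerbell_tls=false tinkerbell_insecure_tls=true`, a pair with no obvious meaning; whether this handler should warn on or reject it depends on how tink-worker interprets the combination, which is not visible here. `defaultScript` starts before the hunk and continues after it.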

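--- a/internal/ipxe/script/ipxe_test.go
+++ b/internal/ipxe/script/ipxe_test.go
@@ -58,7 +58,7 @@ set retry_delay:int32 3
 set idx:int32 0
 :retry_kernel
 kernel ${download-url}/vmlinuz-${arch} vlan_id=1234 \
-facility=onprem syslog_host= grpc_authority= tinkerbell_tls=false worker_id=00:01:02:03:04:05 hw_addr=00:01:02:03:04:05 \
+facility=onprem syslog_host= grpc_authority= tinkerbell_tls=false tinkerbell_insecure_tls=false worker_id=00:01:02:03:04:05 hw_addr=00:01:02:03:04:05 \
 modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel
 
 :download_initrd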
