smee: introduce bool tink-server-insecure-tls controlling tinkerbell_insecure_tls kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>

Author: rpardini

cmd/smee/flag.go

@@ -106,6 +106,7 @@ func ipxeHTTPScriptFlags(c *config, fs *flag.FlagSet) {
 	fs.StringVar(&c.ipxeHTTPScript.hookURL, "osie-url", "", "[http] URL where OSIE (HookOS) images are located")
 	fs.StringVar(&c.ipxeHTTPScript.tinkServer, "tink-server", "", "[http] IP:Port for the Tink server")
 	fs.BoolVar(&c.ipxeHTTPScript.tinkServerUseTLS, "tink-server-tls", false, "[http] use TLS for Tink server")
+	fs.BoolVar(&c.ipxeHTTPScript.tinkServerInsecureTLS, "tink-server-insecure-tls", false, "[http] use insecure TLS for Tink server")
 	fs.IntVar(&c.ipxeHTTPScript.retries, "ipxe-script-retries", 0, "[http] number of retries to attempt when fetching kernel and initrd files in the iPXE script")
 	fs.IntVar(&c.ipxeHTTPScript.retryDelay, "ipxe-script-retry-delay", 2, "[http] delay (in seconds) between retries when fetching kernel and initrd files in the iPXE script")
 }

cmd/smee/main.go

@@ -81,6 +81,7 @@ type ipxeHTTPScript struct {
 	hookURL                       string
 	tinkServer                    string
 	tinkServerUseTLS              bool
+	tinkServerInsecureTLS         bool
 	trustedProxies                string
 	disableDiscoverTrustedProxies bool
 	retries                       int
@@ -214,15 +215,16 @@ func main() {
 		}
 
 		jh := script.Handler{
-			Logger:               log,
-			Backend:              br,
-			OSIEURL:              cfg.ipxeHTTPScript.hookURL,
-			ExtraKernelParams:    strings.Split(cfg.ipxeHTTPScript.extraKernelArgs, " "),
-			PublicSyslogFQDN:     cfg.dhcp.syslogIP,
-			TinkServerTLS:        cfg.ipxeHTTPScript.tinkServerUseTLS,
-			TinkServerGRPCAddr:   cfg.ipxeHTTPScript.tinkServer,
-			IPXEScriptRetries:    cfg.ipxeHTTPScript.retries,
-			IPXEScriptRetryDelay: cfg.ipxeHTTPScript.retryDelay,
+			Logger:                log,
+			Backend:               br,
+			OSIEURL:               cfg.ipxeHTTPScript.hookURL,
+			ExtraKernelParams:     strings.Split(cfg.ipxeHTTPScript.extraKernelArgs, " "),
+			PublicSyslogFQDN:      cfg.dhcp.syslogIP,
+			TinkServerTLS:         cfg.ipxeHTTPScript.tinkServerUseTLS,
+			TinkServerInsecureTLS: cfg.ipxeHTTPScript.tinkServerInsecureTLS,
+			TinkServerGRPCAddr:    cfg.ipxeHTTPScript.tinkServer,
+			IPXEScriptRetries:     cfg.ipxeHTTPScript.retries,
+			IPXEScriptRetryDelay:  cfg.ipxeHTTPScript.retryDelay,
 		}
 		// serve ipxe script from the "/" URI.
 		handlers["/"] = jh.HandlerFunc()

internal/ipxe/script/hook.go

@@ -16,7 +16,7 @@ set retry_delay:int32 {{ .RetryDelay }}
 set idx:int32 0
 :retry_kernel
 kernel ${download-url}/vmlinuz-${arch} {{- if ne .VLANID "" }} vlan_id={{ .VLANID }} {{- end }} {{- range .ExtraKernelParams}} {{.}} {{- end}} \
-facility={{ .Facility }} syslog_host={{ .SyslogHost }} grpc_authority={{ .TinkGRPCAuthority }} tinkerbell_tls={{ .TinkerbellTLS }} worker_id={{ .WorkerID }} hw_addr={{ .HWAddr }} \
+facility={{ .Facility }} syslog_host={{ .SyslogHost }} grpc_authority={{ .TinkGRPCAuthority }} tinkerbell_tls={{ .TinkerbellTLS }} tinkerbell_insecure_tls={{ .TinkerbellInsecureTLS }} worker_id={{ .WorkerID }} hw_addr={{ .HWAddr }} \
 modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel
 
 :download_initrd
@@ -47,18 +47,19 @@ exit
 
 // Hook holds the values used to generate the iPXE script that loads the Hook OS.
 type Hook struct {
-	Arch              string   // example x86_64
-	Console           string   // example ttyS1,115200
-	DownloadURL       string   // example https://location:8080/to/kernel/and/initrd
-	ExtraKernelParams []string // example tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0
-	Facility          string
-	HWAddr            string // example 3c:ec:ef:4c:4f:54
-	SyslogHost        string
-	TinkerbellTLS     bool
-	TinkGRPCAuthority string // example 192.168.2.111:42113
-	TraceID           string
-	VLANID            string // string number between 1-4095
-	WorkerID          string // example 3c:ec:ef:4c:4f:54 or worker1
-	Retries           int    // number of retries to attempt when fetching kernel and initrd files
-	RetryDelay        int    // number of seconds to wait between retries
+	Arch                  string   // example x86_64
+	Console               string   // example ttyS1,115200
+	DownloadURL           string   // example https://location:8080/to/kernel/and/initrd
+	ExtraKernelParams     []string // example tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0
+	Facility              string
+	HWAddr                string // example 3c:ec:ef:4c:4f:54
+	SyslogHost            string
+	TinkerbellTLS         bool
+	TinkerbellInsecureTLS bool
+	TinkGRPCAuthority     string // example 192.168.2.111:42113
+	TraceID               string
+	VLANID                string // string number between 1-4095
+	WorkerID              string // example 3c:ec:ef:4c:4f:54 or worker1
+	Retries               int    // number of retries to attempt when fetching kernel and initrd files
+	RetryDelay            int    // number of seconds to wait between retries
 }

internal/ipxe/script/ipxe.go

@@ -19,15 +19,16 @@ import (
 )
 
 type Handler struct {
-	Logger               logr.Logger
-	Backend              handler.BackendReader
-	OSIEURL              string
-	ExtraKernelParams    []string
-	PublicSyslogFQDN     string
-	TinkServerTLS        bool
-	TinkServerGRPCAddr   string
-	IPXEScriptRetries    int
-	IPXEScriptRetryDelay int
+	Logger                logr.Logger
+	Backend               handler.BackendReader
+	OSIEURL               string
+	ExtraKernelParams     []string
+	PublicSyslogFQDN      string
+	TinkServerTLS         bool
+	TinkServerInsecureTLS bool
+	TinkServerGRPCAddr    string
+	IPXEScriptRetries     int
+	IPXEScriptRetryDelay  int
 }
 
 type data struct {
@@ -218,19 +219,20 @@ func (h *Handler) defaultScript(span trace.Span, hw data) (string, error) {
 	}
 
 	auto := Hook{
-		Arch:              arch,
-		Console:           "",
-		DownloadURL:       h.OSIEURL,
-		ExtraKernelParams: h.ExtraKernelParams,
-		Facility:          hw.Facility,
-		HWAddr:            mac.String(),
-		SyslogHost:        h.PublicSyslogFQDN,
-		TinkerbellTLS:     h.TinkServerTLS,
-		TinkGRPCAuthority: h.TinkServerGRPCAddr,
-		VLANID:            hw.VLANID,
-		WorkerID:          wID,
-		Retries:           h.IPXEScriptRetries,
-		RetryDelay:        h.IPXEScriptRetryDelay,
+		Arch:                  arch,
+		Console:               "",
+		DownloadURL:           h.OSIEURL,
+		ExtraKernelParams:     h.ExtraKernelParams,
+		Facility:              hw.Facility,
+		HWAddr:                mac.String(),
+		SyslogHost:            h.PublicSyslogFQDN,
+		TinkerbellTLS:         h.TinkServerTLS,
+		TinkerbellInsecureTLS: h.TinkServerInsecureTLS,
+		TinkGRPCAuthority:     h.TinkServerGRPCAddr,
+		VLANID:                hw.VLANID,
+		WorkerID:              wID,
+		Retries:               h.IPXEScriptRetries,
+		RetryDelay:            h.IPXEScriptRetryDelay,
 	}
 	if sc := span.SpanContext(); sc.IsSampled() {
 		auto.TraceID = sc.TraceID().String()