Merge branch 'main' into dependabot/go_modules/go.opentelemetry.io/ot…

…el-1.29.0

cmd/smee/flag.go

@@ -111,6 +111,7 @@ func ipxeHTTPScriptFlags(c *config, fs *flag.FlagSet) {
 	fs.StringVar(&c.ipxeHTTPScript.hookURL, "osie-url", "", "[http] URL where OSIE (HookOS) images are located")
 	fs.StringVar(&c.ipxeHTTPScript.tinkServer, "tink-server", "", "[http] IP:Port for the Tink server")
 	fs.BoolVar(&c.ipxeHTTPScript.tinkServerUseTLS, "tink-server-tls", false, "[http] use TLS for Tink server")
+	fs.BoolVar(&c.ipxeHTTPScript.tinkServerInsecureTLS, "tink-server-insecure-tls", false, "[http] use insecure TLS for Tink server")
 	fs.IntVar(&c.ipxeHTTPScript.retries, "ipxe-script-retries", 0, "[http] number of retries to attempt when fetching kernel and initrd files in the iPXE script")
 	fs.IntVar(&c.ipxeHTTPScript.retryDelay, "ipxe-script-retry-delay", 2, "[http] delay (in seconds) between retries when fetching kernel and initrd files in the iPXE script")
 }

cmd/smee/flag_test.go

@@ -140,6 +140,7 @@ FLAGS
   -ipxe-script-retry-delay            [http] delay (in seconds) between retries when fetching kernel and initrd files in the iPXE script (default "2")
   -osie-url                           [http] URL where OSIE (HookOS) images are located
   -tink-server                        [http] IP:Port for the Tink server
+  -tink-server-insecure-tls           [http] use insecure TLS for Tink server (default "false")
   -tink-server-tls                    [http] use TLS for Tink server (default "false")
   -trusted-proxies                    [http] comma separated list of trusted proxies in CIDR notation
   -otel-endpoint                      [otel] OpenTelemetry collector endpoint

cmd/smee/main.go

@@ -82,16 +82,17 @@ type ipxeHTTPBinary struct {
 }
 
 type ipxeHTTPScript struct {
-	enabled          bool
-	bindAddr         string
-	bindPort         int
-	extraKernelArgs  string
-	hookURL          string
-	tinkServer       string
-	tinkServerUseTLS bool
-	trustedProxies   string
-	retries          int
-	retryDelay       int
+	enabled               bool
+	bindAddr              string
+	bindPort              int
+	extraKernelArgs       string
+	hookURL               string
+	tinkServer            string
+	tinkServerUseTLS      bool
+	tinkServerInsecureTLS bool
+	trustedProxies        string
+	retries               int
+	retryDelay            int
 }
 
 type dhcpMode string
@@ -221,16 +222,17 @@ func main() {
 			panic(fmt.Errorf("failed to create backend: %w", err))
 		}
 		jh := script.Handler{
-			Logger:               log,
-			Backend:              br,
-			OSIEURL:              cfg.ipxeHTTPScript.hookURL,
-			ExtraKernelParams:    strings.Split(cfg.ipxeHTTPScript.extraKernelArgs, " "),
-			PublicSyslogFQDN:     cfg.dhcp.syslogIP,
-			TinkServerTLS:        cfg.ipxeHTTPScript.tinkServerUseTLS,
-			TinkServerGRPCAddr:   cfg.ipxeHTTPScript.tinkServer,
-			IPXEScriptRetries:    cfg.ipxeHTTPScript.retries,
-			IPXEScriptRetryDelay: cfg.ipxeHTTPScript.retryDelay,
-			StaticIPXEEnabled:    (dhcpMode(cfg.dhcp.mode) == dhcpModeAutoProxy),
+			Logger:                log,
+			Backend:               br,
+			OSIEURL:               cfg.ipxeHTTPScript.hookURL,
+			ExtraKernelParams:     strings.Split(cfg.ipxeHTTPScript.extraKernelArgs, " "),
+			PublicSyslogFQDN:      cfg.dhcp.syslogIP,
+			TinkServerTLS:         cfg.ipxeHTTPScript.tinkServerUseTLS,
+			TinkServerInsecureTLS: cfg.ipxeHTTPScript.tinkServerInsecureTLS,
+			TinkServerGRPCAddr:    cfg.ipxeHTTPScript.tinkServer,
+			IPXEScriptRetries:     cfg.ipxeHTTPScript.retries,
+			IPXEScriptRetryDelay:  cfg.ipxeHTTPScript.retryDelay,
+			StaticIPXEEnabled:     (dhcpMode(cfg.dhcp.mode) == dhcpModeAutoProxy),
 		}
 
 		// serve ipxe script from the "/" URI.

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
 	github.com/packethost/xff v0.0.0-20190305172552-d3e9190c41b3
 	github.com/peterbourgon/ff/v3 v3.4.0
-	github.com/prometheus/client_golang v1.20.0
+	github.com/prometheus/client_golang v1.20.2
 	github.com/tinkerbell/ipxedust v0.0.0-20240726225714-c9bd1dd89cc3
 	github.com/tinkerbell/tink v0.10.0
 	github.com/vishvananda/netlink v1.1.0

go.sum

@@ -144,8 +144,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.20.0 h1:jBzTZ7B099Rg24tny+qngoynol8LtVYlA2bqx3vEloI=
-github.com/prometheus/client_golang v1.20.0/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
+github.com/prometheus/client_golang v1.20.2 h1:5ctymQzZlyOON1666svgwn3s6IKWgfbjsejTMiXIyjg=
+github.com/prometheus/client_golang v1.20.2/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
 github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc=

internal/ipxe/script/auto_test.go

@@ -40,7 +40,7 @@ set retry_delay:int32 3
 set idx:int32 0
 :retry_kernel
 kernel ${download-url}/vmlinuz-${arch} tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0 tinkerbell=packet \
-facility=onprem syslog_host=1.2.3.4 grpc_authority=1.2.3.4:42113 tinkerbell_tls=false worker_id=3c:ec:ef:4c:4f:54 hw_addr=3c:ec:ef:4c:4f:54 \
+facility=onprem syslog_host=1.2.3.4 grpc_authority=1.2.3.4:42113 tinkerbell_tls=false tinkerbell_insecure_tls=false worker_id=3c:ec:ef:4c:4f:54 hw_addr=3c:ec:ef:4c:4f:54 \
 modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel
 
 :download_initrd
@@ -97,7 +97,7 @@ set retry_delay:int32 3
 set idx:int32 0
 :retry_kernel
 kernel ${download-url}/vmlinuz-${arch} vlan_id=16 tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0 tinkerbell=packet \
-facility=onprem syslog_host=1.2.3.4 grpc_authority=1.2.3.4:42113 tinkerbell_tls=false worker_id=3c:ec:ef:4c:4f:54 hw_addr=3c:ec:ef:4c:4f:54 \
+facility=onprem syslog_host=1.2.3.4 grpc_authority=1.2.3.4:42113 tinkerbell_tls=false tinkerbell_insecure_tls=false worker_id=3c:ec:ef:4c:4f:54 hw_addr=3c:ec:ef:4c:4f:54 \
 modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel
 
 :download_initrd

internal/ipxe/script/hook.go

@@ -16,7 +16,7 @@ set retry_delay:int32 {{ .RetryDelay }}
 set idx:int32 0
 :retry_kernel
 kernel ${download-url}/vmlinuz-${arch} {{- if ne .VLANID "" }} vlan_id={{ .VLANID }} {{- end }} {{- range .ExtraKernelParams}} {{.}} {{- end}} \
-facility={{ .Facility }} syslog_host={{ .SyslogHost }} grpc_authority={{ .TinkGRPCAuthority }} tinkerbell_tls={{ .TinkerbellTLS }} worker_id={{ .WorkerID }} hw_addr={{ .HWAddr }} \
+facility={{ .Facility }} syslog_host={{ .SyslogHost }} grpc_authority={{ .TinkGRPCAuthority }} tinkerbell_tls={{ .TinkerbellTLS }} tinkerbell_insecure_tls={{ .TinkerbellInsecureTLS }} worker_id={{ .WorkerID }} hw_addr={{ .HWAddr }} \
 modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel
 
 :download_initrd
@@ -47,18 +47,19 @@ exit
 
 // Hook holds the values used to generate the iPXE script that loads the Hook OS.
 type Hook struct {
-	Arch              string   // example x86_64
-	Console           string   // example ttyS1,115200
-	DownloadURL       string   // example https://location:8080/to/kernel/and/initrd
-	ExtraKernelParams []string // example tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0
-	Facility          string
-	HWAddr            string // example 3c:ec:ef:4c:4f:54
-	SyslogHost        string
-	TinkerbellTLS     bool
-	TinkGRPCAuthority string // example 192.168.2.111:42113
-	TraceID           string
-	VLANID            string // string number between 1-4095
-	WorkerID          string // example 3c:ec:ef:4c:4f:54 or worker1
-	Retries           int    // number of retries to attempt when fetching kernel and initrd files
-	RetryDelay        int    // number of seconds to wait between retries
+	Arch                  string   // example x86_64
+	Console               string   // example ttyS1,115200
+	DownloadURL           string   // example https://location:8080/to/kernel/and/initrd
+	ExtraKernelParams     []string // example tink_worker_image=quay.io/tinkerbell/tink-worker:v0.8.0
+	Facility              string
+	HWAddr                string // example 3c:ec:ef:4c:4f:54
+	SyslogHost            string
+	TinkerbellTLS         bool
+	TinkerbellInsecureTLS bool
+	TinkGRPCAuthority     string // example 192.168.2.111:42113
+	TraceID               string
+	VLANID                string // string number between 1-4095
+	WorkerID              string // example 3c:ec:ef:4c:4f:54 or worker1
+	Retries               int    // number of retries to attempt when fetching kernel and initrd files
+	RetryDelay            int    // number of seconds to wait between retries
 }

internal/ipxe/script/ipxe.go

@@ -19,16 +19,17 @@ import (
 )
 
 type Handler struct {
-	Logger               logr.Logger
-	Backend              handler.BackendReader
-	OSIEURL              string
-	ExtraKernelParams    []string
-	PublicSyslogFQDN     string
-	TinkServerTLS        bool
-	TinkServerGRPCAddr   string
-	IPXEScriptRetries    int
-	IPXEScriptRetryDelay int
-	StaticIPXEEnabled    bool
+	Logger                logr.Logger
+	Backend               handler.BackendReader
+	OSIEURL               string
+	ExtraKernelParams     []string
+	PublicSyslogFQDN      string
+	TinkServerTLS         bool
+	TinkServerInsecureTLS bool
+	TinkServerGRPCAddr    string
+	IPXEScriptRetries     int
+	IPXEScriptRetryDelay  int
+	StaticIPXEEnabled     bool
 }
 
 type data struct {
@@ -258,19 +259,20 @@ func (h *Handler) defaultScript(span trace.Span, hw data) (string, error) {
 	}
 
 	auto := Hook{
-		Arch:              arch,
-		Console:           "",
-		DownloadURL:       h.OSIEURL,
-		ExtraKernelParams: h.ExtraKernelParams,
-		Facility:          hw.Facility,
-		HWAddr:            mac.String(),
-		SyslogHost:        h.PublicSyslogFQDN,
-		TinkerbellTLS:     h.TinkServerTLS,
-		TinkGRPCAuthority: h.TinkServerGRPCAddr,
-		VLANID:            hw.VLANID,
-		WorkerID:          wID,
-		Retries:           h.IPXEScriptRetries,
-		RetryDelay:        h.IPXEScriptRetryDelay,
+		Arch:                  arch,
+		Console:               "",
+		DownloadURL:           h.OSIEURL,
+		ExtraKernelParams:     h.ExtraKernelParams,
+		Facility:              hw.Facility,
+		HWAddr:                mac.String(),
+		SyslogHost:            h.PublicSyslogFQDN,
+		TinkerbellTLS:         h.TinkServerTLS,
+		TinkerbellInsecureTLS: h.TinkServerInsecureTLS,
+		TinkGRPCAuthority:     h.TinkServerGRPCAddr,
+		VLANID:                hw.VLANID,
+		WorkerID:              wID,
+		Retries:               h.IPXEScriptRetries,
+		RetryDelay:            h.IPXEScriptRetryDelay,
 	}
 	if sc := span.SpanContext(); sc.IsSampled() {
 		auto.TraceID = sc.TraceID().String()

internal/ipxe/script/ipxe_test.go

@@ -58,7 +58,7 @@ set retry_delay:int32 3
 set idx:int32 0
 :retry_kernel
 kernel ${download-url}/vmlinuz-${arch} vlan_id=1234 \
-facility=onprem syslog_host= grpc_authority= tinkerbell_tls=false worker_id=00:01:02:03:04:05 hw_addr=00:01:02:03:04:05 \
+facility=onprem syslog_host= grpc_authority= tinkerbell_tls=false tinkerbell_insecure_tls=false worker_id=00:01:02:03:04:05 hw_addr=00:01:02:03:04:05 \
 modules=loop,squashfs,sd-mod,usb-storage intel_iommu=on iommu=pt initrd=initramfs-${arch} console=tty0 console=ttyS1,115200 && goto download_initrd || iseq ${idx} ${retries} && goto kernel-error || inc idx && echo retry in ${retry_delay} seconds ; sleep ${retry_delay} ; goto retry_kernel
 
 :download_initrd