
feat: add secure boot support to non-metal image factory urls
Adds checks for the SecureBootSupported flag in the Platforms metadata and
populates the relevant Secure Boot URLs when it is set.

Signed-off-by: Matt Willsher <[email protected]>
Signed-off-by: Noel Georgi <[email protected]>
mattwillsher authored and frezbo committed Jan 8, 2025
1 parent a0aaf5f commit 5c0ff77
Showing 6 changed files with 34 additions and 13 deletions.
12 changes: 6 additions & 6 deletions go.mod
Expand Up @@ -18,10 +18,10 @@ require (
github.com/siderolabs/crypto v0.5.1
github.com/siderolabs/gen v0.8.0
github.com/siderolabs/go-blockdevice v0.4.8
github.com/siderolabs/image-factory v0.6.4
github.com/siderolabs/image-factory v0.6.6-0.20241227134227-3b302c6a4ca1
github.com/siderolabs/net v0.4.0
github.com/siderolabs/talos v1.9.0
github.com/siderolabs/talos/pkg/machinery v1.9.0
github.com/siderolabs/talos v1.10.0-alpha.0
github.com/siderolabs/talos/pkg/machinery v1.10.0-alpha.0
github.com/stretchr/testify v1.10.0
golang.org/x/mod v0.22.0
google.golang.org/grpc v1.69.0
Expand Down Expand Up @@ -174,7 +174,7 @@ require (
github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/shopspring/decimal v1.3.1 // indirect
github.com/siderolabs/go-blockdevice/v2 v2.0.7 // indirect
github.com/siderolabs/go-blockdevice/v2 v2.0.8 // indirect
github.com/siderolabs/go-circular v0.2.1 // indirect
github.com/siderolabs/go-kubernetes v0.2.17 // indirect
github.com/siderolabs/go-pointer v1.0.0 // indirect
Expand Down Expand Up @@ -212,9 +212,9 @@ require (
go.opentelemetry.io/otel v1.31.0 // indirect
go.opentelemetry.io/otel/metric v1.31.0 // indirect
go.opentelemetry.io/otel/trace v1.31.0 // indirect
golang.org/x/crypto v0.30.0 // indirect
golang.org/x/crypto v0.31.0 // indirect
golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
golang.org/x/net v0.32.0 // indirect
golang.org/x/net v0.33.0 // indirect
golang.org/x/oauth2 v0.24.0 // indirect
golang.org/x/sync v0.10.0 // indirect
golang.org/x/sys v0.28.0 // indirect
12 changes: 12 additions & 0 deletions go.sum
Expand Up @@ -657,6 +657,8 @@ github.com/siderolabs/go-blockdevice v0.4.8 h1:KfdWvIx0Jft5YVuCsFIJFwjWEF1oqtzkg
github.com/siderolabs/go-blockdevice v0.4.8/go.mod h1:4PeOuk71pReJj1JQEXDE7kIIQJPVe8a+HZQa+qjxSEA=
github.com/siderolabs/go-blockdevice/v2 v2.0.7 h1:OCxxA7W1xVqbEP3MrCttqhKpuV4t1KkBTzNeboYDTmc=
github.com/siderolabs/go-blockdevice/v2 v2.0.7/go.mod h1:74htzCV913UzaLZ4H+NBXkwWlYnBJIq5m/379ZEcu8w=
github.com/siderolabs/go-blockdevice/v2 v2.0.8 h1:bAJQby5YF98eNOG6WyuLtXQu7eXiwKC3KJEH/Fb3HOo=
github.com/siderolabs/go-blockdevice/v2 v2.0.8/go.mod h1:74htzCV913UzaLZ4H+NBXkwWlYnBJIq5m/379ZEcu8w=
github.com/siderolabs/go-circular v0.2.1 h1:a++iVCn9jyhICX3POQZZX8n72p2h5JGdGU6w1ulmpcA=
github.com/siderolabs/go-circular v0.2.1/go.mod h1:ZDItzVyXK+B/XuqTBV5MtQtSv06VI+oCmWGRnNCATo8=
github.com/siderolabs/go-kubernetes v0.2.17 h1:xxwDtoPQx032Ot6zAhDyOssfMazZG57gjzDGkpaVJuE=
Expand All @@ -671,14 +673,20 @@ github.com/siderolabs/go-talos-support v0.1.1 h1:g51J0WQssQAycU/0cDliC2l4uX2H02y
github.com/siderolabs/go-talos-support v0.1.1/go.mod h1:o4woiYS+2J3djCQgyHZRVZQm8XpazQr+XPcTXAZvamo=
github.com/siderolabs/image-factory v0.6.4 h1:BMirVs99OODjjzjfMyGblvF/OrXqOwAACfp++ipfriM=
github.com/siderolabs/image-factory v0.6.4/go.mod h1:KY9UkMRqzC+dVVy3z8sWpN/Jg6Ce+I8cVJb97SR32SI=
github.com/siderolabs/image-factory v0.6.6-0.20241227134227-3b302c6a4ca1 h1:QIzpOKGHaKYgfPpT+VrFwQkEevhNSTHV3T3qocNcPCg=
github.com/siderolabs/image-factory v0.6.6-0.20241227134227-3b302c6a4ca1/go.mod h1:CucCuWZLJsXXXqDhdJN/cPejapeJYQIOIbhIGKBs14c=
github.com/siderolabs/net v0.4.0 h1:1bOgVay/ijPkJz4qct98nHsiB/ysLQU0KLoBC4qLm7I=
github.com/siderolabs/net v0.4.0/go.mod h1:/ibG+Hm9HU27agp5r9Q3eZicEfjquzNzQNux5uEk0kM=
github.com/siderolabs/protoenc v0.2.1 h1:BqxEmeWQeMpNP3R6WrPqDatX8sM/r4t97OP8mFmg6GA=
github.com/siderolabs/protoenc v0.2.1/go.mod h1:StTHxjet1g11GpNAWiATgc8K0HMKiFSEVVFOa/H0otc=
github.com/siderolabs/talos v1.9.0 h1:hfQA/YKgT7zUvEsHfxNaOmWtl3kaXfogdjLdUQyEkTE=
github.com/siderolabs/talos v1.9.0/go.mod h1:tfpH28CTBURTF68lf97xUEFZt/p4TKzCMzhd7JgU054=
github.com/siderolabs/talos v1.10.0-alpha.0 h1:ZinJs1C0EuZw0YQXSLV0Dli46PqXAqr+7FhkI0iGdZI=
github.com/siderolabs/talos v1.10.0-alpha.0/go.mod h1:LVuvAZiMsZqRf22VnVStbuw4gl+c/DaNcu9P5XiLdLg=
github.com/siderolabs/talos/pkg/machinery v1.9.0 h1:9WWhu6yOlnbGousV6E8StwSntI3+JJf0debXEJZCAkg=
github.com/siderolabs/talos/pkg/machinery v1.9.0/go.mod h1:0EnV+wg+qr86sR+riUgutxaOZqWFSnrC/mx52TpNyIQ=
github.com/siderolabs/talos/pkg/machinery v1.10.0-alpha.0 h1:ik7cXQu7YqkV/Ryd8yU+xlckn0csmpQwV1KZEeCINdw=
github.com/siderolabs/talos/pkg/machinery v1.10.0-alpha.0/go.mod h1:gFqGUE60R9EdIkNCzxcJ55Y6bv2d4i5+KLbou3rzpQ0=
github.com/sigstore/cosign/v2 v2.4.1 h1:b8UXEfJFks3hmTwyxrRNrn6racpmccUycBHxDMkEPvU=
github.com/sigstore/cosign/v2 v2.4.1/go.mod h1:GvzjBeUKigI+XYnsoVQDmMAsMMc6engxztRSuxE+x9I=
github.com/sigstore/fulcio v1.6.3 h1:Mvm/bP6ELHgazqZehL8TANS1maAkRoM23CRAdkM4xQI=
Expand Down Expand Up @@ -829,6 +837,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY=
golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f h1:XdNn9LlyWAhLVp6P/i8QYBW+hlyhrhei9uErw2B5GJo=
golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:D5SMRVC3C2/4+F/DB1wZsLRnSNimn2Sp/NPsCrsv8ak=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
Expand All @@ -852,6 +862,8 @@ golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
9 changes: 9 additions & 0 deletions pkg/talos/talos_image_factory_urls_data_source.go
Expand Up @@ -294,15 +294,24 @@ func (d *talosImageFactoryURLSDataSource) Read(ctx context.Context, req datasour
urlsData.DiskImage = basetypes.NewStringValue(fmt.Sprintf("%s/image/%s/%s/metal-arm64.raw.xz", d.imageFactoryClient.BaseURL(), schematicID, talosVersion))
default:
platformData := xslices.Filter(metadata.Platforms(), func(p metadata.Platform) bool { return p.Name == platform })
if platformData[0].SecureBootSupported {
urlsData.InstallerSecureboot = basetypes.NewStringValue(fmt.Sprintf("%s/installer-secureboot/%s:%s", uri.Host, schematicID, talosVersion))
}

for _, bootMethod := range platformData[0].BootMethods {
switch bootMethod {
case "disk-image":
urlsData.DiskImage = basetypes.NewStringValue(fmt.Sprintf("%s/image/%s/%s/%s-%s.%s", d.imageFactoryClient.BaseURL(), schematicID, talosVersion, platform, architecture, platformData[0].DiskImageSuffix)) //nolint:lll
if platformData[0].SecureBootSupported {
urlsData.DiskImageSecureboot = basetypes.NewStringValue(fmt.Sprintf("%s/image/%s/%s/%s-%s-secureboot.%s", d.imageFactoryClient.BaseURL(), schematicID, talosVersion, platform, architecture, platformData[0].DiskImageSuffix)) //nolint:lll
}
case "pxe":
urlsData.PXE = basetypes.NewStringValue(fmt.Sprintf("%s://pxe.%s/pxe/%s/%s/%s-%s", uri.Scheme, uri.Host, schematicID, talosVersion, platform, architecture))
case "iso":
urlsData.ISO = basetypes.NewStringValue(fmt.Sprintf("%s/image/%s/%s/%s-%s.iso", d.imageFactoryClient.BaseURL(), schematicID, talosVersion, platform, architecture))
if platformData[0].SecureBootSupported {
urlsData.ISOSecureboot = basetypes.NewStringValue(fmt.Sprintf("%s/image/%s/%s/%s-%s-secureboot.iso", d.imageFactoryClient.BaseURL(), schematicID, talosVersion, platform, architecture)) //nolint:lll
}
}
}
}
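Review bot: `platformData[0]` on the new `if platformData[0].SecureBootSupported {` line before the loop is indexed without a length check; when `platform` matches nothing in `metadata.Platforms()`, `xslices.Filter` returns an empty slice and Read panics there instead of reporting a diagnostic. The pre-existing `range platformData[0].BootMethods` had the same exposure, but the new code now reaches the index unconditionally and repeats it in the `disk-image` and `iso` cases. Guarding once and hoisting the element lets the three new `SecureBootSupported` checks and the suffix lookups read `p.` instead of `platformData[0].`. Read starts and ends outside this hunk, so the response value the surrounding code uses for diagnostics is not visible here; the guard below marks that spot with a comment rather than guessing its name.
```go
platformData := xslices.Filter(metadata.Platforms(), func(p metadata.Platform) bool { return p.Name == platform })
if len(platformData) == 0 {
	// unknown platform: report it through the Read response diagnostics and return
	return
}

p := platformData[0]
if p.SecureBootSupported {
	urlsData.InstallerSecureboot = basetypes.NewStringValue(fmt.Sprintf("%s/installer-secureboot/%s:%s", uri.Host, schematicID, talosVersion))
}

for _, bootMethod := range p.BootMethods {
	switch bootMethod {
	case "disk-image":
		urlsData.DiskImage = basetypes.NewStringValue(fmt.Sprintf("%s/image/%s/%s/%s-%s.%s", d.imageFactoryClient.BaseURL(), schematicID, talosVersion, platform, architecture, p.DiskImageSuffix)) //nolint:lll
		if p.SecureBootSupported {
			urlsData.DiskImageSecureboot = basetypes.NewStringValue(fmt.Sprintf("%s/image/%s/%s/%s-%s-secureboot.%s", d.imageFactoryClient.BaseURL(), schematicID, talosVersion, platform, architecture, p.DiskImageSuffix)) //nolint:lll
		}
	// … unchanged: pxe case …
	case "iso":
		// … unchanged: ISO assignment …
		if p.SecureBootSupported {
			// … unchanged: ISOSecureboot assignment …
		}
	}
}
```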
6 changes: 3 additions & 3 deletions pkg/talos/talos_image_factory_urls_data_source_test.go
Expand Up @@ -105,11 +105,11 @@ func TestAccTalosImageFactoryURLsDataSource(t *testing.T) {
Config: testAccTalosImageFactoryURLsNoCloudPlatformConfig(),
Check: resource.ComposeAggregateTestCheckFunc(
resource.TestCheckResourceAttr("data.talos_image_factory_urls.this", "urls.installer", "factory.talos.dev/installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba:v1.7.5"),
resource.TestCheckNoResourceAttr("data.talos_image_factory_urls.this", "urls.installer_secureboot"),
resource.TestCheckResourceAttr("data.talos_image_factory_urls.this", "urls.installer_secureboot", "factory.talos.dev/installer-secureboot/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba:v1.7.5"),
resource.TestCheckResourceAttr("data.talos_image_factory_urls.this", "urls.iso", "https://factory.talos.dev/image/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba/v1.7.5/nocloud-amd64.iso"),
resource.TestCheckNoResourceAttr("data.talos_image_factory_urls.this", "urls.iso_secureboot"),
resource.TestCheckResourceAttr("data.talos_image_factory_urls.this", "urls.iso_secureboot", "https://factory.talos.dev/image/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba/v1.7.5/nocloud-amd64-secureboot.iso"),
resource.TestCheckResourceAttr("data.talos_image_factory_urls.this", "urls.disk_image", "https://factory.talos.dev/image/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba/v1.7.5/nocloud-amd64.raw.xz"),
resource.TestCheckNoResourceAttr("data.talos_image_factory_urls.this", "urls.disk_image_secureboot"),
resource.TestCheckResourceAttr("data.talos_image_factory_urls.this", "urls.disk_image_secureboot", "https://factory.talos.dev/image/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba/v1.7.5/nocloud-amd64-secureboot.raw.xz"),
resource.TestCheckResourceAttr("data.talos_image_factory_urls.this", "urls.pxe", "https://pxe.factory.talos.dev/pxe/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba/v1.7.5/nocloud-amd64"),
resource.TestCheckNoResourceAttr("data.talos_image_factory_urls.this", "urls.kernel"),
resource.TestCheckNoResourceAttr("data.talos_image_factory_urls.this", "urls.kernel_command_line"),
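Review bot: Replacing all three `TestCheckNoResourceAttr` checks with positive `TestCheckResourceAttr` checks leaves this test with no case for a platform whose `SecureBootSupported` is false, so the path that leaves `urls.installer_secureboot`, `urls.iso_secureboot` and `urls.disk_image_secureboot` unset is no longer exercised. Consider keeping the three negative checks in an additional step using a platform the factory metadata reports without secure boot support, so both sides of the new conditional are covered. The expected values also pin the `nocloud` case to whatever the live `factory.talos.dev` metadata currently reports; that appears to be the existing pattern in this file, so it is noted rather than objected to.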
2 changes: 1 addition & 1 deletion pkg/talos/talos_image_factory_versions_data_source_test.go
Expand Up @@ -26,7 +26,7 @@ func TestAccTalosImageFactoryVersionsDataSource(t *testing.T) {
{
Config: testAccTalosImageFactoryVersionsDataSourceWithFilterConfig(),
ConfigStateChecks: []statecheck.StateCheck{
statecheck.ExpectKnownOutputValue("talos_version", knownvalue.StringExact("v1.9.0")),
statecheck.ExpectKnownOutputValue("talos_version", knownvalue.StringExact("v1.9.1")),
},
},
},
6 changes: 3 additions & 3 deletions pkg/talos/talos_machine_configuration_data_source_test.go
Expand Up @@ -66,7 +66,7 @@ func TestAccTalosMachineConfigurationDataSource(t *testing.T) {
},
// test data source with custom values
{
Config: testAccTalosMachineConfigurationDataSourceConfig("", "example-cluster-1", "controlplane", "https://cluster-1.local:6443", "v1.27.0", true, false, false, false),
Config: testAccTalosMachineConfigurationDataSourceConfig("", "example-cluster-1", "controlplane", "https://cluster-1.local:6443", "v1.28.0", true, false, false, false),
Check: resource.ComposeAggregateTestCheckFunc(
resource.TestCheckResourceAttr("data.talos_machine_configuration.this", "id", "example-cluster-1"),
resource.TestCheckResourceAttr("data.talos_machine_configuration.this", "cluster_name", "example-cluster-1"),
Expand All @@ -75,7 +75,7 @@ func TestAccTalosMachineConfigurationDataSource(t *testing.T) {
resource.TestCheckResourceAttr("data.talos_machine_configuration.this", "machine_type", "controlplane"),
resource.TestCheckResourceAttr("data.talos_machine_configuration.this", "config_patches.#", "4"),
resource.TestCheckResourceAttr("data.talos_machine_configuration.this", "config_patches.0", "\"machine\":\n \"install\":\n \"disk\": \"/dev/sdd\"\n"),
resource.TestCheckResourceAttr("data.talos_machine_configuration.this", "kubernetes_version", "v1.27.0"),
resource.TestCheckResourceAttr("data.talos_machine_configuration.this", "kubernetes_version", "v1.28.0"),
resource.TestCheckResourceAttr("data.talos_machine_configuration.this", "talos_version", semver.MajorMinor(gendata.VersionTag)),
resource.TestCheckResourceAttr("data.talos_machine_configuration.this", "docs", "false"),
resource.TestCheckResourceAttr("data.talos_machine_configuration.this", "examples", "false"),
Expand All @@ -85,7 +85,7 @@ func TestAccTalosMachineConfigurationDataSource(t *testing.T) {
"example-cluster-1",
"https://cluster-1.local:6443",
"/dev/sdd",
"1.27.0",
"1.28.0",
"controlplane",
value,
false,
