Add tinkerbell platform

This commit adds tinkerbell as a supported platform by the Lokomotive.

The Terraform code consumes newly introduced controller and worker
Terraform modules, which reduces the amount of code required for
introducing this new platform.

The commit currently lacks several parts, which will be added at later
stage:
- Unit tests
- Configuration validation rules
- CI implementation
- Reference documentation
- Quick start guide

Closes #382.

Signed-off-by: Mateusz Gozdek <mateusz@kinvolk.io>

assets/terraform-modules/tinkerbell/controllers/bootkube.tf

@@ -4,6 +4,8 @@ module "bootkube" {
 
   cluster_name          = var.cluster_name
   api_servers           = [format("%s.%s", var.cluster_name, var.dns_zone)]
+  api_servers_external  = var.ip_addresses
+  api_servers_ips       = var.ip_addresses
   etcd_servers          = module.controller.etcd_servers
   asset_dir             = var.asset_dir
   network_mtu           = var.network_mtu

assets/terraform-modules/tinkerbell/controllers/main.tf

@@ -8,7 +8,11 @@ module "controller" {
   ssh_keys               = var.ssh_keys
   clc_snippets           = var.clc_snippets
   cluster_domain_suffix  = var.cluster_domain_suffix
-  clc_snippet_index      = <<EOF
+  host_dns_ip            = var.host_dns_ip
+  apiserver              = format("%s.%s", var.cluster_name, var.dns_zone)
+  ca_cert                = module.bootkube.ca_cert
+
+  clc_snippet_index = <<EOF
 storage:
   files:
   - path: /etc/hostname
@@ -28,7 +32,6 @@ resource "tinkerbell_template" "main" {
   content = templatefile("${path.module}/templates/flatcar-install.tmpl", {
     ignition_config          = module.controller.clc_configs[count.index]
     flatcar_install_base_url = var.flatcar_install_base_url
-    machine                  = "${var.cluster_name}_controller_${count.index}"
     os_version               = var.os_version
     os_channel               = var.os_channel
   })
@@ -38,7 +41,7 @@ resource "tinkerbell_workflow" "main" {
   count = var.node_count
 
   hardwares = <<EOF
-{"${var.cluster_name}_controller_${count.index}": "${var.ip_addresses[count.index]}"}
+{"device_1": "${var.ip_addresses[count.index]}"}
 EOF
   template  = tinkerbell_template.main[count.index].id
 }

assets/terraform-modules/tinkerbell/controllers/outputs.tf

@@ -2,6 +2,14 @@ output "kubeconfig-admin" {
   value = module.bootkube.kubeconfig-admin
 }
 
+output "ca_cert" {
+  value = module.bootkube.ca_cert
+}
+
+output "apiserver" {
+  value = format("%s.%s", var.cluster_name, var.dns_zone)
+}
+
 # values.yaml content for all deployed charts.
 output "pod-checkpointer_values" {
   value = module.bootkube.pod-checkpointer_values

assets/terraform-modules/tinkerbell/controllers/ssh.tf

@@ -10,7 +10,7 @@ resource "null_resource" "copy-controller-secrets" {
   }
 
   provisioner "file" {
-    content     = module.bootkube.kubeconfig-kubelet
+    content     = module.controller.bootstrap_kubeconfig
     destination = "$HOME/kubeconfig"
   }
 

assets/terraform-modules/tinkerbell/controllers/templates/flatcar-install.tmpl

@@ -3,7 +3,7 @@ name: flatcar-install
 global_timeout: 1800
 tasks:
 - name: "flatcar-install"
-  worker: "{{.${machine}}}"
+  worker: "{{.device_1}}"
   volumes:
   - /dev:/dev
   - /statedir:/statedir
@@ -34,7 +34,7 @@ tasks:
     - ${flatcar_install_base_url}
     %{~ endif ~}
   - name: "reboot" # This task shouldn't really be there, but there is no other way to reboot the worker into target OS in Tinkerbell for now.
-    image: alpine
+    image: flatcar-install
     command:
     - sh
     - -c

assets/terraform-modules/tinkerbell/controllers/variables.tf

@@ -99,3 +99,9 @@ variable "worker_bootstrap_tokens" {
   description = "List of token-id and token-secret of each node."
   type        = list(any)
 }
+
+variable "host_dns_ip" {
+  type        = string
+  description = "IP address of DNS server to configure on the nodes."
+  default     = "8.8.8.8"
+}

assets/terraform-modules/tinkerbell/sandbox/assets/deploy/.gitignore

@@ -0,0 +1 @@
+state

assets/terraform-modules/tinkerbell/sandbox/assets/deploy/db/tinkerbell-init.sql

@@ -0,0 +1,76 @@
+SET ROLE tinkerbell;
+
+CREATE TABLE IF NOT EXISTS hardware (
+	id UUID UNIQUE
+	, inserted_at TIMESTAMPTZ
+	, deleted_at TIMESTAMPTZ
+	, data JSONB
+);
+
+CREATE INDEX IF NOT EXISTS idx_id ON hardware (id);
+CREATE INDEX IF NOT EXISTS idx_deleted_at ON hardware (deleted_at NULLS FIRST);
+CREATE INDEX IF NOT EXISTS idxgin_type ON hardware USING GIN (data JSONB_PATH_OPS);
+
+CREATE TABLE IF NOT EXISTS template (
+        id UUID UNIQUE NOT NULL
+        , name VARCHAR(200) NOT NULL
+        , created_at TIMESTAMPTZ
+        , updated_at TIMESTAMPTZ
+        , deleted_at TIMESTAMPTZ
+        , data BYTEA
+
+        CONSTRAINT CK_name CHECK (name ~ '^[a-zA-Z0-9_-]*$')
+);
+
+CREATE INDEX IF NOT EXISTS idx_tid ON template (id);
+CREATE INDEX IF NOT EXISTS idx_tdeleted_at ON template (deleted_at NULLS FIRST);
+
+CREATE TABLE IF NOT EXISTS workflow (
+	id UUID UNIQUE NOT NULL
+	, template UUID NOT NULL
+	, devices JSONB NOT NULL
+	, created_at TIMESTAMPTZ
+	, updated_at TIMESTAMPTZ
+	, deleted_at TIMESTAMPTZ
+);
+
+CREATE INDEX IF NOT EXISTS idx_wid ON workflow (id);
+CREATE INDEX IF NOT EXISTS idx_wdeleted_at ON workflow (deleted_at NULLS FIRST);
+
+CREATE TABLE IF NOT EXISTS workflow_state (
+        workflow_id UUID UNIQUE NOT NULL
+        , current_task_name VARCHAR(200)
+        , current_action_name VARCHAR(200)
+        , current_action_state SMALLINT
+        , current_worker VARCHAR(200)
+        , action_list JSONB
+        , current_action_index int
+        , total_number_of_actions INT
+);
+
+CREATE INDEX IF NOT EXISTS idx_wfid ON workflow_state (workflow_id);
+
+CREATE TABLE IF NOT EXISTS workflow_event (
+        workflow_id UUID NOT NULL
+        , worker_id UUID  NOT NULL
+        , task_name VARCHAR(200)
+        , action_name VARCHAR(200)
+        , execution_time int
+	, message VARCHAR(200)
+	, status SMALLINT
+        , created_at TIMESTAMPTZ
+);
+
+CREATE INDEX IF NOT EXISTS idx_event ON workflow_event (created_at);
+
+CREATE TABLE IF NOT EXISTS workflow_worker_map (
+        workflow_id UUID NOT NULL
+        , worker_id UUID NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS workflow_data (
+        workflow_id UUID NOT NULL
+        , version INT
+        , metadata JSONB
+        , data JSONB
+);

assets/terraform-modules/tinkerbell/sandbox/assets/deploy/docker-compose.yml

@@ -0,0 +1,155 @@
+version: "2.1"
+services:
+  tink-server:
+    image: ${TINKERBELL_TINK_SERVER_IMAGE}
+    restart: unless-stopped
+    environment:
+      FACILITY: ${FACILITY:-onprem}
+      PACKET_ENV: ${PACKET_ENV:-testing}
+      PACKET_VERSION: ${PACKET_VERSION:-ignored}
+      ROLLBAR_TOKEN: ${ROLLBAR_TOKEN:-ignored}
+      ROLLBAR_DISABLE: ${ROLLBAR_DISABLE:-1}
+      PGDATABASE: tinkerbell
+      PGHOST: db
+      PGPASSWORD: tinkerbell
+      PGPORT: 5432
+      PGSSLMODE: disable
+      PGUSER: tinkerbell
+      TINKERBELL_GRPC_AUTHORITY: :42113
+      TINKERBELL_HTTP_AUTHORITY: :42114
+      TINK_AUTH_USERNAME: ${TINKERBELL_TINK_USERNAME}
+      TINK_AUTH_PASSWORD: ${TINKERBELL_TINK_PASSWORD}
+    depends_on:
+      db:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- 127.0.0.1:42114/cert"] # port needs to match TINKERBELL_HTTP_AUTHORITY
+      interval: 5s
+      timeout: 2s
+      retries: 30
+    volumes:
+      - ./state/certs:/certs/${FACILITY:-onprem}
+    ports:
+      - 42113:42113/tcp
+      - 42114:42114/tcp
+
+  db:
+    image: postgres:10-alpine
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: tinkerbell
+      POSTGRES_PASSWORD: tinkerbell
+      POSTGRES_USER: tinkerbell
+    volumes:
+      - ./db/tinkerbell-init.sql:/docker-entrypoint-initdb.d/tinkerbell-init.sql:ro
+      - postgres_data:/var/lib/postgresql/data:rw
+    ports:
+      - 5432:5432
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U tinkerbell"]
+      interval: 1s
+      timeout: 1s
+      retries: 30
+
+  tink-cli:
+    image: ${TINKERBELL_TINK_CLI_IMAGE}
+    restart: unless-stopped
+    environment:
+      TINKERBELL_GRPC_AUTHORITY: 127.0.0.1:42113
+      TINKERBELL_CERT_URL: http://127.0.0.1:42114/cert
+    depends_on:
+      tink-server:
+        condition: service_healthy
+      db:
+        condition: service_healthy
+    network_mode: host
+
+  registry:
+    build:
+      context: registry
+      args:
+        REGISTRY_USERNAME: $TINKERBELL_REGISTRY_USERNAME
+        REGISTRY_PASSWORD: $TINKERBELL_REGISTRY_PASSWORD
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "curl --cacert /certs/ca.pem https://127.0.0.1"]
+      interval: 5s
+      timeout: 1s
+      retries: 5
+    environment:
+      REGISTRY_HTTP_ADDR: 0.0.0.0:443
+      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/server.pem
+      REGISTRY_HTTP_TLS_KEY: /certs/server-key.pem
+      REGISTRY_AUTH: htpasswd
+      REGISTRY_AUTH_HTPASSWD_REALM: "Registry Realm"
+      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
+    volumes:
+      - ./state/certs:/certs
+      - ./state/registry:/var/lib/registry
+    network_mode: host
+
+  boots:
+    image: ${TINKERBELL_TINK_BOOTS_IMAGE}
+    restart: unless-stopped
+    network_mode: host
+    command: -dhcp-addr 0.0.0.0:67 -tftp-addr $TINKERBELL_HOST_IP:69 -http-addr $TINKERBELL_HOST_IP:80 -log-level DEBUG
+    environment:
+      API_AUTH_TOKEN: ${PACKET_API_AUTH_TOKEN:-ignored}
+      API_CONSUMER_TOKEN: ${PACKET_CONSUMER_TOKEN:-ignored}
+      FACILITY_CODE: ${FACILITY:-onprem}
+      PACKET_ENV: ${PACKET_ENV:-testing}
+      PACKET_VERSION: ${PACKET_VERSION:-ignored}
+      ROLLBAR_TOKEN: ${ROLLBAR_TOKEN:-ignored}
+      ROLLBAR_DISABLE: ${ROLLBAR_DISABLE:-1}
+      MIRROR_HOST: ${TINKERBELL_NGINX_IP:-127.0.0.1}
+      DNS_SERVERS: 8.8.8.8
+      PUBLIC_IP: $TINKERBELL_HOST_IP
+      BOOTP_BIND: $TINKERBELL_HOST_IP:67
+      HTTP_BIND: $TINKERBELL_HOST_IP:80
+      SYSLOG_BIND: $TINKERBELL_HOST_IP:514
+      TFTP_BIND: $TINKERBELL_HOST_IP:69
+      DOCKER_REGISTRY: $TINKERBELL_HOST_IP
+      REGISTRY_USERNAME: $TINKERBELL_REGISTRY_USERNAME
+      REGISTRY_PASSWORD: $TINKERBELL_REGISTRY_PASSWORD
+      TINKERBELL_GRPC_AUTHORITY: $TINKERBELL_HOST_IP:42113
+      TINKERBELL_CERT_URL: http://$TINKERBELL_HOST_IP:42114/cert
+      ELASTIC_SEARCH_URL: $TINKERBELL_HOST_IP:9200
+      DATA_MODEL_VERSION: 1
+    depends_on:
+      db:
+        condition: service_healthy
+    ports:
+      - $TINKERBELL_HOST_IP:80:80/tcp
+      - 67:67/udp
+      - 69:69/udp
+
+  nginx:
+    image: nginx:alpine
+    restart: unless-stopped
+    tty: true
+    ports:
+      - $TINKERBELL_NGINX_IP:80:80/tcp
+    volumes:
+      - ./state/webroot:/usr/share/nginx/html/
+
+  hegel:
+    image: ${TINKERBELL_TINK_HEGEL_IMAGE}
+    restart: unless-stopped
+    network_mode: host
+    environment:
+      ROLLBAR_TOKEN: ${ROLLBAR_TOKEN-ignored}
+      ROLLBAR_DISABLE: 1
+      PACKET_ENV: testing
+      PACKET_VERSION: ${PACKET_VERSION:-ignored}
+      GRPC_PORT: 42115
+      HEGEL_FACILITY: ${FACILITY:-onprem}
+      HEGEL_USE_TLS: 0
+      TINKERBELL_GRPC_AUTHORITY: 127.0.0.1:42113
+      TINKERBELL_CERT_URL: http://127.0.0.1:42114/cert
+      DATA_MODEL_VERSION: 1
+    depends_on:
+      db:
+        condition: service_healthy
+
+volumes:
+  postgres_data:

assets/terraform-modules/tinkerbell/sandbox/assets/deploy/flatcar-install/Dockerfile

@@ -0,0 +1,7 @@
+FROM ubuntu
+
+RUN apt update && \
+		apt install -y udev gpg wget
+
+RUN wget https://raw.githubusercontent.com/flatcar-linux/init/flatcar-master/bin/flatcar-install -O /usr/local/bin/flatcar-install && \
+    chmod +x /usr/local/bin/flatcar-install

assets/terraform-modules/tinkerbell/sandbox/assets/deploy/registry/Dockerfile

@@ -0,0 +1,7 @@
+FROM registry:2.7.1
+RUN apk add --no-cache --update curl apache2-utils
+ARG REGISTRY_USERNAME
+ARG REGISTRY_PASSWORD
+RUN mkdir -p /certs /auth
+RUN htpasswd -Bbn ${REGISTRY_USERNAME} ${REGISTRY_PASSWORD} > /auth/htpasswd
+EXPOSE 443

assets/terraform-modules/tinkerbell/sandbox/assets/deploy/tls/.gitignore

@@ -0,0 +1 @@
+*/

assets/terraform-modules/tinkerbell/sandbox/assets/deploy/tls/Dockerfile

@@ -0,0 +1,7 @@
+FROM alpine:3.11
+ENTRYPOINT [ "/entrypoint.sh" ]
+
+RUN apk add --no-cache --update --upgrade ca-certificates postgresql-client
+RUN apk add --no-cache --update --upgrade --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing cfssl
+
+COPY . .

assets/terraform-modules/tinkerbell/sandbox/assets/deploy/tls/ca-config.json

@@ -0,0 +1,17 @@
+{
+  "signing": {
+    "default": {
+      "expiry": "168h"
+    },
+    "profiles": {
+      "server": {
+        "expiry": "8760h",
+        "usages": ["signing", "key encipherment", "server auth"]
+      },
+      "signing": {
+        "expiry": "8760h",
+        "usages": ["signing", "key encipherment"]
+      }
+    }
+  }
+}

assets/terraform-modules/tinkerbell/sandbox/assets/deploy/tls/ca.in.json

@@ -0,0 +1,12 @@
+{
+  "CN": "Autogenerated CA",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "L": "@FACILITY@"
+    }
+  ]
+}

assets/terraform-modules/tinkerbell/sandbox/assets/deploy/tls/entrypoint.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+
+# set -o errexit -o nounset -o pipefail
+
+if [ -z "${TINKERBELL_TLS_CERT:-}" ]; then
+	(
+		echo "creating directory"
+		mkdir -p "certs"
+		./gencerts.sh
+	)
+fi
+
+"$@"