Add OCI-based default UKI Configuration for HTTPBoot

Author: hardikdr

cmd/main.go

@@ -63,7 +63,6 @@ func init() {
 
 func main() {
 	ctx := ctrl.LoggerInto(ctrl.SetupSignalHandler(), setupLog)
-	defaultHttpUKIURL := NewDefaultHTTPBootData()
 	skipControllerNameValidation := true
 
 	var metricsAddr string
@@ -79,12 +78,16 @@ func main() {
 	var ipxeServicePort int
 	var imageServerURL string
 	var architecture string
+	var defaultHTTPBootOCIImage string
+	var defaultHTTPBootUKIURL string
 
 	flag.StringVar(&architecture, "architecture", "amd64", "Target system architecture (e.g., amd64, arm64)")
 	flag.IntVar(&ipxeServicePort, "ipxe-service-port", 5000, "IPXE Service port to listen on.")
 	flag.StringVar(&ipxeServiceProtocol, "ipxe-service-protocol", "http", "IPXE Service Protocol.")
 	flag.StringVar(&ipxeServiceURL, "ipxe-service-url", "", "IPXE Service URL.")
 	flag.StringVar(&imageServerURL, "image-server-url", "", "OS Image Server URL.")
+	flag.StringVar(&defaultHTTPBootOCIImage, "default-httpboot-oci-image", "", "Default OCI image reference for http boot")
+	flag.StringVar(&defaultHTTPBootUKIURL, "default-httpboot-uki-url", "", "Deprecated: use --default-httpboot-oci-image")
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.StringVar(&bootserverAddr, "boot-server-address", ":8082", "The address the boot-server binds to.")
@@ -122,6 +125,13 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
+	if defaultHTTPBootUKIURL != "" {
+		setupLog.Info("Flag --default-httpboot-uki-url is deprecated; use --default-httpboot-oci-image instead")
+	}
+	if defaultHTTPBootOCIImage != "" && defaultHTTPBootUKIURL != "" {
+		setupLog.Info("Ignoring --default-httpboot-uki-url because --default-httpboot-oci-image is set")
+	}
+
 	// set the correct ipxe service URL by getting the address from the environment
 	var ipxeServiceAddr string
 	if ipxeServiceURL == "" {
@@ -303,7 +313,7 @@ func main() {
 	}
 
 	setupLog.Info("starting boot-server")
-	go bootserver.RunBootServer(bootserverAddr, ipxeServiceURL, mgr.GetClient(), serverLog.WithName("bootserver"), *defaultHttpUKIURL)
+	go bootserver.RunBootServer(bootserverAddr, ipxeServiceURL, mgr.GetClient(), serverLog.WithName("bootserver"), defaultHTTPBootOCIImage, defaultHTTPBootUKIURL, imageServerURL, architecture)
 
 	setupLog.Info("starting image-proxy-server")
 	go bootserver.RunImageProxyServer(imageProxyServerAddr, mgr.GetClient(), serverLog.WithName("imageproxyserver"))
@@ -361,10 +371,3 @@ func IndexHTTPBootConfigByNetworkIDs(ctx context.Context, mgr ctrl.Manager) erro
 		},
 	)
 }
-
-func NewDefaultHTTPBootData() *string {
-	var defaultUKIURL string
-	flag.StringVar(&defaultUKIURL, "default-httpboot-uki-url", "", "Default UKI URL for http boot")
-
-	return &defaultUKIURL
-}

internal/controller/serverbootconfiguration_http_controller.go

@@ -5,22 +5,19 @@ package controller
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"strings"
 
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 
-	"github.com/containerd/containerd/remotes/docker"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	"github.com/go-logr/logr"
 	bootv1alpha1 "github.com/ironcore-dev/boot-operator/api/v1alpha1"
+	"github.com/ironcore-dev/boot-operator/internal/uki"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -30,10 +27,6 @@ import (
 	metalv1alpha1 "github.com/ironcore-dev/metal-operator/api/v1alpha1"
 )
 
-const (
-	MediaTypeUKI = "application/vnd.ironcore.image.uki"
-)
-
 type ServerBootConfigurationHTTPReconciler struct {
 	client.Client
 	Scheme         *runtime.Scheme
@@ -187,74 +180,10 @@ func (r *ServerBootConfigurationHTTPReconciler) getSystemNetworkIDsFromServer(ct
 }
 
 func (r *ServerBootConfigurationHTTPReconciler) constructUKIURL(ctx context.Context, image string) (string, error) {
-	imageDetails := strings.Split(image, ":")
-	if len(imageDetails) != 2 {
-		return "", fmt.Errorf("invalid image format")
-	}
-
-	ukiDigest, err := r.getUKIDigestFromNestedManifest(ctx, imageDetails[0], imageDetails[1])
-	if err != nil {
-		return "", fmt.Errorf("failed to fetch UKI layer digest: %w", err)
-	}
-
-	ukiDigest = strings.TrimPrefix(ukiDigest, "sha256:")
-	ukiURL := fmt.Sprintf("%s/%s/sha256-%s.efi", r.ImageServerURL, imageDetails[0], ukiDigest)
-	return ukiURL, nil
-}
-
-func (r *ServerBootConfigurationHTTPReconciler) getUKIDigestFromNestedManifest(ctx context.Context, imageName, imageVersion string) (string, error) {
-	resolver := docker.NewResolver(docker.ResolverOptions{})
-	imageRef := fmt.Sprintf("%s:%s", imageName, imageVersion)
-	name, desc, err := resolver.Resolve(ctx, imageRef)
-	if err != nil {
-		return "", fmt.Errorf("failed to resolve image reference: %w", err)
-	}
-
-	targetManifestDesc := desc
-	manifestData, err := fetchContent(ctx, resolver, name, desc)
-	if err != nil {
-		return "", fmt.Errorf("failed to fetch manifest data: %w", err)
-	}
-
-	var manifest ocispec.Manifest
-	if desc.MediaType == ocispec.MediaTypeImageIndex {
-		var indexManifest ocispec.Index
-		if err := json.Unmarshal(manifestData, &indexManifest); err != nil {
-			return "", fmt.Errorf("failed to unmarshal index manifest: %w", err)
-		}
-
-		for _, manifest := range indexManifest.Manifests {
-			platform := manifest.Platform
-			if manifest.Platform != nil && platform.Architecture == r.Architecture {
-				targetManifestDesc = manifest
-				break
-			}
-		}
-		if targetManifestDesc.Digest == "" {
-			return "", fmt.Errorf("failed to find target manifest with architecture %s", r.Architecture)
-		}
-
-		nestedData, err := fetchContent(ctx, resolver, name, targetManifestDesc)
-		if err != nil {
-			return "", fmt.Errorf("failed to fetch nested manifest: %w", err)
-		}
-
-		if err := json.Unmarshal(nestedData, &manifest); err != nil {
-			return "", fmt.Errorf("failed to unmarshal nested manifest: %w", err)
-		}
-	} else {
-		if err := json.Unmarshal(manifestData, &manifest); err != nil {
-			return "", fmt.Errorf("failed to unmarshal manifest: %w", err)
-		}
+	if strings.TrimSpace(r.ImageServerURL) == "" {
+		return "", fmt.Errorf("image server URL is empty")
 	}
-
-	for _, layer := range manifest.Layers {
-		if layer.MediaType == MediaTypeUKI {
-			return layer.Digest.String(), nil
-		}
-	}
-
-	return "", fmt.Errorf("UKI layer digest not found")
+	return uki.ConstructUKIURLFromOCI(ctx, image, r.ImageServerURL, r.Architecture)
 }
 
 func (r *ServerBootConfigurationHTTPReconciler) enqueueServerBootConfigReferencingIgnitionSecret(ctx context.Context, secret client.Object) []reconcile.Request {

internal/uki/oci.go

@@ -0,0 +1,118 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package uki
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/containerd/containerd/remotes"
+	"github.com/containerd/containerd/remotes/docker"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+const MediaTypeUKI = "application/vnd.ironcore.image.uki"
+
+func ConstructUKIURLFromOCI(ctx context.Context, image string, imageServerURL string, architecture string) (string, error) {
+	imageDetails := strings.Split(image, ":")
+	if len(imageDetails) != 2 {
+		return "", fmt.Errorf("invalid image format")
+	}
+
+	ukiDigest, err := getUKIDigestFromNestedManifest(ctx, imageDetails[0], imageDetails[1], architecture)
+	if err != nil {
+		return "", fmt.Errorf("failed to fetch UKI layer digest: %w", err)
+	}
+
+	ukiDigest = strings.TrimPrefix(ukiDigest, "sha256:")
+	ukiURL := fmt.Sprintf("%s/%s/sha256-%s.efi", imageServerURL, imageDetails[0], ukiDigest)
+	return ukiURL, nil
+}
+
+func getUKIDigestFromNestedManifest(ctx context.Context, imageName, imageVersion, architecture string) (string, error) {
+	resolver := docker.NewResolver(docker.ResolverOptions{})
+	imageRef := fmt.Sprintf("%s:%s", imageName, imageVersion)
+	name, desc, err := resolver.Resolve(ctx, imageRef)
+	if err != nil {
+		return "", fmt.Errorf("failed to resolve image reference: %w", err)
+	}
+
+	targetManifestDesc := desc
+	manifestData, err := fetchContent(ctx, resolver, name, desc)
+	if err != nil {
+		return "", fmt.Errorf("failed to fetch manifest data: %w", err)
+	}
+
+	var manifest ocispec.Manifest
+	if desc.MediaType == ocispec.MediaTypeImageIndex {
+		var indexManifest ocispec.Index
+		if err := json.Unmarshal(manifestData, &indexManifest); err != nil {
+			return "", fmt.Errorf("failed to unmarshal index manifest: %w", err)
+		}
+
+		for _, manifest := range indexManifest.Manifests {
+			platform := manifest.Platform
+			if manifest.Platform != nil && platform.Architecture == architecture {
+				targetManifestDesc = manifest
+				break
+			}
+		}
+		if targetManifestDesc.Digest == "" {
+			return "", fmt.Errorf("failed to find target manifest with architecture %s", architecture)
+		}
+
+		nestedData, err := fetchContent(ctx, resolver, name, targetManifestDesc)
+		if err != nil {
+			return "", fmt.Errorf("failed to fetch nested manifest: %w", err)
+		}
+
+		if err := json.Unmarshal(nestedData, &manifest); err != nil {
+			return "", fmt.Errorf("failed to unmarshal nested manifest: %w", err)
+		}
+	} else {
+		if err := json.Unmarshal(manifestData, &manifest); err != nil {
+			return "", fmt.Errorf("failed to unmarshal manifest: %w", err)
+		}
+	}
+
+	for _, layer := range manifest.Layers {
+		if layer.MediaType == MediaTypeUKI {
+			return layer.Digest.String(), nil
+		}
+	}
+
+	return "", fmt.Errorf("UKI layer digest not found")
+}
+
+func fetchContent(ctx context.Context, resolver remotes.Resolver, ref string, desc ocispec.Descriptor) ([]byte, error) {
+	fetcher, err := resolver.Fetcher(ctx, ref)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get fetcher: %w", err)
+	}
+
+	reader, err := fetcher.Fetch(ctx, desc)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch content: %w", err)
+	}
+
+	defer func() {
+		if cerr := reader.Close(); cerr != nil {
+			fmt.Printf("failed to close reader: %v\n", cerr)
+		}
+	}()
+
+	data, err := io.ReadAll(reader)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read content: %w", err)
+	}
+
+	if int64(len(data)) != desc.Size {
+		return nil, fmt.Errorf("size mismatch: expected %d, got %d", desc.Size, len(data))
+	}
+
+	return data, nil
+}

server/bootserver.go

@@ -23,6 +23,7 @@ import (
 	butanecommon "github.com/coreos/butane/config/common"
 	"github.com/go-logr/logr"
 	bootv1alpha1 "github.com/ironcore-dev/boot-operator/api/v1alpha1"
+	"github.com/ironcore-dev/boot-operator/internal/uki"
 )
 
 type IPXETemplateData struct {
@@ -48,13 +49,13 @@ var predefinedConditions = map[string]v1.Condition{
 	},
 }
 
-func RunBootServer(ipxeServerAddr string, ipxeServiceURL string, k8sClient client.Client, log logr.Logger, defaultUKIURL string) {
+func RunBootServer(ipxeServerAddr string, ipxeServiceURL string, k8sClient client.Client, log logr.Logger, defaultOCIImage string, defaultUKIURL string, imageServerURL string, architecture string) {
 	http.HandleFunc("/ipxe/", func(w http.ResponseWriter, r *http.Request) {
 		handleIPXE(w, r, k8sClient, log, ipxeServiceURL)
 	})
 
 	http.HandleFunc("/httpboot", func(w http.ResponseWriter, r *http.Request) {
-		handleHTTPBoot(w, r, k8sClient, log, defaultUKIURL)
+		handleHTTPBoot(w, r, k8sClient, log, defaultOCIImage, defaultUKIURL, imageServerURL, architecture)
 	})
 
 	http.HandleFunc("/ignition/", func(w http.ResponseWriter, r *http.Request) {
@@ -369,7 +370,7 @@ func renderIgnition(yamlData []byte) ([]byte, error) {
 	return jsonData, nil
 }
 
-func handleHTTPBoot(w http.ResponseWriter, r *http.Request, k8sClient client.Client, log logr.Logger, defaultUKIURL string) {
+func handleHTTPBoot(w http.ResponseWriter, r *http.Request, k8sClient client.Client, log logr.Logger, defaultOCIImage string, defaultUKIURL string, imageServerURL string, architecture string) {
 	log.Info("Processing HTTPBoot request", "method", r.Method, "path", r.URL.Path, "clientIP", r.RemoteAddr)
 	ctx := r.Context()
 
@@ -407,9 +408,24 @@ func handleHTTPBoot(w http.ResponseWriter, r *http.Request, k8sClient client.Cli
 	var httpBootResponseData map[string]string
 	if len(httpBootConfigs.Items) == 0 {
 		log.Info("No HTTPBootConfig found for client IP, delivering default httpboot data", "clientIPs", clientIPs)
+		ukiURL := defaultUKIURL
+		if defaultOCIImage != "" {
+			if imageServerURL == "" {
+				log.Error(fmt.Errorf("image server URL is empty"), "Default OCI image provided but image server URL is not set")
+				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+				return
+			}
+			constructedURL, err := uki.ConstructUKIURLFromOCI(ctx, defaultOCIImage, imageServerURL, architecture)
+			if err != nil {
+				log.Error(err, "Failed to construct default UKI URL from OCI image", "image", defaultOCIImage)
+				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+				return
+			}
+			ukiURL = constructedURL
+		}
 		httpBootResponseData = map[string]string{
 			"ClientIPs": strings.Join(clientIPs, ","),
-			"UKIURL":    defaultUKIURL,
+			"UKIURL":    ukiURL,
 		}
 	} else {
 		// TODO: Pick the first HttpBootConfig if multiple CRs are found.

server/imageproxyserver.go

@@ -13,6 +13,7 @@ import (
 	"strings"
 
 	"github.com/go-logr/logr"
+	"github.com/ironcore-dev/boot-operator/internal/uki"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -22,7 +23,6 @@ const (
 	imageKey       = "imageName"
 	layerDigestKey = "layerDigest"
 	versionKey     = "version"
-	MediaTypeUKI   = "application/vnd.ironcore.image.uki"
 )
 
 type TokenResponse struct {
@@ -208,7 +208,7 @@ func modifyProxyResponse(bearerToken string) func(*http.Response) error {
 		}
 
 		// Rewrite media type if it's a UKI
-		if ct := resp.Header.Get("Content-Type"); ct == MediaTypeUKI {
+		if ct := resp.Header.Get("Content-Type"); ct == uki.MediaTypeUKI {
 			resp.Header.Set("Content-Type", "application/efi")
 		}