iPXE can't support booting from modern certificate chains issued by
Let's Encrypt, so provide an option to use a custom (less secure?)
endpoint for PXE booting.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #19
Using the Talos implementation of custom SecureBoot signers, provide a full
implementation of SecureBoot assets signed either by static local PKI or
Azure Key Vault reference.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #14
This adds "standard" HTTP metrics for the frontend, and also three kinds
of custom metrics:
* schematic get/create
* system extension popularity score
* asset build metrics: cached/not cached, bytes, requests, in dimension
of asset kind
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Image Factory now signs the generated asset using the cosign flow with a
fixed key. Image Factory also verifies the signature before redirecting
to the image. This way we ensure the consistency of the cache.
The signing ECDSA private key (PEM-encoded) should be supplied via the
`--signing-key-path` flag.
Fixes #29
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Themes the nomenclature to align with Talos Linux
Signed-off-by: Andrew Rynhard <andrew@rynhard.io>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #18
The intention is to provide an educational frontend so that people can get
comfortable using the Image Service by building the appropriate links.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #13
This builds on top of the extensions catalog (see
https://github.com/siderolabs/extensions/pull/225), and existing support
for specifying extension in the flavor.
Image Service resolves the list of extensions requested for a specific
version of Talos into a list of container images, pulls them, and
attaches them to the image request.
Image Service also provides endpoints to get information about available
Talos versions, supported extensions for each version, etc.
I also refactored the flow around fetching & verifying the image a bit to
re-use it in other flows, and added support for authentication to the registry.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This appends a "virtual" (built on the fly) extension which contains
the flavor ID to all boot assets of Talos.
This makes it easy to identify which flavor of Talos an asset was
built with.
E.g.:
```
$ talosctl -n 172.20.0.2 get extensions -i
NODE NAMESPACE TYPE ID VERSION NAME VERSION
runtime ExtensionStatus 0 1 flavor 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba
```
```yaml
node:
metadata:
    namespace: runtime
    type: ExtensionStatuses.runtime.talos.dev
    id: 0
    version: 1
    owner: runtime.ExtensionStatusController
    phase: running
    created: 2023-09-07T14:06:03Z
    updated: 2023-09-07T14:06:03Z
spec:
    image: 0.sqsh
    metadata:
        name: flavor
        version: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba
        author: Image Service
        description: Virtual extension which specifies the flavor of the image built with Image Service.
        compatibility:
            talos:
                version: '>= 1.0.0'
```
And (as an empty file):
```
$ talosctl -n 172.20.0.2 ls /usr/local/share/flavor/
NODE NAME
172.20.0.2 .
172.20.0.2 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This allows pulling an installer image for a given version of Talos and
configuration.
The actual image is served from the registry; the image service is only
a frontend that redirects to the registry.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Initial version of the image service.
Implements a basic configuration service, and HTTP frontend for assets.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>