Merge branch 'main' into allend/add-group-tag

cmd/cloud-init-server/main.go

@@ -26,6 +26,8 @@ var (
 	smdEndpoint   = "http://smd:27779"
 	jwksUrl       = "" // jwt keyserver URL for secure-route token validation
 	insecure      = false
+	accessToken   = ""
+	certPath      = ""
 	store         ciStore
 )
 
@@ -34,6 +36,8 @@ func main() {
 	flag.StringVar(&tokenEndpoint, "token-url", tokenEndpoint, "OIDC server URL (endpoint) to fetch new tokens from (for SMD access)")
 	flag.StringVar(&smdEndpoint, "smd-url", smdEndpoint, "http IP/url and port for running SMD")
 	flag.StringVar(&jwksUrl, "jwks-url", jwksUrl, "JWT keyserver URL, required to enable secure route")
+	flag.StringVar(&accessToken, "access-token", accessToken, "encoded JWT access token")
+	flag.StringVar(&certPath, "cacert", certPath, "Path to CA cert. (defaults to system CAs)")
 	flag.BoolVar(&insecure, "insecure", insecure, "Set to bypass TLS verification for requests")
 	flag.Parse()
 
@@ -78,7 +82,7 @@ func main() {
 		fakeSm.Summary()
 		sm = fakeSm
 	} else {
-		sm = smdclient.NewSMDClient(smdEndpoint, tokenEndpoint, insecure)
+		sm = smdclient.NewSMDClient(smdEndpoint, tokenEndpoint, accessToken, certPath, insecure)
 	}
 
 	// Unsecured datastore and router

internal/smdclient/SMDclient.go

@@ -2,17 +2,19 @@ package smdclient
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"io"
-	"log"
+	"net"
 	"net/http"
 	"os"
 	"strings"
 	"time"
 
 	base "github.com/Cray-HPE/hms-base"
 	"github.com/OpenCHAMI/smd/v2/pkg/sm"
+	"github.com/rs/zerolog/log"
 )
 
 // Create an SMDClient Interface which can be more easily tested and mocked
@@ -42,20 +44,47 @@ type SMDClient struct {
 
 // NewSMDClient creates a new SMDClient which connects to the SMD server at baseurl
 // and uses the provided JWT server for authentication
-func NewSMDClient(baseurl string, jwtURL string, insecure bool) *SMDClient {
+func NewSMDClient(baseurl string, jwtURL string, accessToken string, certPath string, insecure bool) *SMDClient {
 	c := &http.Client{Timeout: 2 * time.Second}
 	if insecure {
 		c.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: true,
 			},
 		}
+	} else {
+		cacert, err := os.ReadFile(certPath)
+		if err != nil {
+			log.Error().Err(err).Msgf("failed to read cert from path %s", certPath)
+			return nil
+		}
+		certPool := x509.NewCertPool()
+		certPool.AppendCertsFromPEM(cacert)
+
+		// add cert pool to client if valid
+		if certPool != nil {
+			// make sure that we can access the internal client
+			c.Transport = &http.Transport{
+				TLSClientConfig: &tls.Config{
+					RootCAs:            certPool,
+					InsecureSkipVerify: true,
+				},
+				DisableKeepAlives: true,
+				Dial: (&net.Dialer{
+					Timeout:   120 * time.Second,
+					KeepAlive: 120 * time.Second,
+				}).Dial,
+				TLSHandshakeTimeout:   120 * time.Second,
+				ResponseHeaderTimeout: 120 * time.Second,
+			}
+		}
+
 	}
 	return &SMDClient{
 		smdClient:     c,
 		smdBaseURL:    baseurl,
 		tokenEndpoint: jwtURL,
-		accessToken:   "",
+		accessToken:   accessToken,
 	}
 }
 
@@ -78,13 +107,13 @@ func (s *SMDClient) getSMD(ep string, smd interface{}) error {
 		if resp.StatusCode == http.StatusUnauthorized {
 			// Request failed; handle appropriately (based on whether or not
 			// this was a fresh JWT)
-			log.Println("Cached JWT was rejected by SMD")
+			log.Info().Msg("Cached JWT was rejected by SMD")
 			if !freshToken {
-				log.Println("Fetching new JWT and retrying...")
+				log.Info().Msg("Fetching new JWT and retrying...")
 				s.RefreshToken()
 				freshToken = true
 			} else {
-				log.Fatalln("SMD authentication failed, even with a fresh" +
+				log.Info().Msg("SMD authentication failed, even with a fresh" +
 					" JWT. Something has gone terribly wrong; exiting to" +
 					" avoid invalid request spam.")
 				os.Exit(2)