Merge branch 'main' into os-use-fix

jkossak · web-flow · commit 4adbcdc7ac86 · 2025-11-04T16:56:04.000Z
diff --git a/onboarding-manager/.trivyignore b/onboarding-manager/.trivyignore
@@ -12,11 +12,14 @@ AVD-KSV-0014
 # We should be safe to ignore CVE-2020-8559 as long as we use kube-api server that doesn't respond with redirects.
 CVE-2020-8559
 
-# FIXME Upgrade of golang to 1.24.6 to be taken up post 3.1 release
-CVE-2025-47907
 
 # FIXME Upgrade of golang to 1.24.9/1.25.3
 CVE-2025-58187
+CVE-2025-47912
+CVE-2025-58183
+CVE-2025-58186
+CVE-2025-58188
+CVE-2025-61724
 
 # PostgreSQL CVEs
 CVE-2023-45853
@@ -151,5 +154,3 @@ CVE-2023-45287
 CVE-2023-45288
 CVE-2024-37370
 
-# Upgrade of golang to 1.24.6 to be taken up post 3.1 release
-CVE-2025-47907
diff --git a/onboarding-manager/Dockerfile b/onboarding-manager/Dockerfile
@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 
-FROM golang:1.24.8-bookworm as builder
+FROM golang:1.24.6-bookworm as builder
 
 ENV GO111MODULE=on
 ARG MAKE_TARGET=go-build
diff --git a/onboarding-manager/VERSION b/onboarding-manager/VERSION
@@ -1 +1 @@
-1.38.10
+1.38.12
diff --git a/onboarding-manager/internal/handlers/controller/reconcilers/instance.go b/onboarding-manager/internal/handlers/controller/reconcilers/instance.go
@@ -463,8 +463,8 @@ func (ir *InstanceReconciler) tryProvisionInstance(ctx context.Context, instance
 
 	// Check status of Prod Workflow and initiate if it's not running.
 	if err := onboarding.CheckStatusOrRunProdWorkflow(ctx, deviceInfo, instance); err != nil {
-		zlogInst.InfraSec().Err(err).Msgf("Failed CheckStatusOrRunProdWorkflow - Instance %s with Host UUID %s",
-			instance.GetResourceId(), instance.GetHost().GetUuid())
+		zlogInst.InfraSec().Err(err).Msgf("Failed CheckStatusOrRunProdWorkflow - Instance %s with Host UUID %s and Error is %s",
+			instance.GetResourceId(), instance.GetHost().GetUuid(), err.Error())
 		return err
 	}
 
diff --git a/onboarding-manager/internal/onboarding/types/types.go b/onboarding-manager/internal/onboarding/types/types.go
@@ -59,5 +59,7 @@ type (
 		IsStandaloneNode bool
 		// LVMSize is the size of LVM to be created on the host
 		UserLVMSize uint64
+		// TLS CA Certificate for HTTPS downloads from custom servers (e.g., nginx file server)
+		OSTLSCACert string
 	}
 )
diff --git a/onboarding-manager/internal/onboarding/workflow.go b/onboarding-manager/internal/onboarding/workflow.go
@@ -82,16 +82,20 @@ func CheckStatusOrRunProdWorkflow(ctx context.Context,
 		// 2) we already finished & removed workflow for Instance -> in this case we should never get here
 		runErr := runProdWorkflow(ctx, kubeClient, deviceInfo, instance)
 		if runErr != nil {
+			zlog.Error().Err(runErr).Msgf("Failed to run Prod workflow for host %s and Error is %s",
+				deviceInfo.GUID, runErr.Error())
 			return runErr
 		}
 
-		// runProdWorkflow returned no error, but we return an error here so that the upper layer can handle it appropriately
+		// runProdWorkflow returned no error, but we return an error here so that the
+		// upper layer can handle it appropriately
 		// and reconcile until the workflow is finished.
 		return inv_errors.Errorfr(inv_errors.Reason_OPERATION_IN_PROGRESS, "Prod workflow started, waiting for it to complete")
 	}
 
 	if err != nil {
 		// some unexpected error, we fail to get workflow status
+		zlog.Error().Err(err).Msgf("Failed to run Prod workflow for host %s and Error is %s", deviceInfo.GUID, err.Error())
 		return err
 	}
 
@@ -116,6 +120,7 @@ func runProdWorkflow(
 	deviceInfo.AuthClientID = clientID
 	deviceInfo.AuthClientSecret = clientSecret
 	deviceInfo.TenantID = instance.GetTenantId()
+	deviceInfo.OSTLSCACert = instance.GetOs().GetTlsCaCert()
 
 	if instance.GetLocalaccount() != nil {
 		deviceInfo.LocalAccountUserName = instance.GetLocalaccount().Username
@@ -165,7 +170,7 @@ func getWorkflow(ctx context.Context, k8sCli client.Client, workflowName, hostRe
 	}
 
 	if clientErr != nil {
-		zlog.InfraSec().InfraErr(clientErr).Msgf("")
+		zlog.InfraSec().InfraErr(clientErr).Msgf("Failed to get workflow %s status. Error is %s", workflowName, clientErr.Error())
 		// some other error that may need retry
 		return nil, inv_errors.Errorf("Failed to get workflow %s status.", workflowName)
 	}
diff --git a/onboarding-manager/internal/tinkerbell/template_data.go b/onboarding-manager/internal/tinkerbell/template_data.go
@@ -229,7 +229,7 @@ func tinkActionCexecImage(tinkerImageVersion string) string {
 func tinkActionDiskImage(tinkerImageVersion string) string {
 	iv := getTinkerImageVersion(tinkerImageVersion)
 	if v := os.Getenv(envTinkActionDiskImage); v != "" {
-		return fmt.Sprintf("%s:%s", v, iv)
+		return v
 	}
 	return fmt.Sprintf("%s:%s", defaultTinkActionDiskImage, iv)
 }
@@ -261,7 +261,7 @@ func tinkActionKernelupgradeImage(tinkerImageVersion string) string {
 func tinkActionQemuNbdImage2DiskImage(tinkerImageVersion string) string {
 	iv := getTinkerImageVersion(tinkerImageVersion)
 	if v := os.Getenv(envTinkActionQemuNbdImage2DiskImage); v != "" {
-		return fmt.Sprintf("%s:%s", v, iv)
+		return v
 	}
 	return fmt.Sprintf("%s:%s", defaultTinkActionQemuNbdImage2DiskImage, iv)
 }
@@ -335,6 +335,8 @@ func GenerateWorkflowInputs(ctx context.Context, deviceInfo onboarding_types.Dev
 		ENProxyNoProxy: infraConfig.ENProxyNoProxy,
 	}
 
+	inputs.DeviceInfo.OSTLSCACert = deviceInfo.OSTLSCACert
+
 	return structToMapStringString(inputs), nil
 }
 
diff --git a/onboarding-manager/internal/tinkerbell/templates/microvisor.yaml b/onboarding-manager/internal/tinkerbell/templates/microvisor.yaml
@@ -29,6 +29,7 @@ tasks:
         environment:
           IMG_URL: {{ .DeviceInfoOSImageURL }}
           SHA256: {{ .DeviceInfoOsImageSHA256 }}
+          TLS_CA_CERT: "{{ .DeviceInfoOSTLSCACert }}"
           COMPRESSED: true
           HTTP_PROXY: {{ .EnvENProxyHTTP }}
           HTTPS_PROXY: {{ .EnvENProxyHTTPS }}
diff --git a/onboarding-manager/internal/tinkerbell/templates/ubuntu.yaml b/onboarding-manager/internal/tinkerbell/templates/ubuntu.yaml
@@ -34,6 +34,7 @@ tasks:
         environment:
           IMG_URL: {{ .DeviceInfoOSImageURL }}
           SHA256: {{ .DeviceInfoOsImageSHA256 }}
+          TLS_CA_CERT: "{{ .DeviceInfoOSTLSCACert }}"
           HTTP_PROXY: {{ .EnvENProxyHTTP }}
           HTTPS_PROXY: {{ .EnvENProxyHTTPS }}
           NO_PROXY: {{ .EnvENProxyNoProxy }}
diff --git a/onboarding-manager/pkg/platformbundle/ubuntu-22.04/Installer b/onboarding-manager/pkg/platformbundle/ubuntu-22.04/Installer
@@ -197,7 +197,7 @@ install_dependencies() {
         rm -f /etc/apt/sources.list.d/edge-node.list
         apt-get update
         echo -e "\e[32m[install git python3-pip]\e[0m"
-        sudo apt-get install -y curl wget unzip apparmor iptables lvm2 cryptsetup lxc mosquitto tpm2-abrmd tpm2-tools software-properties-common python3-venv git jq libpq5 python3-pip ca-certificates gnupg dmidecode libace-dev cmake python3 libglib2.0-dev libcurl4-openssl-dev libxerces-c-dev libnl-3-dev libnl-route-3-dev libxml2-dev libidn2-0-dev xsltproc docbook-xsl devscripts
+        sudo apt-get install -y curl wget unzip apparmor iptables lvm2 cryptsetup lxc tpm2-abrmd tpm2-tools software-properties-common python3-venv git jq libpq5 python3-pip ca-certificates gnupg dmidecode libace-dev cmake python3 libglib2.0-dev libcurl4-openssl-dev libxerces-c-dev libnl-3-dev libnl-route-3-dev libxml2-dev libidn2-0-dev xsltproc docbook-xsl devscripts
 
         # IMPORTANT: These hardcoded uid/gid must be aligned to that in Edge Microvisor Toolkit specified in cluster-agent.conf.
         # If additional new users or groups need to be created by DKAM, they MUST be added after the users and group created below to
diff --git a/tinker-actions/.trivyignore b/tinker-actions/.trivyignore
@@ -21,3 +21,17 @@ CVE-2025-1125
 # Ignore the below CVEs FDE-DMV tinker action
 CVE-2025-32988 # gnutls: Vulnerability in GnuTLS otherName SAN export
 CVE-2025-32990 # gnutls: Vulnerability in GnuTLS certtool template parsing
+
+# Adding below CVE to ignore list
+# TODO Remove it once upgrade golang version to >=1.24.9
+CVE-2025-58187
+CVE-2025-47912
+CVE-2025-58183
+
+# FIXME CVEs related to http client, would be fixed before 3.2 release.
+# Lack of limit when parsing cookies can cause memory exhaustion in net/http
+CVE-2025-58186
+# Panic when validating certificates with DSA public keys in crypto/x509
+CVE-2025-58188
+# Excessive CPU consumption in Reader.ReadResponse in net/textproto
+CVE-2025-61724
diff --git a/tinker-actions/VERSION b/tinker-actions/VERSION
@@ -1,2 +1,2 @@
-1.19.7
+1.19.8
 
diff --git a/tinker-actions/src/image2disk/image/image.go b/tinker-actions/src/image2disk/image/image.go
@@ -9,11 +9,15 @@ package image
 // This package handles the pulling and management of images
 
 import (
+	"bytes"
 	"compress/bzip2"
 	"compress/gzip"
 	"context"
 	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/hex"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"io"
@@ -95,16 +99,52 @@ func (wc *WriteCounter) Write(p []byte) (int, error) {
 // Write will pull an image and write it to local storage device
 // with compress set to true it will use gzip compression to expand the data before
 // writing to an underlying device.
-func Write(ctx context.Context, log *slog.Logger, sourceImage, destinationDevice string, compressed bool, progressInterval time.Duration) error {
+func Write(ctx context.Context, log *slog.Logger, sourceImage, destinationDevice string, compressed bool, progressInterval time.Duration, tlsCaCert []byte) error {
 	req, err := http.NewRequestWithContext(ctx, "GET", sourceImage, nil)
 	if err != nil {
 		return err
 	}
+	client := http.DefaultClient
+	if len(tlsCaCert) > 0 {
+		err, valid := validate_cert(log, tlsCaCert)
+		if err != nil {
+			log.Error("Failed to validate CA certificate", "error", err)
+			return fmt.Errorf("failed to validate CA certificate: %w", err)
+		}
+		if !valid {
+			log.Error("Invalid CA certificate")
+			return fmt.Errorf("invalid CA certificate")
+		}
+
+		caCertPool := x509.NewCertPool()
+		if !caCertPool.AppendCertsFromPEM(tlsCaCert) {
+			log.Error("Failed to append CA cert to pool - certificate may be corrupted or invalid")
+			return fmt.Errorf("failed to append CA cert to pool: certificate is not valid PEM format or is corrupted")
+		}
+
+		log.Info("Successfully added CA certificate to trust pool")
+
+		if !caCertPool.AppendCertsFromPEM(tlsCaCert) {
+			return errors.New("failed to append CA cert to pool")
+		}
+
+		transport := &http.Transport{
+			TLSClientConfig: &tls.Config{
+				RootCAs: caCertPool,
+			},
+			Proxy: http.ProxyFromEnvironment,
+		}
+		client = &http.Client{Transport: transport}
+		log.Info("HTTP client configured with custom TLS settings")
+	} else {
+		log.Info("No TLS CA certificate provided, using default HTTP client")
+	}
 
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := client.Do(req)
 	if err != nil {
-		return err
+		return fmt.Errorf("Failed to download the image from URL: %v", err)
 	}
+
 	defer resp.Body.Close()
 
 	if resp.StatusCode > 300 {
@@ -185,8 +225,6 @@ func Write(ctx context.Context, log *slog.Logger, sourceImage, destinationDevice
 	// if SHA256 env variable provided as input, compare the expected SHA256 with img_url SHA256
 	if len(expectedSHA256) != 0 && actualSHA256 != expectedSHA256 {
 		fmt.Printf("-----Mismatch SHA256 for actualSHA256 & expectedSHA256 ---\n")
-		log.Info("expectedSHA256 : [%s] ", expectedSHA256)
-		log.Info("actualSHA256 : [%s] ", actualSHA256)
 		log.Error("------SHA256 MISMATCH---------")
 		return fmt.Errorf("Image SHA-256 hash mismatch")
 	}
@@ -220,3 +258,30 @@ func findDecompressor(imageURL string, r io.Reader) (io.ReadCloser, error) {
 
 	return nil, fmt.Errorf("unknown compression suffix [%s]", filepath.Ext(imageURL))
 }
+
+func validate_cert(log *slog.Logger, tlsCaCert []byte) (error, bool) {
+	// Validate that the certificate data looks like PEM format
+	if !bytes.Contains(tlsCaCert, []byte("-----BEGIN CERTIFICATE-----")) {
+		return fmt.Errorf("invalid CA certificate: missing PEM header '-----BEGIN CERTIFICATE-----'"), false
+	}
+	if !bytes.Contains(tlsCaCert, []byte("-----END CERTIFICATE-----")) {
+		return fmt.Errorf("invalid CA certificate: missing PEM footer '-----END CERTIFICATE-----'"), false
+	}
+	block, rest := pem.Decode(tlsCaCert)
+	if block == nil {
+		log.Info("Failed to decode CA certificate as PEM")
+		log.Debug("Certificate data", "data", string(tlsCaCert))
+		log.Debug("Successfully decoded PEM block", "remainingBytes", len(rest))
+		// Parse the certificate to validate it before adding to pool
+		return fmt.Errorf("invalid CA certificate: failed to parse X.509 certificate"), false
+	}
+	// Verify it's actually a certificate
+	_, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		log.Error("Failed to parse certificate from PEM block:", "error", err)
+		return fmt.Errorf("invalid CA certificate: failed to parse X.509 certificate: %w", err), false
+	}
+	log.Debug("Successfully validated certificate structure")
+
+	return nil, true
+}
diff --git a/tinker-actions/src/image2disk/main.go b/tinker-actions/src/image2disk/main.go
@@ -8,7 +8,9 @@ package main
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
+	"img2disk/image"
 	"log/slog"
 	"net/url"
 	"os"
@@ -17,8 +19,6 @@ import (
 	"syscall"
 	"time"
 
-	"img2disk/image"
-
 	dd "github.com/open-edge-platform/infra-onboarding/tinker-actions/pkg/drive_detection"
 
 	"github.com/cenkalti/backoff"
@@ -96,6 +96,18 @@ func main() {
 		fmt.Printf("-----SHA256 not provided proceeding without checksum check \n")
 	}
 
+	var tls_ca_cert []byte
+	tls_ca_cert_str := os.Getenv("TLS_CA_CERT")
+	if len(tls_ca_cert_str) > 0 {
+		decoded, err := base64.StdEncoding.DecodeString(tls_ca_cert_str)
+		if err != nil {
+			log.Error("Error decoding base64 TLS CA certificate", "err", err)
+			os.Exit(1)
+		}
+		tls_ca_cert = decoded
+		log.Info("TLS CA certificate decoded successfully")
+	}
+
 	// We can ignore the error and default compressed to false.
 	cmp, _ := strconv.ParseBool(compressedEnv)
 	re, er := strconv.ParseBool(retryEnabled)
@@ -111,7 +123,7 @@ func main() {
 	interval := time.Duration(pi) * time.Second
 
 	operation := func() error {
-		if err := image.Write(ctx, log, u.String(), disk, cmp, interval); err != nil {
+		if err := image.Write(ctx, log, u.String(), disk, cmp, interval, tls_ca_cert); err != nil {
 			return fmt.Errorf("error writing image to disk: %w", err)
 		}
 		return nil
diff --git a/tinker-actions/src/qemu_nbd_image2disk/image/image.go b/tinker-actions/src/qemu_nbd_image2disk/image/image.go
diff --git a/tinker-actions/src/qemu_nbd_image2disk/main.go b/tinker-actions/src/qemu_nbd_image2disk/main.go

Original file line number	Diff line number	Diff line change
`@@ -463,8 +463,8 @@ func (ir *InstanceReconciler) tryProvisionInstance(ctx context.Context, instance`
`463`	`463`
`464`	`464`	`// Check status of Prod Workflow and initiate if it's not running.`
`465`	`465`	`if err := onboarding.CheckStatusOrRunProdWorkflow(ctx, deviceInfo, instance); err != nil {`
`466`		`- zlogInst.InfraSec().Err(err).Msgf("Failed CheckStatusOrRunProdWorkflow - Instance %s with Host UUID %s",`
`467`		`- instance.GetResourceId(), instance.GetHost().GetUuid())`
	`466`	`+ zlogInst.InfraSec().Err(err).Msgf("Failed CheckStatusOrRunProdWorkflow - Instance %s with Host UUID %s and Error is %s",`
	`467`	`+ instance.GetResourceId(), instance.GetHost().GetUuid(), err.Error())`
`468`	`468`	`return err`
`469`	`469`	`}`
`470`	`470`
Original file line number	Diff line number	Diff line change
`@@ -59,5 +59,7 @@ type (`
`59`	`59`	`IsStandaloneNode bool`
`60`	`60`	`// LVMSize is the size of LVM to be created on the host`
`61`	`61`	`UserLVMSize uint64`
	`62`	`+ // TLS CA Certificate for HTTPS downloads from custom servers (e.g., nginx file server)`
	`63`	`+ OSTLSCACert string`
`62`	`64`	`}`
`63`	`65`	`)`
Original file line number	Diff line number	Diff line change
`@@ -229,7 +229,7 @@ func tinkActionCexecImage(tinkerImageVersion string) string {`
`229`	`229`	`func tinkActionDiskImage(tinkerImageVersion string) string {`
`230`	`230`	`iv := getTinkerImageVersion(tinkerImageVersion)`
`231`	`231`	`if v := os.Getenv(envTinkActionDiskImage); v != "" {`
`232`		`- return fmt.Sprintf("%s:%s", v, iv)`
	`232`	`+ return v`
`233`	`233`	`}`
`234`	`234`	`return fmt.Sprintf("%s:%s", defaultTinkActionDiskImage, iv)`
`235`	`235`	`}`
`@@ -261,7 +261,7 @@ func tinkActionKernelupgradeImage(tinkerImageVersion string) string {`
`261`	`261`	`func tinkActionQemuNbdImage2DiskImage(tinkerImageVersion string) string {`
`262`	`262`	`iv := getTinkerImageVersion(tinkerImageVersion)`
`263`	`263`	`if v := os.Getenv(envTinkActionQemuNbdImage2DiskImage); v != "" {`
`264`		`- return fmt.Sprintf("%s:%s", v, iv)`
	`264`	`+ return v`
`265`	`265`	`}`
`266`	`266`	`return fmt.Sprintf("%s:%s", defaultTinkActionQemuNbdImage2DiskImage, iv)`
`267`	`267`	`}`
`@@ -335,6 +335,8 @@ func GenerateWorkflowInputs(ctx context.Context, deviceInfo onboarding_types.Dev`
`335`	`335`	`ENProxyNoProxy: infraConfig.ENProxyNoProxy,`
`336`	`336`	`}`
`337`	`337`
	`338`	`+ inputs.DeviceInfo.OSTLSCACert = deviceInfo.OSTLSCACert`
	`339`	`+`
`338`	`340`	`return structToMapStringString(inputs), nil`
`339`	`341`	`}`
`340`	`342`