CORS-3417: capi/aws: support ignition proxy and CA bundle

Make sure ignition configuration respects proxy/noproxy and CA bundle
settings.

Author: r4f4

pkg/asset/machines/aws/awsmachines.go

@@ -2,8 +2,12 @@
 package aws
 
 import (
+	"bytes"
+	"encoding/pem"
 	"fmt"
+	"strings"
 
+	"github.com/vincent-petithory/dataurl"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -24,6 +28,7 @@ type MachineInput struct {
 	Subnets  map[string]string
 	Tags     capa.Tags
 	PublicIP bool
+	Ignition *capa.Ignition
 }
 
 // GenerateMachines returns manifests and runtime objects to provision the control plane (including bootstrap, if applicable) nodes using CAPI.
@@ -70,7 +75,7 @@ func GenerateMachines(clusterID string, in *MachineInput) ([]*asset.RuntimeFile,
 				},
 			},
 			Spec: capa.AWSMachineSpec{
-				Ignition:             &capa.Ignition{Version: "3.2"},
+				Ignition:             in.Ignition,
 				UncompressedUserData: ptr.To(true),
 				InstanceType:         mpool.InstanceType,
 				AMI:                  capa.AMIReference{ID: ptr.To(mpool.AMIID)},
@@ -160,3 +165,62 @@ func CapaTagsFromUserTags(clusterID string, usertags map[string]string) (capa.Ta
 	}
 	return tags, nil
 }
+
+// CapaIgnitionWithCertBundleAndProxy generates CAPA ignition config with cert and proxy information.
+func CapaIgnitionWithCertBundleAndProxy(userCA string, proxy *types.Proxy) (*capa.Ignition, error) {
+	carefs, err := parseCertificateBundle([]byte(userCA))
+	if err != nil {
+		return nil, err
+	}
+	return &capa.Ignition{
+		Version: "3.2",
+		TLS: &capa.IgnitionTLS{
+			CASources: carefs,
+		},
+		Proxy: capaIgnitionProxy(proxy),
+	}, nil
+}
+
+// TODO: try to share this code with ignition.bootstrap package?
+// parseCertificateBundle loads each certificate in the bundle to the CAPA
+// carrier type, ignoring any invisible character before, after and in between
+// certificates.
+func parseCertificateBundle(userCA []byte) ([]capa.IgnitionCASource, error) {
+	userCA = bytes.TrimSpace(userCA)
+
+	var carefs []capa.IgnitionCASource
+	for len(userCA) > 0 {
+		var block *pem.Block
+		block, userCA = pem.Decode(userCA)
+		if block == nil {
+			return nil, fmt.Errorf("unable to parse certificate, please check the certificates")
+		}
+
+		carefs = append(carefs, capa.IgnitionCASource(dataurl.EncodeBytes(pem.EncodeToMemory(block))))
+
+		userCA = bytes.TrimSpace(userCA)
+	}
+
+	return carefs, nil
+}
+
+func capaIgnitionProxy(proxy *types.Proxy) *capa.IgnitionProxy {
+	capaProxy := &capa.IgnitionProxy{}
+	if proxy == nil {
+		return capaProxy
+	}
+	if httpProxy := proxy.HTTPProxy; httpProxy != "" {
+		capaProxy.HTTPProxy = &httpProxy
+	}
+	if httpsProxy := proxy.HTTPSProxy; httpsProxy != "" {
+		capaProxy.HTTPSProxy = &httpsProxy
+	}
+	capaProxy.NoProxy = make([]capa.IgnitionNoProxy, 0, len(proxy.NoProxy))
+	if noProxy := proxy.NoProxy; noProxy != "" {
+		noProxySplit := strings.Split(noProxy, ",")
+		for _, p := range noProxySplit {
+			capaProxy.NoProxy = append(capaProxy.NoProxy, capa.IgnitionNoProxy(p))
+		}
+	}
+	return capaProxy
+}

pkg/asset/machines/clusterapi.go

@@ -147,13 +147,19 @@ func (c *ClusterAPI) Generate(dependencies asset.Parents) error {
 			return fmt.Errorf("failed to create CAPA tags from UserTags: %w", err)
 		}
 
+		ignition, err := aws.CapaIgnitionWithCertBundleAndProxy(installConfig.Config.AdditionalTrustBundle, installConfig.Config.Proxy)
+		if err != nil {
+			return fmt.Errorf("failed to generation CAPA ignition: %w", err)
+		}
+
 		pool.Platform.AWS = &mpool
 		awsMachines, err := aws.GenerateMachines(clusterID.InfraID, &aws.MachineInput{
 			Role:     "master",
 			Pool:     &pool,
 			Subnets:  subnets,
 			Tags:     tags,
 			PublicIP: false,
+			Ignition: ignition,
 		})
 		if err != nil {
 			return errors.Wrap(err, "failed to create master machine objects")
@@ -170,6 +176,7 @@ func (c *ClusterAPI) Generate(dependencies asset.Parents) error {
 			Pool:     &pool,
 			Tags:     tags,
 			PublicIP: installConfig.Config.Publish == types.ExternalPublishingStrategy,
+			Ignition: ignition,
 		})
 		if err != nil {
 			return fmt.Errorf("failed to create bootstrap machine object: %w", err)