Introduce BootBox (#601)

- Introduce tinkerbell essentials
- Introduce bootbox


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

# Release Notes: BootBox Package (v0.1.0)

## New Features
- Added BootBox, a PXE hardware provisioning service.
- Introduced network boot configuration with Matchbox and Smee.
- Enabled hardware management through Kubernetes Custom Resource
Definitions.
- Added support for managing physical machine specifications and
configurations.
- New HelmRelease configuration for streamlined deployment.
- Added new application entry for BootBox in the configuration.

## Configuration
- Supports configuring physical machine instances.
- Provides flexible network boot and DHCP settings.
- Includes role-based access control (RBAC) configurations.
- New parameters for trusted proxies and syslog settings.
- Enhanced configuration options for deployment parameters and resource
allocations.
- Introduced new schema for validating configuration values.

## Deployment
- Deployed in `tenant-root` namespace.
- Optional and privileged installation.
- Depends on Cilium and KubeOVN networking components.
- Configurable deployment strategies and resource allocations.
- Introduced new Service and Ingress resources for improved traffic
management.
- Added support for host networking and public IP configurations.

## Compatibility
- Supports single-node and multi-node cluster configurations.
- Compatible with Kubernetes environments.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Andrei Kvapil <[email protected]>

packages/core/installer/Makefile

@@ -55,6 +55,8 @@ image-matchbox:  run-builder
 		--metadata-file images/matchbox.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
+	echo "$(REGISTRY)/matchbox:$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/matchbox.json -o json -r)" \
+		> ../../extra/bootbox/images/matchbox.tag
 	rm -f images/matchbox.json
 
 assets: talos-iso talos-nocloud talos-metal

packages/core/platform/bundles/distro-full.yaml

@@ -199,3 +199,11 @@ releases:
   namespace: cozy-keycloak
   optional: true
   dependsOn: [keycloak]
+
+- name: bootbox
+  releaseName: bootbox
+  chart: cozy-bootbox
+  namespace: cozy-bootbox
+  privileged: true
+  optional: true
+  dependsOn: [cilium]

packages/core/platform/bundles/paas-full.yaml

@@ -281,6 +281,14 @@ releases:
   optional: true
   dependsOn: [cilium,kubeovn]
 
+- name: bootbox
+  releaseName: bootbox
+  chart: cozy-bootbox
+  namespace: cozy-bootbox
+  privileged: true
+  optional: true
+  dependsOn: [cilium,kubeovn]
+
 {{- if $oidcEnabled }}
 - name: keycloak
   releaseName: keycloak

packages/extra/bootbox/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: bootbox
+description: PXE hardware provisioning
+icon: /logos/bootbox.svg
+type: application
+version: 0.1.0

packages/extra/bootbox/Makefile

@@ -0,0 +1,11 @@
+NAME=bootbox
+NAMESPACE=tenant-root
+
+include ../../../scripts/package.mk
+
+generate:
+	readme-generator -v values.yaml -s values.schema.json.tmp -r README.md
+	cat values.schema.json.tmp | \
+		jq '.properties.machines.items.type = "object"' \
+		> values.schema.json
+	rm -f values.schema.json.tmp

packages/extra/bootbox/README.md

@@ -0,0 +1,11 @@
+# BootBox
+
+## Parameters
+
+### Common parameters
+
+| Name            | Description                                           | Value  |
+| --------------- | ----------------------------------------------------- | ------ |
+| `whitelistHTTP` | Secure HTTP by enabling  client networks whitelisting | `true` |
+| `whitelist`     | List of client networks                               | `[]`   |
+| `machines`      | Configuration of physical machine instances           | `[]`   |

packages/extra/bootbox/hack/test.sh

@@ -0,0 +1,18 @@
+apk add iptables iproute2 qemu-system-x86_64 qemu-img
+
+iptables -t nat -D POSTROUTING -s 10.8.2.0/24 ! -d 10.8.2.0/24 -j MASQUERADE 2>/dev/null || true
+iptables -t nat -A POSTROUTING -s 10.8.2.0/24 ! -d 10.8.2.0/24 -j MASQUERADE
+
+ip link del tap0 2>/dev/null || true
+ip tuntap add dev tap0 mode tap
+ip link set tap0 up
+ip addr add 10.8.2.1/24 dev tap0
+
+
+rm -f data.img
+qemu-img create data.img 100G
+
+qemu-system-x86_64 -machine type=pc,accel=kvm -cpu host -smp 4 -m 8192 \
+  -device virtio-net,netdev=net0,mac=d6:fa:af:52:25:93 -netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
+  -drive file=data.img,if=virtio,format=raw \
+  -nographic

packages/extra/bootbox/images/matchbox.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/matchbox:v0.23.1

packages/extra/bootbox/templates/check-release-name.yaml

@@ -0,0 +1,6 @@
+{{- if ne .Release.Name .Chart.Name }}
+{{- fail (printf "The name of the release MUST BE %s" .Chart.Name) }}
+{{- end -}}
+{{- if ne .Release.Namespace "tenant-root" }}
+{{- fail "The namespace of the release MUST BE tenant-root" }}
+{{- end -}}

packages/extra/bootbox/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  resourceNames:
+  - bootbox
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - grafana-admin-password
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - bootbox
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - bootbox-matchbox
+  verbs: ["get", "list", "watch"]
+
+

packages/extra/bootbox/templates/matchbox/configmaps.yaml

@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bootbox-profiles
+data:
+  default.json: |
+    {
+      "id": "default",
+      "name": "default",
+      "boot": {
+        "kernel": "/assets/vmlinuz",
+        "initrd": ["/assets/initramfs.xz"],
+        "args": [
+          "initrd=initramfs.xz",
+          "init_on_alloc=1",
+          "slab_nomerge",
+          "pti=on",
+          "console=tty0",
+          "console=ttyS0",
+          "printk.devkmsg=on",
+          "talos.platform=metal"
+        ]
+      }
+    }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bootbox-groups
+data:
+  default.json: |
+    {
+      "id": "default",
+      "name": "default",
+      "profile": "default"
+    }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bootbox-configs
+data:

packages/extra/bootbox/templates/matchbox/deployment.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bootbox-matchbox
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bootbox-matchbox
+  template:
+    metadata:
+      labels:
+        app: bootbox-matchbox
+    spec:
+      containers:
+      - name: matchbox
+        image: "{{ $.Files.Get "images/matchbox.tag" | trim }}"
+        args:
+          - "-address=:8080"
+          - "-log-level=debug"
+        volumeMounts:
+          - name: profiles-volume
+            mountPath: /var/lib/matchbox/profiles
+          - name: groups-volume
+            mountPath: /var/lib/matchbox/groups
+          - name: configs-volume
+            mountPath: /var/lib/matchbox/assets/configs
+        ports:
+          - name: http
+            containerPort: 8080
+            protocol: TCP
+      volumes:
+        - name: profiles-volume
+          configMap:
+            name: bootbox-profiles
+        - name: groups-volume
+          configMap:
+            name: bootbox-groups
+        - name: configs-volume
+          configMap:
+            name: bootbox-configs
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: bootbox-matchbox
+spec:
+  replicas: 1
+  minReplicas: 1
+  kind: bootbox
+  type: matchbox
+  selector:
+    app: bootbox-matchbox
+  version: {{ $.Chart.Version }}

packages/extra/bootbox/templates/matchbox/ingress.yaml

@@ -0,0 +1,37 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bootbox
+  labels:
+    app: bootbox
+  annotations:
+    {{- if ne $issuerType "cloudflare" }}
+    acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
+    {{- end }}
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    {{- if .Values.whitelistHTTP }}
+    nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," (.Values.whitelist | default "0.0.0.0/32") }}"
+    {{- end }}
+spec:
+  ingressClassName: {{ $ingress }}
+  tls:
+    - hosts:
+        - "{{ printf "bootbox.%s" (.Values.host | default $host) }}"
+      secretName: bootbox-tls
+  rules:
+    - host: "{{ printf "bootbox.%s" (.Values.host | default $host) }}"
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: bootbox
+                port:
+                  name: http