chore: add ability to rewrite uuids and set unique tokens for Talos

This PR does those things:
- It allows API calls `MetaWrite` and `MetaRead` in maintenance mode.
- SystemInformation resource now waits for available META
- SystemInformation resource now overwrites UUID from META if there is an override
- META now supports "UUID override" and "unique token" keys
- ProvisionRequest now includes unique token and Talos version

For #7694

Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>

Author: DmitriyMV

api/api.descriptors

@@ -64,6 +64,11 @@ message MetaKeySpec {
   string value = 1;
 }
 
+// MetaLoadedSpec is the spec for meta loaded. The Done field is always true when resource exists.
+message MetaLoadedSpec {
+  bool done = 1;
+}
+
 // MountStatusSpec describes status of the defined sysctls.
 message MountStatusSpec {
   string source = 1;
@@ -93,6 +98,11 @@ message SecurityStateSpec {
   string pcr_signing_key_fingerprint = 3;
 }
 
+// UniqueMachineTokenSpec is the spec for the machine unique token. Token can be empty if machine wasn't assigned any.
+message UniqueMachineTokenSpec {
+  string token = 1;
+}
+
 // UnmetCondition is a failure which prevents machine from being ready at the stage.
 message UnmetCondition {
   string name = 1;

api/resource/definitions/runtime/runtime.proto

@@ -13,6 +13,10 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/client"
 )
 
+var metaCmdFlags struct {
+	insecure bool
+}
+
 var metaCmd = &cobra.Command{
 	Use:   "meta",
 	Short: "Write and delete keys in the META partition",
@@ -26,14 +30,20 @@ var metaWriteCmd = &cobra.Command{
 	Long:  ``,
 	Args:  cobra.ExactArgs(2),
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return WithClient(func(ctx context.Context, c *client.Client) error {
+		fn := func(ctx context.Context, c *client.Client) error {
 			key, err := strconv.ParseUint(args[0], 0, 8)
 			if err != nil {
 				return err
 			}
 
 			return c.MetaWrite(ctx, uint8(key), []byte(args[1]))
-		})
+		}
+
+		if metaCmdFlags.insecure {
+			return WithClientMaintenance(nil, fn)
+		}
+
+		return WithClient(fn)
 	},
 }
 
@@ -43,18 +53,26 @@ var metaDeleteCmd = &cobra.Command{
 	Long:  ``,
 	Args:  cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return WithClient(func(ctx context.Context, c *client.Client) error {
+		fn := func(ctx context.Context, c *client.Client) error {
 			key, err := strconv.ParseUint(args[0], 0, 8)
 			if err != nil {
 				return err
 			}
 
 			return c.MetaDelete(ctx, uint8(key))
-		})
+		}
+
+		if metaCmdFlags.insecure {
+			return WithClientMaintenance(nil, fn)
+		}
+
+		return WithClient(fn)
 	},
 }
 
 func init() {
+	metaCmd.PersistentFlags().BoolVarP(&metaCmdFlags.insecure, "insecure", "i", false, "write|delete meta using the insecure (encrypted with no auth) maintenance service")
+
 	metaCmd.AddCommand(metaWriteCmd)
 	metaCmd.AddCommand(metaDeleteCmd)
 	addCommand(metaCmd)

cmd/talosctl/cmd/talos/meta.go

@@ -117,7 +117,7 @@ require (
 	github.com/siderolabs/grpc-proxy v0.4.0
 	github.com/siderolabs/kms-client v0.1.0
 	github.com/siderolabs/net v0.4.0
-	github.com/siderolabs/siderolink v0.3.1
+	github.com/siderolabs/siderolink v0.3.2-0.20231109194336-71dd3084984d
 	github.com/siderolabs/talos/pkg/machinery v1.6.0-alpha.1
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
@@ -305,7 +305,7 @@ require (
 	golang.org/x/oauth2 v0.12.0 // indirect
 	golang.org/x/tools v0.12.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b // indirect
+	golang.zx2c4.com/wireguard v0.0.0-20231022001213-2e0774f246fb // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231012201019-e917dd12ba7a // indirect

go.mod

@@ -669,8 +669,8 @@ github.com/siderolabs/net v0.4.0 h1:1bOgVay/ijPkJz4qct98nHsiB/ysLQU0KLoBC4qLm7I=
 github.com/siderolabs/net v0.4.0/go.mod h1:/ibG+Hm9HU27agp5r9Q3eZicEfjquzNzQNux5uEk0kM=
 github.com/siderolabs/protoenc v0.2.0 h1:QFxWIAo//12+/bm27GNYoK/TpQGTYsRrrZCu9jSghvU=
 github.com/siderolabs/protoenc v0.2.0/go.mod h1:mu4gc6pJxhdJYpuloacKE4jsJojj87qDXwn8LUvs2bY=
-github.com/siderolabs/siderolink v0.3.1 h1:n0pkf7dEhiqX0nfcwWiEqGKoD5CuBRTrWdPBvmvQ8vs=
-github.com/siderolabs/siderolink v0.3.1/go.mod h1:LrkE9BoHzfi/m43EQx/Fk6kSal6Uvthu5AtRC3W5GcI=
+github.com/siderolabs/siderolink v0.3.2-0.20231109194336-71dd3084984d h1:05OjO5Ue/UGH6Onq9KLJN1VKl3G3EdKvbtLU2yNtl/E=
+github.com/siderolabs/siderolink v0.3.2-0.20231109194336-71dd3084984d/go.mod h1:3a+b/jpRwA+iyumrnyP2/VmkMUWr8AHZBo6LEHqx/rU=
 github.com/siderolabs/tcpproxy v0.1.0 h1:IbkS9vRhjMOscc1US3M5P1RnsGKFgB6U5IzUk+4WkKA=
 github.com/siderolabs/tcpproxy v0.1.0/go.mod h1:onn6CPPj/w1UNqQ0U97oRPF0CqbrgEApYCw4P9IiCW8=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
@@ -1014,8 +1014,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b h1:J1CaxgLerRR5lgx3wnr6L04cJFbWoceSK9JWBdglINo=
-golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b/go.mod h1:tqur9LnfstdR9ep2LaJT4lFUl0EjlHtge+gAjmsHUG4=
+golang.zx2c4.com/wireguard v0.0.0-20231022001213-2e0774f246fb h1:c5tyN8sSp8jSDxdCCDXVOpJwYXXhmTkNMt+g0zTSOic=
+golang.zx2c4.com/wireguard v0.0.0-20231022001213-2e0774f246fb/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
@@ -1140,8 +1140,8 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
 gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
-gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0 h1:Wobr37noukisGxpKo5jAsLREcpj61RxrWYzD8uwveOY=
-gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0/go.mod h1:Dn5idtptoW1dIos9U6A2rpebLs/MtTwFacjKb8jLdQA=
+gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 h1:TbRPT0HtzFP3Cno1zZo7yPzEEnfu8EjLfl6IU9VfqkQ=
+gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259/go.mod h1:AVgIgHMwK63XvmAzWG9vLQ41YnVHN0du0tEC46fI7yY=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

go.sum

@@ -24,18 +24,18 @@ type systemInformation struct {
 }
 
 // Update current systemInformation info.
-func (p systemInformation) Update(systemInformation *smbios.SystemInformation) {
-	translateSystemInformationInfo := func(in *smbios.SystemInformation) hardware.SystemInformationSpec {
-		return hardware.SystemInformationSpec{
-			Manufacturer: in.Manufacturer,
-			ProductName:  in.ProductName,
-			Version:      in.Version,
-			SerialNumber: in.SerialNumber,
-			UUID:         in.UUID,
-			WakeUpType:   in.WakeUpType.String(),
-			SKUNumber:    in.SKUNumber,
-		}
+func (p systemInformation) Update(systemInformation *smbios.SystemInformation, uuidRewrite string) {
+	if uuidRewrite == "" {
+		uuidRewrite = systemInformation.UUID
 	}
 
-	*p.SystemInformation.TypedSpec() = translateSystemInformationInfo(systemInformation)
+	*p.SystemInformation.TypedSpec() = hardware.SystemInformationSpec{
+		Manufacturer: systemInformation.Manufacturer,
+		ProductName:  systemInformation.ProductName,
+		Version:      systemInformation.Version,
+		SerialNumber: systemInformation.SerialNumber,
+		UUID:         uuidRewrite,
+		WakeUpType:   systemInformation.WakeUpType.String(),
+		SKUNumber:    systemInformation.SKUNumber,
+	}
 }

internal/app/machined/pkg/adapters/hardware/system_information.go

@@ -46,21 +46,6 @@ func (suite *HardwareSuite) SetupTest() {
 	suite.Require().NoError(err)
 }
 
-func (suite *HardwareSuite) assertResource(md resource.Metadata, check func(res resource.Resource) error) func() error {
-	return func() error {
-		r, err := suite.state.Get(suite.ctx, md)
-		if err != nil {
-			if state.IsNotFoundError(err) {
-				return retry.ExpectedError(err)
-			}
-
-			return err
-		}
-
-		return check(r)
-	}
-}
-
 func (suite *HardwareSuite) assertNoResource(md resource.Metadata) func() error {
 	return func() error {
 		_, err := suite.state.Get(suite.ctx, md)
@@ -83,3 +68,11 @@ func (suite *HardwareSuite) TearDownTest() {
 
 	suite.wg.Wait()
 }
+
+func (suite *HardwareSuite) State() state.State {
+	return suite.state
+}
+
+func (suite *HardwareSuite) Ctx() context.Context {
+	return suite.ctx
+}

internal/app/machined/pkg/controllers/hardware/hardware_test.go

@@ -10,14 +10,18 @@ import (
 	"strings"
 
 	"github.com/cosi-project/runtime/pkg/controller"
-	"github.com/cosi-project/runtime/pkg/resource"
+	"github.com/cosi-project/runtime/pkg/safe"
+	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/siderolabs/gen/optional"
 	"github.com/siderolabs/go-smbios/smbios"
 	"go.uber.org/zap"
 
 	hwadapter "github.com/siderolabs/talos/internal/app/machined/pkg/adapters/hardware"
 	runtimetalos "github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
+	"github.com/siderolabs/talos/internal/pkg/meta"
 	pkgSMBIOS "github.com/siderolabs/talos/internal/pkg/smbios"
 	"github.com/siderolabs/talos/pkg/machinery/resources/hardware"
+	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
 )
 
 // SystemInfoController populates CPU information of the underlying hardware.
@@ -33,7 +37,19 @@ func (ctrl *SystemInfoController) Name() string {
 
 // Inputs implements controller.Controller interface.
 func (ctrl *SystemInfoController) Inputs() []controller.Input {
-	return nil
+	return []controller.Input{
+		{
+			Namespace: runtime.NamespaceName,
+			Type:      runtime.MetaKeyType,
+			Kind:      controller.InputWeak,
+		},
+		{
+			Namespace: runtime.NamespaceName,
+			Type:      runtime.MetaLoadedType,
+			ID:        optional.Some(runtime.MetaLoadedID),
+			Kind:      controller.InputWeak,
+		},
+	}
 }
 
 // Outputs implements controller.Controller interface.
@@ -58,59 +74,83 @@ func (ctrl *SystemInfoController) Outputs() []controller.Output {
 //
 //nolint:gocyclo
 func (ctrl *SystemInfoController) Run(ctx context.Context, r controller.Runtime, logger *zap.Logger) error {
-	select {
-	case <-ctx.Done():
-		return nil
-	case <-r.EventCh():
-	}
-
 	// smbios info is not available inside container, so skip the controller
 	if ctrl.V1Alpha1Mode == runtimetalos.ModeContainer {
 		return nil
 	}
-	// controller runs only once
-	if ctrl.SMBIOS == nil {
-		s, err := pkgSMBIOS.GetSMBIOSInfo()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return nil
+		case <-r.EventCh():
+		}
+
+		_, err := safe.ReaderGetByID[*runtime.MetaLoaded](ctx, r, runtime.MetaLoadedID)
 		if err != nil {
-			return err
+			if state.IsNotFoundError(err) {
+				continue
+			}
+
+			return fmt.Errorf("error getting meta loaded resource: %w", err)
 		}
 
-		ctrl.SMBIOS = s
-	}
+		if ctrl.SMBIOS == nil {
+			var s *smbios.SMBIOS
 
-	if err := r.Modify(ctx, hardware.NewSystemInformation(hardware.SystemInformationID), func(res resource.Resource) error {
-		hwadapter.SystemInformation(res.(*hardware.SystemInformation)).Update(&ctrl.SMBIOS.SystemInformation)
+			s, err = pkgSMBIOS.GetSMBIOSInfo()
+			if err != nil {
+				return err
+			}
 
-		return nil
-	}); err != nil {
-		return fmt.Errorf("error updating objects: %w", err)
-	}
+			ctrl.SMBIOS = s
+		}
+
+		uuidRewriteRes, err := safe.ReaderGetByID[*runtime.MetaKey](ctx, r, runtime.MetaKeyTagToID(meta.UUIDOverride))
+		if err != nil && !state.IsNotFoundError(err) {
+			return fmt.Errorf("error getting meta key resource: %w", err)
+		}
+
+		var uuidRewrite string
 
-	for _, p := range ctrl.SMBIOS.ProcessorInformation {
-		// replaces `CPU 0` with `CPU-0`
-		id := strings.ReplaceAll(p.SocketDesignation, " ", "-")
+		if uuidRewriteRes != nil && uuidRewriteRes.TypedSpec().Value != "" {
+			uuidRewrite = uuidRewriteRes.TypedSpec().Value
 
-		if err := r.Modify(ctx, hardware.NewProcessorInfo(id), func(res resource.Resource) error {
-			hwadapter.Processor(res.(*hardware.Processor)).Update(&p)
+			logger.Info("using UUID rewrite", zap.String("uuid", uuidRewrite))
+		}
+
+		if err := safe.WriterModify(ctx, r, hardware.NewSystemInformation(hardware.SystemInformationID), func(res *hardware.SystemInformation) error {
+			hwadapter.SystemInformation(res).Update(&ctrl.SMBIOS.SystemInformation, uuidRewrite)
 
 			return nil
 		}); err != nil {
 			return fmt.Errorf("error updating objects: %w", err)
 		}
-	}
 
-	for _, m := range ctrl.SMBIOS.MemoryDevices {
-		// replaces `SIMM 0` with `SIMM-0`
-		id := strings.ReplaceAll(m.DeviceLocator, " ", "-")
+		for _, p := range ctrl.SMBIOS.ProcessorInformation {
+			// replaces `CPU 0` with `CPU-0`
+			id := strings.ReplaceAll(p.SocketDesignation, " ", "-")
 
-		if err := r.Modify(ctx, hardware.NewMemoryModuleInfo(id), func(res resource.Resource) error {
-			hwadapter.MemoryModule(res.(*hardware.MemoryModule)).Update(&m)
+			if err := safe.WriterModify(ctx, r, hardware.NewProcessorInfo(id), func(res *hardware.Processor) error {
+				hwadapter.Processor(res).Update(&p)
 
-			return nil
-		}); err != nil {
-			return fmt.Errorf("error updating objects: %w", err)
+				return nil
+			}); err != nil {
+				return fmt.Errorf("error updating objects: %w", err)
+			}
 		}
-	}
 
-	return nil
+		for _, m := range ctrl.SMBIOS.MemoryDevices {
+			// replaces `SIMM 0` with `SIMM-0`
+			id := strings.ReplaceAll(m.DeviceLocator, " ", "-")
+
+			if err := safe.WriterModify(ctx, r, hardware.NewMemoryModuleInfo(id), func(res *hardware.MemoryModule) error {
+				hwadapter.MemoryModule(res).Update(&m)
+
+				return nil
+			}); err != nil {
+				return fmt.Errorf("error updating objects: %w", err)
+			}
+		}
+	}
 }