josh
9bb4b09a04
CI / Lint + build + test (push) Has been cancelled
Post-repair hardware validation pipeline for Proxmox cluster hosts. Go orchestrator + in-image agent + mkosi live image + bundled dnsmasq PXE + SQLite + HTMX/SSE UI + notify registry + janitor + full docs.
182 lines
4.9 KiB
Go
182 lines
4.9 KiB
Go
package agent
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/sha256"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
// Client talks to the orchestrator's /api/v1/runs/:id/* endpoints.
|
|
type Client struct {
|
|
BaseURL string
|
|
RunID int64
|
|
Token string
|
|
TLSCertFPR string // optional sha256 hex fingerprint
|
|
HTTP *http.Client
|
|
}
|
|
|
|
func NewClient(baseURL string, runID int64, token, tlsCertFPR string) *Client {
|
|
tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
|
|
// Cert pinning: if fingerprint provided, accept any cert whose DER
|
|
// sha256 matches. The orchestrator may be using a self-signed cert
|
|
// inside the LAN.
|
|
if tlsCertFPR != "" {
|
|
want := strings.ToLower(strings.ReplaceAll(tlsCertFPR, ":", ""))
|
|
tlsCfg.InsecureSkipVerify = true
|
|
tlsCfg.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
|
|
for _, c := range rawCerts {
|
|
sum := sha256.Sum256(c)
|
|
if hex.EncodeToString(sum[:]) == want {
|
|
return nil
|
|
}
|
|
}
|
|
return fmt.Errorf("agent: no presented cert matched pinned fingerprint")
|
|
}
|
|
}
|
|
return &Client{
|
|
BaseURL: strings.TrimRight(baseURL, "/"),
|
|
RunID: runID,
|
|
Token: token,
|
|
TLSCertFPR: tlsCertFPR,
|
|
HTTP: &http.Client{
|
|
Timeout: 30 * time.Second,
|
|
Transport: &http.Transport{TLSClientConfig: tlsCfg},
|
|
},
|
|
}
|
|
}
|
|
|
|
func (c *Client) Hello(ctx context.Context) error {
|
|
return c.postJSON(ctx, "/hello", nil, nil)
|
|
}
|
|
|
|
func (c *Client) Claim(ctx context.Context, agentIP string) (*ClaimResponse, error) {
|
|
body := map[string]any{"agent_ip": agentIP}
|
|
var out ClaimResponse
|
|
if err := c.postJSON(ctx, "/claim", body, &out); err != nil {
|
|
return nil, err
|
|
}
|
|
return &out, nil
|
|
}
|
|
|
|
func (c *Client) Heartbeat(ctx context.Context) (*HeartbeatResponse, error) {
|
|
var out HeartbeatResponse
|
|
if err := c.postJSON(ctx, "/heartbeat", nil, &out); err != nil {
|
|
return nil, err
|
|
}
|
|
return &out, nil
|
|
}
|
|
|
|
func (c *Client) Log(ctx context.Context, lines []LogLine) error {
|
|
return c.postJSON(ctx, "/log", map[string]any{"lines": lines}, nil)
|
|
}
|
|
|
|
func (c *Client) Result(ctx context.Context, result any) (*ResultResponse, error) {
|
|
var out ResultResponse
|
|
if err := c.postJSON(ctx, "/result", result, &out); err != nil {
|
|
return nil, err
|
|
}
|
|
return &out, nil
|
|
}
|
|
|
|
func (c *Client) Hold(ctx context.Context, agentIP string) (*HoldResponse, error) {
|
|
var out HoldResponse
|
|
if err := c.postJSON(ctx, "/hold", map[string]any{"agent_ip": agentIP}, &out); err != nil {
|
|
return nil, err
|
|
}
|
|
return &out, nil
|
|
}
|
|
|
|
// Sensor posts a batch of numeric samples (thermal readings, fio IOPS,
|
|
// iperf throughput, PSU voltages). Empty batches are allowed.
|
|
func (c *Client) Sensor(ctx context.Context, samples []SensorSample) error {
|
|
return c.postJSON(ctx, "/sensor", map[string]any{"samples": samples}, nil)
|
|
}
|
|
|
|
// SensorSample is the on-wire shape; the server persists each row into
|
|
// the measurements table.
|
|
type SensorSample struct {
|
|
TS string `json:"ts,omitempty"`
|
|
Kind string `json:"kind"`
|
|
Key string `json:"key"`
|
|
Value float64 `json:"value"`
|
|
Unit string `json:"unit,omitempty"`
|
|
}
|
|
|
|
type ClaimResponse struct {
|
|
OK bool `json:"ok"`
|
|
RunID int64 `json:"run_id"`
|
|
Stages []string `json:"stages"`
|
|
ExpectedDisks []ClaimExpectedDiskSpec `json:"expected_disks"`
|
|
IperfPort int `json:"iperf_port"`
|
|
}
|
|
|
|
type ClaimExpectedDiskSpec struct {
|
|
Serial string `json:"serial"`
|
|
SizeGB int `json:"size_gb"`
|
|
}
|
|
|
|
type HeartbeatResponse struct {
|
|
Cmd string `json:"cmd"`
|
|
State string `json:"state"`
|
|
Stage string `json:"stage,omitempty"`
|
|
OverrideFlags json.RawMessage `json:"override_flags,omitempty"`
|
|
}
|
|
|
|
type LogLine struct {
|
|
TS string `json:"ts,omitempty"`
|
|
Level string `json:"level,omitempty"`
|
|
Text string `json:"text"`
|
|
}
|
|
|
|
type ResultResponse struct {
|
|
OK bool `json:"ok"`
|
|
NextState string `json:"next_state"`
|
|
}
|
|
|
|
type HoldResponse struct {
|
|
AuthorizedKey string `json:"authorized_key"`
|
|
RunID int64 `json:"run_id"`
|
|
}
|
|
|
|
func (c *Client) postJSON(ctx context.Context, path string, in, out any) error {
|
|
var body io.Reader
|
|
if in != nil {
|
|
buf, err := json.Marshal(in)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
body = bytes.NewReader(buf)
|
|
}
|
|
url := fmt.Sprintf("%s/api/v1/runs/%d%s", c.BaseURL, c.RunID, path)
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, body)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
req.Header.Set("Authorization", "Bearer "+c.Token)
|
|
if in != nil {
|
|
req.Header.Set("Content-Type", "application/json")
|
|
}
|
|
resp, err := c.HTTP.Do(req)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer func() { _ = resp.Body.Close() }()
|
|
if resp.StatusCode >= 300 {
|
|
b, _ := io.ReadAll(resp.Body)
|
|
return fmt.Errorf("%s %s: %d %s", req.Method, path, resp.StatusCode, strings.TrimSpace(string(b)))
|
|
}
|
|
if out != nil {
|
|
return json.NewDecoder(resp.Body).Decode(out)
|
|
}
|
|
return nil
|
|
}
|