Change default iPXE kernel/initrd download from HTTP to HTTPS

* Require an iPXE-enabled network boot environment with support for
TLS downloads. PXE clients must chainload to iPXE firmware compiled
with `DOWNLOAD_PROTO_HTTPS` enabled ([crypto](https://ipxe.org/crypto))
* iPXE's pre-compiled firmware binaries do _not_ enable HTTPS. Admins
should build iPXE from source with support enabled
* Affects the Container Linux and Flatcar Linux install profiles that
pull from public downloads. No effect when cached_install=true
or using Fedora Atomic, as those download from Matchbox
* Add `download_protocol` variable. Because recognizing boot firmware TLS
support is difficult in some environments, the protocol can be set to "http"
for the old behavior (discouraged)
Dalton Hubble
2019-03-09 19:34:15 -08:00
parent 4201eb1efa
commit 9493ed3b1d
5 changed files with 27 additions and 9 deletions

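The build step the commit message calls for (iPXE compiled from source with `DOWNLOAD_PROTO_HTTPS` enabled), as an added example; this is not code from the matchbox commit or from the iPXE project. It assumes a checkout of https://github.com/ipxe/ipxe whose path is passed in `IPXE_SRC` (a hypothetical variable name), an optional PEM CA certificate in `TRUST_CA` to embed via iPXE's documented `TRUST=` make option, and the `#undef DOWNLOAD_PROTO_HTTPS` line that iPXE's `config/general.h` ships with.

```shell
#!/bin/sh
# Added example, not code from the matchbox commit or the iPXE project:
# enable DOWNLOAD_PROTO_HTTPS in an iPXE source tree and build a
# chainloadable binary. Assumes an iPXE checkout (https://github.com/ipxe/ipxe)
# at $IPXE_SRC and, optionally, a PEM CA certificate at $TRUST_CA to embed as
# the trusted root (see https://ipxe.org/crypto). Variable names are ours.
set -eu

# iPXE ships config/general.h with a line of the form
#   #undef	DOWNLOAD_PROTO_HTTPS	/* Secure Hypertext Transfer Protocol */
# Flip that #undef to #define and keep the rest of the line. Idempotent:
# a line that already reads #define is left alone.
enable_https_in_config() {
    cfg="$1"
    sed 's/^#undef[[:space:]]*DOWNLOAD_PROTO_HTTPS/#define DOWNLOAD_PROTO_HTTPS/' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Exit 0 only if the config actually defines DOWNLOAD_PROTO_HTTPS. Run this
# before spending time on a build, and again on any tree someone hands you.
https_enabled() {
    grep -q '^#define[[:space:]]*DOWNLOAD_PROTO_HTTPS' "$1"
}

# Build one target inside the checkout's src/ directory. bin/undionly.kpxe is
# the image a BIOS PXE client usually chainloads; bin-x86_64-efi/ipxe.efi is
# the UEFI counterpart. TRUST=<ca.crt> makes iPXE trust only that CA, so the
# kernel/initrd host's certificate must chain to it.
build_ipxe() {
    src="$1"; target="$2"; ca="${3:-}"
    enable_https_in_config "$src/src/config/general.h"
    https_enabled "$src/src/config/general.h" || {
        echo "DOWNLOAD_PROTO_HTTPS is still undefined in $src/src/config/general.h" >&2
        return 1
    }
    if [ -n "$ca" ]; then
        make -C "$src/src" "$target" TRUST="$ca"
    else
        make -C "$src/src" "$target"
    fi
}

# Only build when pointed at a real checkout; the functions above are
# usable on their own.
if [ -n "${IPXE_SRC:-}" ]; then
    build_ipxe "$IPXE_SRC" "${IPXE_TARGET:-bin/undionly.kpxe}" "${TRUST_CA:-}"
fi
```

Run as `IPXE_SRC=/path/to/ipxe TRUST_CA=/path/to/ca.crt sh build-ipxe-https.sh`. The check matters because matchbox's new `download_protocol = "https"` default is only as good as the firmware: if the chainloaded iPXE was built from the stock config, the kernel download fails at boot time rather than at `terraform apply`.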

@ -118,6 +118,12 @@ variable "cluster_domain_suffix" {
default = "cluster.local"
}
variable "download_protocol" {
type = "string"
default = "https"
description = "Protocol iPXE should use to download the kernel and initrd. Defaults to https, which requires iPXE compiled with crypto support. Unused if cached_install is true."
}
variable "cached_install" {
type = "string"
default = "false"
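Review bot: `download_protocol` is declared as an unconstrained string, so nothing in this hunk rejects a value other than "http" or "https" (a typo such as "htps" would only surface as a failed network boot). With `type = "string"` there is no validation here, so at least spell out the accepted values and the caveat the commit message gives in the description, e.g. `description = "Protocol iPXE should use to download the kernel and initrd: \"https\" (default, requires iPXE compiled with crypto support) or \"http\" (discouraged). Unused if cached_install is true."`. The description also names only the `cached_install` case as unused, while the commit message says the setting has no effect for Fedora Atomic profiles as well; mention both so a reader of the variable alone gets the same picture.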