Upgrade tinkerbell to latest commit from upstream (#5167)

Author: rajeshvenkata

UPSTREAM_PROJECTS.yaml

@@ -331,7 +331,7 @@ projects:
             go_version: "1.22"
       - name: tinkerbell
         versions:
-          - tag: v0.22.1
+          - commit: 58b84f7d3bc93eda2c5f064665ba582d3618ef52
             go_version: "1.24"
   - org: torvalds
     repos:

projects/tinkerbell/tinkerbell/CHECKSUMS

@@ -1,4 +1,4 @@
-3f9447d5b501f2bde8a2662fc89ea69403d81b445d3a12e94d1333e159b2af37  _output/bin/tinkerbell/linux-amd64/tink-agent
-c0adfa79441f459e6d976f0be323ca7e6ab62d79fa1d40c3299cdd3816e121d6  _output/bin/tinkerbell/linux-amd64/tinkerbell
-c5eca8ac064d53e5d778d3b81f9e61a4bfa846e91c653d408f76a72f521aa9a6  _output/bin/tinkerbell/linux-arm64/tink-agent
-1c0f7695f2fe1192b6f197b58ad98cfe3a3a7a44c9c0854aa5ec8e4a5aae674a  _output/bin/tinkerbell/linux-arm64/tinkerbell
+b06f5a07486092230fae03c8266f6f6bcd6973481022b96017d758e22be13a5f  _output/bin/tinkerbell/linux-amd64/tink-agent
+d5b259f0970457a6eeabbf634e33463df83679a211691847edd856c262756321  _output/bin/tinkerbell/linux-amd64/tinkerbell
+83567a628e14c3abf8722e8fd1dcfc9c84029fe1939ba200217504deb08a4446  _output/bin/tinkerbell/linux-arm64/tink-agent
+4110b1555209ab37d8bf537a09dacd6b591e27a9e736e9095e5e332c427ef3e0  _output/bin/tinkerbell/linux-arm64/tinkerbell

projects/tinkerbell/tinkerbell/GIT_TAG

@@ -1 +1 @@
-v0.22.1
+58b84f7d3bc93eda2c5f064665ba582d3618ef52

projects/tinkerbell/tinkerbell/Makefile

@@ -54,6 +54,11 @@ HELM_CHART_NAMES=tinkerbell-helm
 HELM_DESTINATION_REPOSITORY=tinkerbell/tinkerbell/tinkerbell-helm
 HELM_IMAGE_LIST=tinkerbell/tinkerbell/tinkerbell tinkerbell/tinkerbell/tink-agent
 
+# When GIT_TAG is a commit SHA (not semver), helm package requires a valid semver version.
+# Override HELM_TAG with a semver wrapper: 0.0.1-<commit>-<build-tooling-hash>
+# This must match the NonProdSourceImageTagFormat in eks-anywhere release CLI bundle_release.go
+HELM_TAG=0.0.1-$(GIT_TAG)-$(GIT_HASH)
+
 # Exclude from upgrade buildspec until migration is complete
 EXCLUDE_FROM_UPGRADE_BUILDSPEC=true
 

projects/tinkerbell/tinkerbell/helm/sedfile.template

@@ -1,2 +1,2 @@
-s,^version: 0.0.1,version: ${IMAGE_TAG},g
+s,^version: 0.0.1,version: ${HELM_TAG},g
 s,^name: tinkerbell$,name: tinkerbell-helm,g

projects/tinkerbell/tinkerbell/patches/0001-Remove-secondstar-service.patch

@@ -1,7 +1,7 @@
-From 4152179a9a69f150f2999d061a23025602480f23 Mon Sep 17 00:00:00 2001
+From 331b068757b105adaeb02723072aa975efed3d77 Mon Sep 17 00:00:00 2001
 From: Rahul Ganesh <rahulgab@amazon.com>
 Date: Thu, 22 Jan 2026 16:46:18 -0800
-Subject: [PATCH 1/3] Remove secondstar service
+Subject: [PATCH 1/5] Remove secondstar service
 
 EKS-A does not use the secondstar (SSH over serial) service. Remove it
 to reduce binary size and dependencies.
@@ -11,14 +11,14 @@ it for machine metadata.
 
 Signed-off-by: Rahul Ganesh <rahulgab@amazon.com>
 ---
- cmd/tinkerbell/cmd.go             | 50 ++----------------------
- cmd/tinkerbell/flag/global.go     |  7 ----
- cmd/tinkerbell/flag/secondstar.go | 64 -------------------------------
- 3 files changed, 3 insertions(+), 118 deletions(-)
+ cmd/tinkerbell/cmd.go             | 50 ++--------------------
+ cmd/tinkerbell/flag/global.go     |  7 ---
+ cmd/tinkerbell/flag/secondstar.go | 71 -------------------------------
+ 3 files changed, 3 insertions(+), 125 deletions(-)
  delete mode 100644 cmd/tinkerbell/flag/secondstar.go
 
 diff --git a/cmd/tinkerbell/cmd.go b/cmd/tinkerbell/cmd.go
-index 565187ec..686c2e24 100644
+index 4b7d3a6a..5c2368d7 100644
 --- a/cmd/tinkerbell/cmd.go
 +++ b/cmd/tinkerbell/cmd.go
 @@ -23,7 +23,6 @@ import (
@@ -29,23 +29,23 @@ index 565187ec..686c2e24 100644
  	"github.com/tinkerbell/tinkerbell/smee"
  	"github.com/tinkerbell/tinkerbell/tink/controller"
  	"github.com/tinkerbell/tinkerbell/tink/server"
-@@ -36,7 +35,6 @@ import (
+@@ -37,7 +36,6 @@ import (
  const (
  	defaultRufioMetricsPort          = 8082
  	defaultRufioProbePort            = 8083
 -	defaultSecondStarPort            = 2222
  	defaultSmeeHTTPPort              = 7171
  	defaultSmeeHTTPSPort             = 7272
  	defaultTinkControllerMetricsPort = 8080
-@@ -61,7 +59,6 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
+@@ -63,7 +61,6 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
  		EnableTinkServer:     true,
  		EnableTinkController: true,
  		EnableRufio:          true,
 -		EnableSecondStar:     true,
+ 		EnableUI:             true,
  		EnableCRDMigrations:  true,
  		EmbeddedGlobalConfig: flag.EmbeddedGlobalConfig{
- 			EnableKubeAPIServer: (embeddedApiserverExecute != nil),
-@@ -113,14 +110,6 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
+@@ -116,14 +113,6 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
  		Config: rufio.NewConfig(rufioOpts...),
  	}
 
@@ -57,34 +57,35 @@ index 565187ec..686c2e24 100644
 -		},
 -	}
 -
- 	// order here determines the help output.
- 	top := ff.NewFlagSet("smee - DHCP and iPXE service")
- 	if embeddedFlagSet != nil {
-@@ -131,14 +120,12 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
+ 	uiOpts := []ui.Option{
+ 		ui.WithURLPrefix("/"),
+ 		ui.WithBindPort(defaultUIPort),
+@@ -142,15 +131,13 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
  	tfs := ff.NewFlagSet("tink server - Workflow service").SetParent(hfs)
  	cfs := ff.NewFlagSet("tink controller - Workflow controller").SetParent(tfs)
  	rfs := ff.NewFlagSet("rufio - BMC controller").SetParent(cfs)
 -	ssfs := ff.NewFlagSet("secondstar - SSH over serial service").SetParent(rfs)
--	gfs := ff.NewFlagSet("globals").SetParent(ssfs)
-+	gfs := ff.NewFlagSet("globals").SetParent(rfs)
+-	uifs := ff.NewFlagSet("ui - UI service").SetParent(ssfs)
++	uifs := ff.NewFlagSet("ui - UI service").SetParent(rfs)
+ 	gfs := ff.NewFlagSet("globals").SetParent(uifs)
  	flag.RegisterSmeeFlags(&flag.Set{FlagSet: sfs}, s)
  	flag.RegisterTootlesFlags(&flag.Set{FlagSet: hfs}, h)
  	flag.RegisterTinkServerFlags(&flag.Set{FlagSet: tfs}, ts)
  	flag.RegisterTinkControllerFlags(&flag.Set{FlagSet: cfs}, tc)
  	flag.RegisterRufioFlags(&flag.Set{FlagSet: rfs}, rc)
 -	flag.RegisterSecondStarFlags(&flag.Set{FlagSet: ssfs}, ssc)
+ 	flag.RegisterUIFlags(&flag.Set{FlagSet: uifs}, uic)
  	flag.RegisterGlobal(&flag.Set{FlagSet: gfs}, globals)
  	if embeddedApiserverExecute != nil && embeddedFlagSet != nil {
- 		// This way the embedded flags only show up when the embedded services have been compiled in.
-@@ -170,7 +157,6 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
+@@ -183,7 +170,6 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
  		"tinkServerEnabled", globals.EnableTinkServer,
  		"tinkControllerEnabled", globals.EnableTinkController,
  		"rufioEnabled", globals.EnableRufio,
 -		"secondStarEnabled", globals.EnableSecondStar,
+ 		"uiEnabled", globals.EnableUI,
  		"publicIP", globals.PublicIP,
  		"embeddedKubeAPIServer", globals.EmbeddedGlobalConfig.EnableKubeAPIServer,
- 		"embeddedEtcd", globals.EmbeddedGlobalConfig.EnableETCD,
-@@ -224,14 +210,6 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
+@@ -238,14 +224,6 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
  		rc.Config.ProbeAddr = netip.AddrPortFrom(globals.BindAddr, rc.Config.ProbeAddr.Port())
  	}
 
@@ -96,10 +97,10 @@ index 565187ec..686c2e24 100644
 -		ssc.Config.BindAddr = globals.BindAddr
 -	}
 -
- 	g, ctx := errgroup.WithContext(ctx)
- 	// Etcd server
- 	g.Go(func() error {
-@@ -294,7 +272,7 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
+ 	// UI
+ 	uic.Convert(globals.BindAddr, globals.TLS.CertFile, globals.TLS.KeyFile)
+ 
+@@ -311,7 +289,7 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
  			cliLog.Info("CRD migrations completed")
  		}
 
@@ -108,15 +109,15 @@ index 565187ec..686c2e24 100644
  		if err != nil {
  			return fmt.Errorf("failed to create kube backend: %w", err)
  		}
-@@ -307,7 +285,6 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
+@@ -324,7 +302,6 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
  		tc.Config.Client = b.ClientConfig
  		tc.Config.DynamicClient = b
  		rc.Config.Client = b.ClientConfig
 -		ssc.Config.Backend = b
  	case "file":
  		b, err := newFileBackend(ctx, log, globals.BackendFilePath)
  		if err != nil {
-@@ -401,19 +378,6 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
+@@ -418,19 +395,6 @@ func Execute(ctx context.Context, cancel context.CancelFunc, args []string) erro
  		return nil
  	})
 
@@ -127,22 +128,25 @@ index 565187ec..686c2e24 100644
 -			return nil
 -		}
 -		ll := ternary((ssc.LogLevel != 0), ssc.LogLevel, globals.LogLevel)
--		if err := ssc.Config.Start(ctx, defaultLogger(ll).WithName("secondstar")); err != nil {
+-		if err := ssc.Config.Start(ctx, getLogger(ssc.NoLog, ll).WithName("secondstar")); err != nil {
 -			return fmt.Errorf("failed to start secondstar service: %w", err)
 -		}
 -		return nil
 -	})
 -
- 	if err := g.Wait(); err != nil && !errors.Is(err, context.Canceled) {
- 		return err
- 	}
-@@ -445,13 +409,10 @@ func numEnabled(globals *flag.GlobalConfig) int {
+ 	// UI
+ 	g.Go(func() error {
+ 		if !globals.EnableUI {
+@@ -475,16 +439,13 @@ func numEnabled(globals *flag.GlobalConfig) int {
  	if globals.EnableRufio {
  		n++
  	}
 -	if globals.EnableSecondStar {
 -		n++
 -	}
+ 	if globals.EnableUI {
+ 		n++
+ 	}
  	return n
  }
 
@@ -151,7 +155,7 @@ index 565187ec..686c2e24 100644
  	idxs := make(map[kube.IndexType]kube.Index, 0)
 
  	if smeeEnabled {
-@@ -467,11 +428,6 @@ func enabledIndexes(smeeEnabled, tootlesEnabled, tinkServerEnabled, secondStarEn
+@@ -500,11 +461,6 @@ func enabledIndexes(smeeEnabled, tootlesEnabled, tinkServerEnabled, secondStarEn
  			idxs[k] = v
  		}
  	}
@@ -164,26 +168,26 @@ index 565187ec..686c2e24 100644
  	return idxs
  }
 diff --git a/cmd/tinkerbell/flag/global.go b/cmd/tinkerbell/flag/global.go
-index 9b14383a..6ea5a506 100644
+index 30fba8ec..ce112939 100644
 --- a/cmd/tinkerbell/flag/global.go
 +++ b/cmd/tinkerbell/flag/global.go
 @@ -23,7 +23,6 @@ type GlobalConfig struct {
  	EnableTinkServer     bool
  	EnableTinkController bool
  	EnableRufio          bool
 -	EnableSecondStar     bool
+ 	EnableUI             bool
  	EnableCRDMigrations  bool
  	EmbeddedGlobalConfig EmbeddedGlobalConfig
- 	BackendKubeOptions   BackendKubeOptions
-@@ -58,7 +57,6 @@ func RegisterGlobal(fs *Set, gc *GlobalConfig) {
+@@ -59,7 +58,6 @@ func RegisterGlobal(fs *Set, gc *GlobalConfig) {
  	fs.Register(EnableTinkServer, ffval.NewValueDefault(&gc.EnableTinkServer, gc.EnableTinkServer))
  	fs.Register(EnableTinkController, ffval.NewValueDefault(&gc.EnableTinkController, gc.EnableTinkController))
  	fs.Register(EnableRufioController, ffval.NewValueDefault(&gc.EnableRufio, gc.EnableRufio))
 -	fs.Register(EnableSecondStar, ffval.NewValueDefault(&gc.EnableSecondStar, gc.EnableSecondStar))
+ 	fs.Register(EnableUI, ffval.NewValueDefault(&gc.EnableUI, gc.EnableUI))
  	fs.Register(EnableCRDMigrations, ffval.NewValueDefault(&gc.EnableCRDMigrations, gc.EnableCRDMigrations))
  	fs.Register(LogLevelConfig, ffval.NewValueDefault(&gc.LogLevel, gc.LogLevel))
- 	fs.Register(OTELEndpoint, ffval.NewValueDefault(&gc.OTELEndpoint, gc.OTELEndpoint))
-@@ -160,11 +158,6 @@ var EnableRufioController = Config{
+@@ -162,11 +160,6 @@ var EnableRufioController = Config{
  	Usage: "enable Rufio Controller service",
  }
 
@@ -192,15 +196,15 @@ index 9b14383a..6ea5a506 100644
 -	Usage: "enable SecondStar service",
 -}
 -
- var EnableKubeAPIServer = Config{
- 	Name:  "enable-embedded-kube-apiserver",
- 	Usage: "enables the embedded kube-apiserver",
+ var EnableUI = Config{
+ 	Name:  "enable-ui",
+ 	Usage: "enable UI service",
 diff --git a/cmd/tinkerbell/flag/secondstar.go b/cmd/tinkerbell/flag/secondstar.go
 deleted file mode 100644
-index 4b0faecf..00000000
+index 5f396ecc..00000000
 --- a/cmd/tinkerbell/flag/secondstar.go
 +++ /dev/null
-@@ -1,64 +0,0 @@
+@@ -1,71 +0,0 @@
 -package flag
 -
 -import (
@@ -213,6 +217,7 @@ index 4b0faecf..00000000
 -	Config      *secondstar.Config
 -	HostKeyPath string
 -	LogLevel    int
+-	NoLog       bool
 -}
 -
 -var KubeIndexesSecondStar = map[kube.IndexType]kube.Index{
@@ -226,6 +231,7 @@ index 4b0faecf..00000000
 -	fs.Register(SecondStarIPMIToolPath, ffval.NewValueDefault(&ssc.Config.IPMITOOLPath, ssc.Config.IPMITOOLPath))
 -	fs.Register(SecondStarIdleTimeout, ffval.NewValueDefault(&ssc.Config.IdleTimeout, ssc.Config.IdleTimeout))
 -	fs.Register(SecondStarLogLevel, ffval.NewValueDefault(&ssc.LogLevel, ssc.LogLevel))
+-	fs.Register(SecondStarNoLog, ffval.NewValueDefault(&ssc.NoLog, ssc.NoLog))
 -}
 -
 -var SecondStarPort = Config{
@@ -253,6 +259,11 @@ index 4b0faecf..00000000
 -	Usage: "the higher the number the more verbose, level 0 inherits the global log level",
 -}
 -
+-var SecondStarNoLog = Config{
+-	Name:  "secondstar-no-log",
+-	Usage: "disable all logging output for SecondStar service",
+-}
+-
 -func (ssc *SecondStarConfig) Convert() error {
 -	// convert the host key path to an SSH Signer
 -	if ssc.HostKeyPath == "" {
@@ -266,5 +277,5 @@ index 4b0faecf..00000000
 -	return nil
 -}
 -- 
-2.46.0
+2.49.0
 

projects/tinkerbell/tinkerbell/patches/0002-Auto-patch-reboot-action-to-success.patch

@@ -1,7 +1,7 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From b51df29bc299f114468043ed035e8139d205f777 Mon Sep 17 00:00:00 2001
 From: rajeshvenkata <rajesh.venkat.p@gmail.com>
 Date: Wed, 28 Jan 2026 00:00:00 +0000
-Subject: [PATCH 2/3] Auto-patch reboot action to success
+Subject: [PATCH 2/5] Auto-patch reboot action to success
 
 During reboot actions, the tink-agent may be terminated before it can
 report the action status back to the server, as the machine reboots
@@ -19,6 +19,7 @@ Signed-off-by: rajeshvenkata <rajesh.venkat.p@gmail.com>
  1 file changed, 11 insertions(+)
 
 diff --git a/tink/server/internal/grpc/grpc.go b/tink/server/internal/grpc/grpc.go
+index 3b01a7ba..d496e6c7 100644
 --- a/tink/server/internal/grpc/grpc.go
 +++ b/tink/server/internal/grpc/grpc.go
 @@ -325,6 +325,17 @@ func (h *Handler) doReportActionStatus(ctx context.Context, req *proto.ActionSta
@@ -40,4 +41,5 @@ diff --git a/tink/server/internal/grpc/grpc.go b/tink/server/internal/grpc/grpc.
  	for ti, task := range wf.Status.Tasks {
  		for ai, action := range task.Actions {
 -- 
-2.40.1
+2.49.0
+