From 4ff4abfdfe3842cd287ef4be197968540ee925a7 Mon Sep 17 00:00:00 2001
From: Jacob Weinstock
Date: Sun, 8 Oct 2023 09:44:05 -0600
Subject: [PATCH 1/2] Use checksum from Hook release: Hook now provides a checksum file. Use it to verify downloads of Hook.
Signed-off-by: Jacob Weinstock
---
 tinkerbell/stack/Chart.yaml | 4 ++--
 tinkerbell/stack/templates/nginx.yaml | 21 ++++++++++-----------
 tinkerbell/stack/values.yaml | 10 ++++------
 3 files changed, 16 insertions(+), 19 deletions(-)
diff --git a/tinkerbell/stack/Chart.yaml b/tinkerbell/stack/Chart.yaml
index 458be338..d6c5ef1f 100644
--- a/tinkerbell/stack/Chart.yaml
+++ b/tinkerbell/stack/Chart.yaml
@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.1
+version: 0.4.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.3.1"
+appVersion: "0.4.0"
 dependencies:
 - name: tink
diff --git a/tinkerbell/stack/templates/nginx.yaml b/tinkerbell/stack/templates/nginx.yaml
index 15d3f100..0c9e3035 100644
--- a/tinkerbell/stack/templates/nginx.yaml
+++ b/tinkerbell/stack/templates/nginx.yaml
@@ -64,20 +64,19 @@ spec: initContainers: - name: init-hook-download image: {{ .Values.stack.hook.image }} - command: ["/bin/sh", "-xeuc"] + command: ["bash", "-xeuc"] args: - | cd /usr/share/nginx/html - {{- range $index, $keys := .Values.stack.hook.downloads }} - p=/tmp/hook{{ $index }}.tar.gz - rm -f $p - wget -O $p {{ $keys.url }} - sha512sum -c < 0.8.1 Hook release. + # This is because previous Hook versions didn't provide a checksum file. + downloadURL: https://github.com/tinkerbell/hook/releases/download/latest kubevip: enabled: true name: kube-vip From 94ee906fb71ce0eb2926ba3b244b3cae111492b2 Mon Sep 17 00:00:00 2001 From: Jacob Weinstock Date: Mon, 9 Oct 2023 11:13:39 -0600 Subject: [PATCH 2/2] Download Hook tarballs to a temp dir: Signed-off-by: Jacob Weinstock --- tinkerbell/stack/templates/nginx.yaml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/tinkerbell/stack/templates/nginx.yaml b/tinkerbell/stack/templates/nginx.yaml index 0c9e3035..372f9d20 100644 --- a/tinkerbell/stack/templates/nginx.yaml +++ b/tinkerbell/stack/templates/nginx.yaml @@ -69,14 +69,17 @@ spec: - | cd /usr/share/nginx/html rm -f *.tar.gz checksum.txt vmlinuz* initramfs* - base_loc="{{ .Values.stack.hook.downloadURL}}" + base_loc="https://github.com/tinkerbell/hook/releases/download/latest" files="$base_loc/hook_aarch64.tar.gz $base_loc/hook_x86_64.tar.gz $base_loc/checksum.txt" - for f in $files; do - echo "$f" - wget "$f" + tmp_dir=$(mktemp -d) + for f in ${files}; do + echo "${f}" + wget -P "${tmp_dir}" "${f}" done - sha512sum -c checksum.txt - for f in *.tar.gz; do tar --no-same-permissions --overwrite -ozxvf "$f" && rm -f "$f"; done + (cd "${tmp_dir}" && sha512sum -c checksum.txt) + mv "${tmp_dir}"/checksum.txt . + for f in ${tmp_dir}/*.tar.gz; do tar --no-same-permissions --overwrite -ozxvf "${f}" && rm -f "${f}"; done + rm -rf "${tmp_dir}" volumeMounts: - mountPath: /usr/share/nginx/html name: hook-artifacts
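Review bot: `sha512sum -c checksum.txt` in the PATCH 2/2 hunk checks the tarballs against a checksum file fetched in the same `wget` loop from the same `releases/download/latest` location, so it detects a corrupted download but not a replaced release asset, and `latest` may resolve to different content each time the init container runs. The lines this series removes appear to have verified each download against a digest carried in the chart values, which was the stronger guarantee; consider keeping an expected digest for `checksum.txt` (or per tarball) in values and pointing `base_loc` at a fixed release tag rather than `latest`. The same hunk replaces `{{ .Values.stack.hook.downloadURL}}` with a literal URL, so the `downloadURL` value added to values.yaml in PATCH 1/2 looks unused unless something outside this diff reads it. Separately, in `tar ... "${f}" && rm -f "${f}"` a failing `tar` does not trip `-e`, because it is not the last command of the `&&` list, so the container can exit 0 with incomplete artifacts; `tar --no-same-permissions --overwrite -ozxvf "${f}" || exit 1` followed by `rm -f "${f}"` would fail closed.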