feat: support nocloud include url userdata directive

This commit supports #include directive format of standard cloudinit
userdata to fetch userdata/machine config from the remote URL securely.

Signed-off-by: yashutanu <yashutanu1@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 60c12ba)

Author: yashutanu

internal/app/machined/pkg/runtime/v1alpha1/platform/nocloud/metadata.go

@@ -6,7 +6,10 @@
 package nocloud
 
 import (
+	"bufio"
+	"bytes"
 	"context"
+	stderrors "errors"
 	"fmt"
 	"log"
 	"net"
@@ -933,3 +936,52 @@ func withDefault[T comparable](v T, defaultValue T) T {
 
 	return v
 }
+
+// FetchInclude fetches nocloud #include configuration from the URL specified in the body.
+func (n *Nocloud) FetchInclude(ctx context.Context, body []byte, st state.State) ([]byte, error) {
+	u, err := ExtractIncludeURL(body)
+	if err != nil {
+		return nil, err
+	}
+
+	log.Printf("fetching the nocloud #include configuration from: %q", u.String())
+
+	if err = netutils.Wait(ctx, st); err != nil {
+		return nil, err
+	}
+
+	return download.Download(ctx, u.String(), download.WithErrorOnNotFound(errors.ErrNoConfigSource),
+		download.WithErrorOnEmptyResponse(errors.ErrNoConfigSource))
+}
+
+// ExtractIncludeURL extracts the URL from the body of a nocloud #include configuration.
+//
+// Note: only a single URL is expected in the body.
+func ExtractIncludeURL(body []byte) (*url.URL, error) {
+	var urlLine string
+
+	scanner := bufio.NewScanner(bytes.NewReader(body))
+
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if line == "" {
+			continue
+		}
+
+		if urlLine != "" {
+			return nil, fmt.Errorf("multiple #include URLs found in nocloud configuration: %q and %q", urlLine, line)
+		}
+
+		urlLine = line
+	}
+
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+
+	if urlLine == "" {
+		return nil, stderrors.New("no #include URL found in nocloud configuration")
+	}
+
+	return url.Parse(urlLine)
+}

internal/app/machined/pkg/runtime/v1alpha1/platform/nocloud/nocloud.go

@@ -96,8 +96,15 @@ func (n *Nocloud) Configuration(ctx context.Context, r state.State) ([]byte, err
 		return nil, err
 	}
 
-	if bytes.HasPrefix(machineConfigDl, []byte("#cloud-config")) {
+	firstLine, rest, _ := bytes.Cut(machineConfigDl, []byte("\n"))
+	firstLine = bytes.TrimSpace(firstLine)
+
+	switch {
+	case bytes.Equal(firstLine, []byte("#cloud-config")):
+		// ignore cloud-config, Talos does not support it
 		return nil, errors.ErrNoConfigSource
+	case bytes.Equal(firstLine, []byte("#include")):
+		return n.FetchInclude(ctx, rest, r)
 	}
 
 	return machineConfigDl, nil

internal/app/machined/pkg/runtime/v1alpha1/platform/nocloud/nocloud_test.go

@@ -189,3 +189,57 @@ func TestMedatada(t *testing.T) {
 		InternalDNS: "talos-worker-3",
 	}, md)
 }
+
+func TestExtractURL(t *testing.T) {
+	t.Parallel()
+
+	for _, test := range []struct {
+		name     string
+		userdata []byte
+
+		expectedURL   string
+		expectedError string
+	}{
+		{
+			name: "valid include userdata URL",
+			userdata: []byte(`https://metadataserver/userdata
+`),
+			expectedURL: "https://metadataserver/userdata",
+		},
+		{
+			name: "multiple URLs is invalid",
+			userdata: []byte(`
+https://metadataserver1/userdata
+https://metadataserver2/userdata
+https://metadataserver3/userdata
+`),
+			expectedError: "multiple #include URLs found",
+		},
+		{
+			name: "invalid URL",
+			userdata: []byte(`
+:/invalidurl/userdata`),
+			expectedError: "missing protocol scheme",
+		},
+		{
+			name: "no URL found",
+			userdata: []byte(`
+`),
+			expectedError: "no #include URL found in nocloud configuration",
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			u, err := nocloud.ExtractIncludeURL(test.userdata)
+
+			if test.expectedError != "" {
+				require.Error(t, err)
+				require.ErrorContains(t, err, test.expectedError)
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, test.expectedURL, u.String())
+			}
+		})
+	}
+}