Update release with new fabrica-based services; remove old services#50
Update release with new fabrica-based services; remove old services#50travisbcotton wants to merge 70 commits into
Conversation
9bf779d to
ef8d070
Compare
|
Just a couple of other notes before merging. We need to update the
We also need to update |
|
Another note...we're going to update the CoreDHCP config in Here's snippet of the tutorial config should look like after the changes: - coresmd: |
svc_base_uri=https://demo.openchami.cluster:8443
ipxe_base_uri=http://172.16.0.254:8081
ca_cert=/root_ca/root_ca.crt
cache_valid=30s
lease_time=1h
single_port=false
- bootloop: |
lease_file=/tmp/coredhcp.db
script_path=default
lease_time=5m
ipv4_start=172.16.0.200
ipv4_end=172.16.0.250 |
|
A couple of changes:
|
8ab666e to
fc525d0
Compare
|
We'll need |
|
We'll have to note these major changes in the release notes once this is merged. We'll want to bump the minor version on the tag. |
651ce7d to
caa1bd3
Compare
|
Should we provide a Edit: Just to add, here's the default boot-service config.yaml: systemd/configs/boot-service.yaml# SPDX-FileCopyrightText: 2025 OpenCHAMI Contributors
#
# SPDX-License-Identifier: MIT
# OpenCHAMI Boot Service Configuration Example
#
# This is a comprehensive example configuration file for the OpenCHAMI boot service.
# To use this configuration:
# 1. Copy this file to config.yaml: cp config.example.yaml config.yaml
# 2. Customize the settings below for your environment
# 3. Remove or comment out sections you don't need
#
# Configuration precedence (highest to lowest):
# 1. Command-line flags
# 2. Environment variables (e.g., BOOT_SERVICE_PORT=8082)
# 3. Configuration file (config.yaml)
# 4. Default values
# =============================================================================
# SERVER CONFIGURATION
# =============================================================================
# HTTP server settings
port: 8082 # Port to listen on
host: "0.0.0.0" # Interface to bind to (0.0.0.0 for all interfaces)
read_timeout: 30 # HTTP read timeout in seconds
write_timeout: 30 # HTTP write timeout in seconds
idle_timeout: 120 # HTTP idle timeout in seconds
# =============================================================================
# STORAGE CONFIGURATION
# =============================================================================
# Data storage settings
data_dir: "./data" # Directory for storing boot configurations
storage_type: "file" # Storage backend: "file", "database" (future)
# Database settings (when storage_type: "database")
# database:
# driver: "postgres"
# host: "localhost"
# port: 5432
# name: "boot_service"
# user: "boot_user"
# password: "boot_password"
# ssl_mode: "require"
# max_connections: 25
# connection_timeout: 30
# =============================================================================
# FEATURE TOGGLES
# =============================================================================
# Authentication
enable_auth: false # Enable TokenSmith JWT authentication
# Set to true for production environments
# Metrics and monitoring
enable_metrics: true # Enable Prometheus metrics endpoint
metrics_port: 9092 # Port for metrics endpoint (/metrics)
# API compatibility
enable_legacy_api: true # Enable legacy BSS-compatible endpoints
# Disable to force use of new API only
# =============================================================================
# AUTHENTICATION CONFIGURATION (when enable_auth: true)
# =============================================================================
auth:
# Core authentication settings
enabled: false # Must match enable_auth above
# JWT validation method (choose one):
# Option 1: JWKS URL (recommended for production)
jwks_url: "https://auth.openchami.org/.well-known/jwks.json"
jwks_refresh_interval: "1h" # How often to refresh JWKS cache
# Option 2: Static RSA public key (for development/testing)
# jwt_public_key: |
# -----BEGIN PUBLIC KEY-----
# MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
# -----END PUBLIC KEY-----
# JWT validation options
jwt_issuer: "https://auth.openchami.org" # Expected token issuer
jwt_audience: "boot-service" # Expected token audience
validate_expiration: true # Check token expiration
validate_issuer: true # Validate issuer claim
validate_audience: true # Validate audience claim
# Authorization requirements
required_claims: ["sub", "iss", "aud"] # Required JWT claims
required_scopes: ["boot:read"] # Required OAuth2 scopes
# Development/testing options (never use in production)
allow_empty_token: false # Allow requests without tokens
non_enforcing: false # Log auth failures but don't block requests
# =============================================================================
# HARDWARE STATE MANAGER INTEGRATION
# =============================================================================
# HSM (Hardware State Manager) settings
hsm_url: "http://localhost:27779" # URL of the HSM service
# Set to your HSM endpoint
# TokenSmith-backed HSM service authentication
# When both hsm_url and tokensmith_url are configured, boot-service exchanges a
# bootstrap token for short-lived service tokens and adds them to HSM requests.
# Standardized env vars: TOKENSMITH_URL, TOKENSMITH_BOOTSTRAP_TOKEN,
# TOKENSMITH_TARGET_SERVICE, TOKENSMITH_SCOPES, TOKENSMITH_REFRESH_SKEW_SEC
tokensmith_url: "http://localhost:8080"
tokensmith_target_service: "hsm"
tokensmith_scopes: "hsm:read"
tokensmith_refresh_skew_sec: 120
# tokensmith_bootstrap_token: "<bootstrap-jwt>" # Prefer env var for secrets
# Environment fallback: TOKENSMITH_BOOTSTRAP_TOKEN
# HSM authentication (when HSM requires auth)
# hsm_auth:
# type: "service_token" # Authentication type for HSM
# service_name: "boot-service"
# token_endpoint: "http://tokensmith:8080/token"
# =============================================================================
# EXTERNAL SERVICES
# =============================================================================
# TokenSmith authentication service (when enable_auth: true)
tokensmith:
url: "http://localhost:8080" # TokenSmith service URL
timeout: 30 # Request timeout in seconds
# Service-to-service authentication
service_auth:
enabled: false # Enable service tokens
service_name: "boot-service" # This service's identifier
token_endpoint: "/token" # Token endpoint path
# BSS (Boot Script Service) integration
bss:
enabled: false # Enable BSS integration
url: "http://localhost:27778" # BSS service URL
timeout: 30 # Request timeout in seconds
# =============================================================================
# LOGGING AND MONITORING
# =============================================================================
# Logging configuration
logging:
level: "info" # Log level: debug, info, warn, error
format: "json" # Log format: json, text
output: "stdout" # Log output: stdout, stderr, file
# file: "/var/log/boot-service.log" # Log file (when output: file)
# Health check configuration
health:
enabled: true # Enable health check endpoint
endpoint: "/health" # Health check URL path
timeout: 5 # Health check timeout in seconds
# =============================================================================
# PERFORMANCE AND SCALING
# =============================================================================
# Request limits
limits:
max_request_size: "10MB" # Maximum request body size
max_concurrent: 100 # Maximum concurrent requests
rate_limit: 1000 # Requests per minute per IP
# Caching (future feature)
# cache:
# enabled: false
# type: "memory" # Cache type: memory, redis
# ttl: "5m" # Cache TTL
# max_size: "100MB" # Maximum cache size
# =============================================================================
# DEVELOPMENT AND TESTING
# =============================================================================
# Development mode settings
development:
enabled: false # Enable development mode
cors_enabled: true # Enable CORS for browser testing
cors_origins: ["*"] # Allowed CORS origins
debug_endpoints: false # Enable debug/diagnostic endpoints
mock_services: false # Use mock external services
# =============================================================================
# DEPLOYMENT ENVIRONMENT EXAMPLES
# =============================================================================
# Uncomment and modify one of these sections for your deployment environment:
# --- Development Environment ---
# enable_auth: false
# enable_metrics: true
# logging:
# level: "debug"
# development:
# enabled: true
# debug_endpoints: true
# --- Production Environment ---
# enable_auth: true
# enable_metrics: true
# auth:
# enabled: true
# jwks_url: "https://auth.openchami.org/.well-known/jwks.json"
# jwt_issuer: "https://auth.openchami.org"
# jwt_audience: "boot-service"
# required_scopes: ["boot:read"]
# logging:
# level: "info"
# format: "json"
# --- Kubernetes/Container Environment ---
# port: 8080
# host: "0.0.0.0"
# data_dir: "/data"
# auth:
# jwks_url: "http://tokensmith:8080/.well-known/jwks.json"
# jwt_issuer: "openchami-tokensmith"
# jwt_audience: "openchami-cluster"
# hsm_url: "http://smd:27779"
# logging:
# format: "json"
# output: "stdout" |
We may want to add default hostname rules since the default if none is to prefix with The above will make the node hostnames be like |
synackd
left a comment
There was a problem hiding this comment.
Initial code review without testing this yet.
240792f to
a800adc
Compare
synackd
left a comment
There was a problem hiding this comment.
Testing now. I get:
sed: can't read /etc/containers/systemd/opaal.container: No such file or directory
when running the openchami-certificate-update script.
If getting rid of hydra, we'll want to remove references to it, e.g. in
release/scripts/openchami_profile.sh
Line 27 in d77457c
We can probably just get rid of those functions.
3cc4ae4 to
49b143d
Compare
Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
eaee9ff to
4f94aef
Compare
|
Rebased to incorporate openchami.target changes on main. |
|
Capturing this here so it is public and not just part of a DM thread... Sometime around the time of the rebase, the following commits were lost on this branch: This means, among other things, that metadata-service regressed from v0.1.2 to v0.1.1 in the branch, which causes metadata service to stop working. |
|
I think we can take these out of the # Environemnt Variables
URLS_SELF_ISSUER=https://${SYSTEM_URL}/
URLS_SELF_PUBLIC=https://${SYSTEM_URL}/
URLS_LOGIN=https://${SYSTEM_URL}/login
URLS_CONSENT=https://${SYSTEM_URL}/consent
URLS_LOGOUT=https://${SYSTEM_URL}/logout |
|
I am getting a failure between What I see in the logs is that Then the second is on After that
The last continuing in a loop until When the After this, |
|
I have found a fix for the
This overrides the |
Signed-off-by: David Allen <davidallendj@gmail.com>
I just pushed these changes to the branch for the containers. They seemed to have been working when I tested on my JS2 instance. |
Signed-off-by: David Allen <davidallendj@gmail.com>
Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
Enable YAML data resource unmarshalling. Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
Enable YAML data resource unmarshalling. Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
Thanks, Eric. I've re-added these commits. |
#61 cleans this up in a more idiomatic way. Once that gets merged, we can rebase this on that. |
That was my original plan so that the legacy services would get the new systemd paths as well as the new ones in this PR, and so that we could work out the initial kinks of that PR and this one in parallel. |
I am more focused on getting the new services merged into the release after testing what we already got here. I don't really plan on testing the other PR and would prefer not having to change my current testing environment to finish testing especially since the PR is already massive. |
I've already tested that PR and am working with @seantronsen to finalize it if you're worried about stretching yourself thin. That said, while it would be nice to have a version of the release that uses the proper systemd paths for the old services, I don't think it's strictly necessary. I would be fine waiting on merging 61 after this gets merged and working out the kinks there, but I wouldn't want to tag a release until the new systemd paths are being used. |
|
As of yesterday afternoon, my deployment tool was able, using the modifications to its approximation of the tutorial procedure that I have had to make to it, to deploy this PR onto both my local VMs and, using vTDS cluster running under GCP. In this comment I will summarize what I have had to do to get this to work, to help in figuring out how much divergence there is still remaining from the original tutorial. It looks like all of these are unavoidable due to the nature of the changes in the PR and probably known, but I think it is worthwhile to capture them here:
In addition to the above, I was forced when using |
Pull Request Template
Thank you for your contribution! Please ensure the following before submitting:
Checklist
make test(or equivalent) locally and all tests passgit commit -s) with my real name and email<filename>.licensesidecarLICENSES/directoryDescription
Please include a summary of the change and which issue is fixed.
Also include relevant motivation and context.
Fixes #(issue)
Type of Change
For more info, see Contributing Guidelines.