diff --git a/openchami.spec b/openchami.spec
index 0f2fb87..dbf50c3 100644
--- a/openchami.spec
+++ b/openchami.spec
@@ -33,26 +33,29 @@ mkdir -p %{buildroot}/etc/openchami/configs \
 %{buildroot}/etc/containers/systemd \
 %{buildroot}/etc/systemd/system \
 %{buildroot}/usr/bin \
+ %{buildroot}/usr/sbin \
 %{buildroot}/etc/profile.d \
 %{buildroot}/usr/libexec/openchami
-cp -r systemd/configs/* %{buildroot}/etc/openchami/configs/
-cp -r systemd/containers/* %{buildroot}/etc/containers/systemd/
-cp -r systemd/volumes/* %{buildroot}/etc/containers/systemd/
-cp -r systemd/networks/* %{buildroot}/etc/containers/systemd/
-cp -r systemd/targets/* %{buildroot}/etc/systemd/system/
-cp -r systemd/system/* %{buildroot}/etc/systemd/system/
-cp scripts/bootstrap_openchami.sh %{buildroot}/usr/libexec/openchami/
-cp scripts/openchami-certificate-update %{buildroot}/usr/bin/
-cp scripts/openchami_profile.sh %{buildroot}/etc/profile.d/openchami.sh
-cp scripts/multi-psql-db.sh %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh
-cp scripts/ohpc-nodes.sh %{buildroot}/usr/libexec/openchami/
+cp -r systemd/configs/* %{buildroot}/etc/openchami/configs/
+cp -r systemd/containers/* %{buildroot}/etc/containers/systemd/
+cp -r systemd/volumes/* %{buildroot}/etc/containers/systemd/
+cp -r systemd/networks/* %{buildroot}/etc/containers/systemd/
+cp -r systemd/targets/* %{buildroot}/etc/systemd/system/
+cp -r systemd/system/* %{buildroot}/etc/systemd/system/
+cp scripts/bootstrap_openchami.sh %{buildroot}/usr/libexec/openchami/
+cp scripts/openchami-certificate-update %{buildroot}/usr/bin/
+cp scripts/openchami_profile.sh %{buildroot}/etc/profile.d/openchami.sh
+cp scripts/multi-psql-db.sh %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh
+cp scripts/ohpc-nodes.sh %{buildroot}/usr/libexec/openchami/
+cp scripts/tokensmith_bootstrap_token %{buildroot}/usr/sbin/
 chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh
 chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh
 chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh
 chmod +x %{buildroot}/usr/bin/openchami-certificate-update
 chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh
+chmod 0700 %{buildroot}/usr/sbin/tokensmith_bootstrap_token
 chmod 600 %{buildroot}/etc/openchami/configs/openchami.env
 chmod 644 %{buildroot}/etc/openchami/configs/*
@@ -70,6 +73,7 @@ chmod 644 %{buildroot}/etc/openchami/configs/*
 /etc/profile.d/openchami.sh
 /etc/openchami/pg-init/multi-psql-db.sh
 /usr/bin/openchami-certificate-update
+/usr/sbin/tokensmith_bootstrap_token
 %pre
 if [ -f /etc/containers/systemd/coresmd.container ]; then
diff --git a/scripts/bootstrap_openchami.sh b/scripts/bootstrap_openchami.sh
index 4a854f6..5dbe170 100644
--- a/scripts/bootstrap_openchami.sh
+++ b/scripts/bootstrap_openchami.sh
@@ -46,7 +46,6 @@ acme_correction() {
 sed -i "s/^ContainerName=.*/ContainerName=${system_fqdn}/" /etc/containers/systemd/acme-register.container
 sed -i "s/^HostName=.*/HostName=${system_fqdn}/" /etc/containers/systemd/acme-register.container
 sed -i "s|-d .* \\\\|-d ${system_fqdn} \\\\|" /etc/containers/systemd/acme-register.container
- sed -i "s|--add-host='demo\.openchami\.cluster:[0-9\.]*'|--add-host='${system_fqdn}:${primary_ip}'|" /etc/containers/systemd/opaal.container
 }
 # Check and create secrets with random passwords if needed
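Review bot: Dropping the `sed` that rewrote the `--add-host='demo\.openchami\.cluster:...'` argument leaves nothing that corrects the hardcoded `PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254'` carried by the new systemd/containers/tokensmith.container, and the same removal is made in update_dns() of scripts/openchami-certificate-update. If tokensmith needs the system FQDN mapped to the host the way opaal did, acme_correction() and update_dns() should patch that unit instead, e.g. `sed -i "s|--add-host='demo\.openchami\.cluster:[0-9\.]*'|--add-host='${system_fqdn}:${primary_ip}'|" /etc/containers/systemd/tokensmith.container`; if it does not, the stale demo mapping should be removed from the unit rather than left to silently point at the wrong address on non-demo installs. The remainder of acme_correction() lies outside this hunk.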
@@ -55,32 +54,17 @@ acme_correction() {
 postgres_password=$(generate_random_password)
 create_secret_if_not_exists "postgres_password" "$postgres_password"
-# BSS Postgres Password
-bss_postgres_password=$(generate_random_password)
-create_secret_if_not_exists "bss_postgres_password" "$bss_postgres_password"
-
 # SMD Postgres Password
 smd_postgres_password=$(generate_random_password)
 create_secret_if_not_exists "smd_postgres_password" "$smd_postgres_password"
-# Hydra Postgres Password
-hydra_postgres_password=$(generate_random_password)
-create_secret_if_not_exists "hydra_postgres_password" "$hydra_postgres_password"
-
-# Hydra System Secret
-hydra_system_secret=$(generate_random_password)
-create_secret_if_not_exists "hydra_system_secret" "$hydra_system_secret"
-
-# HYDRA_DSN
-HYDRA_DSN="postgres://hydra-user:$(podman secret inspect hydra_postgres_password --showsecret | jq -r '.[0].SecretData')@postgres:5432/hydradb?sslmode=disable&max_conns=20&max_idle_conns=4"
-create_secret_if_not_exists "hydra_dsn" "$HYDRA_DSN"
 # POSTGRES_MULTIPLE_DATABASES
-POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData'),bssdb:bss-user:$(podman secret inspect bss_postgres_password --showsecret | jq -r '.[0].SecretData'),hydradb:hydra-user:$(podman secret inspect hydra_postgres_password --showsecret | jq -r '.[0].SecretData')"
+POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData')"
 create_secret_if_not_exists "postgres_multiple_databases" "$POSTGRES_MULTIPLE_DATABASES"
 # openchami.env Configuration
 generate_environment_file
 # Correct the ACME files
-acme_correction
\ No newline at end of file
+acme_correction
diff --git a/scripts/openchami-certificate-update b/scripts/openchami-certificate-update
index 06d3caa..6331bf5 100755
--- a/scripts/openchami-certificate-update
+++ b/scripts/openchami-certificate-update
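Review bot: `create_secret_if_not_exists "postgres_multiple_databases" "$POSTGRES_MULTIPLE_DATABASES"` keeps whatever value an already-bootstrapped host has, so on upgrade the secret still lists bssdb and hydradb with the bss-user/hydra-user passwords, and the `bss_postgres_password`, `hydra_postgres_password`, `hydra_system_secret` and `hydra_dsn` secrets this hunk stops creating remain on the host as orphaned credentials that no unit consumes. If a clean migration is intended, remove them here explicitly (`podman secret rm -i bss_postgres_password hydra_postgres_password hydra_system_secret hydra_dsn`) and either recreate `postgres_multiple_databases` or document that it is frozen after first install. The new `POSTGRES_MULTIPLE_DATABASES=` line also still embeds the SMD password via `podman secret inspect --showsecret | jq -r` with no status check, so a failed inspect yields `hmsds:smd-user:` and is stored silently; that predates this commit but a guard on an empty result would be cheap.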
@@ -19,7 +19,6 @@ update_dns() {
 sed -i "s/^ContainerName=.*/ContainerName=${system_fqdn}/" /etc/containers/systemd/acme-register.container
 sed -i "s/^HostName=.*/HostName=${system_fqdn}/" /etc/containers/systemd/acme-register.container
 sed -i "s|-d .* \\\\|-d ${system_fqdn} \\\\|" /etc/containers/systemd/acme-register.container
- sed -i "s|--add-host='.*|--add-host='${system_fqdn}:${primary_ip}'|" /etc/containers/systemd/opaal.container
 # Reload systemD after .container changes
 systemctl daemon-reload
diff --git a/scripts/tokensmith_bootstrap_token b/scripts/tokensmith_bootstrap_token
new file mode 100644
index 0000000..d955281
--- /dev/null
+++ b/scripts/tokensmith_bootstrap_token
@@ -0,0 +1,31 @@
+#!/bin/bash
+usage() {
+ echo "usage: $0 CLIENT"
+ echo
+ echo 'CLIENT: name of client service to generate token for'
+}
+
+CLIENT="${1}"
+SERVICE="smd"
+
+if [[ -z "$CLIENT" ]]
+then
+ echo "Empty client"
+ usage >&2
+ exit 1
+fi
+
+echo "Generating bootstrap token for service client ${CLIENT}"
+TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\
+ /usr/local/bin/tokensmith bootstrap-token create \
+ --bootstrap-store \${TOKENSMITH_RFC8693_BOOTSTRAP_STORE} \
+ --subject \${CLIENT} \
+ --audience \${SERVICE} \
+ --scopes "read" \
+ --output-format json | jq -r '.bootstrap_token'
+ ")
+
+SECRET_NAME="${CLIENT}-bootstrap-token"
+echo "Creating secret ${CLIENT}-bootstrap-token"
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm -i ${SECRET_NAME} 2>/dev/null || true
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create ${SECRET_NAME} -
\ No newline at end of file
diff --git a/systemd/configs/coredhcp.yaml b/systemd/configs/coredhcp.yaml
index 1d80964..e54af04 100644
--- a/systemd/configs/coredhcp.yaml
+++ b/systemd/configs/coredhcp.yaml
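Review bot: The value captured on the `TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec ... )` line is never checked before the existing secret is deleted and replaced: the script sets no `-e`/`pipefail`, so when the tokensmith container is not running or `jq` finds no `.bootstrap_token`, the variable is empty or the literal `null`, `podman secret rm -i` has already removed the previous token, and `podman secret create` stores the junk value, leaving the dependent service unable to authenticate until its next restart. Validate the result and only touch the secret on success; the first `printf ... | podman secret rm` also pipes the token into a command that never reads stdin and can simply be dropped. `CLIENT` comes straight from argv and is expanded unquoted in `-e CLIENT=$CLIENT` and, as `\${CLIENT}`, inside the inner `sh -c`, and it becomes both the token subject and the secret name, so restricting it to a safe character set is worthwhile even though the units pass fixed names. The inner `--scopes "read"` quotes actually close and reopen the outer double-quoted string, so the container shell sees `--scopes read`; writing that directly (or escaping the quotes) makes the intent clear.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: usage() …

CLIENT="${1:-}"
SERVICE="smd"

if [[ -z "$CLIENT" ]]; then
  echo "Empty client"
  usage >&2
  exit 1
fi
# CLIENT becomes the token subject and the secret name; keep it to a safe character set.
if [[ ! "$CLIENT" =~ ^[A-Za-z0-9._-]+$ ]]; then
  echo "Invalid client name: ${CLIENT}" >&2
  exit 1
fi

echo "Generating bootstrap token for service client ${CLIENT}"
TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE="$SERVICE" -e CLIENT="$CLIENT" tokensmith /bin/sh -c "\
  /usr/local/bin/tokensmith bootstrap-token create \
    --bootstrap-store \${TOKENSMITH_RFC8693_BOOTSTRAP_STORE} \
    --subject \"\${CLIENT}\" \
    --audience \"\${SERVICE}\" \
    --scopes read \
    --output-format json | jq -r '.bootstrap_token'
  ")

# Never replace a working secret with an empty or null token.
if [[ -z "$TOKENSMITH_BOOTSTRAP_TOKEN" || "$TOKENSMITH_BOOTSTRAP_TOKEN" == "null" ]]; then
  echo "tokensmith did not return a bootstrap token for ${CLIENT}" >&2
  exit 1
fi

SECRET_NAME="${CLIENT}-bootstrap-token"
echo "Creating secret ${SECRET_NAME}"
podman secret rm -i "${SECRET_NAME}" 2>/dev/null || true
printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create "${SECRET_NAME}" -
```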
@@ -1,18 +1,95 @@
+# Based on https://github.com/coredhcp/coredhcp/blob/master/cmds/coredhcp/config.yml.example
+# See there for more extensive CoreDHCP configuration documentation.
+
 server4:
-# You can configure the specific interfaces that you want OpenCHAMI to listen on by
-# uncommenting the lines below and setting the interface
- # listen:
- # - "%virbr-openchami"
+ # Optionally define how CoreDHCP binds to an interface or address. If unset,
+ # the server will bind to all interfaces (0.0.0.0).
+ #
+ #listen:
+ # - "%virbr-openchami"
 plugins:
-# You are able to set the IP address of the system in server_id as the place to look for a DHCP server
-# DNS is able to be set to whatever you want but it is much easier if you keep it set to the server IP
-# Router is also able to be set to whatever you network router address is
- # - server_id: 172.16.0.254
- # - dns: 172.16.0.254
- # - router: 172.16.0.254
+ # Set DHCP Server Identifier to help resolve situations when there are
+ # multiple DHCP servers on a network.
+ #- server_id: 172.16.0.254
+
+ # Advertise list of DNS resolvers to use for hosts on network.
+ #- dns: 172.16.0.254
+
+ # REQUIRED: Advertise address of default router on network.
+ #- router: 172.16.0.254
+
+ # Advertise network mask of assigned IPs on network.
 - netmask: 255.255.255.0
-# The lines below define where the system should assign ip addresses for systems that do not have
-# mac addresses stored in SMD
- # - coresmd: https://demo.openchami.cluster:8443 http://172.16.0.254:8081 /root_ca/root_ca.crt 30s 1h false
- # - bootloop: /tmp/coredhcp.db default 5m 172.16.0.200 172.16.0.250
+ #
+ # OpenCHAMI CONFIGURATION
+ #
+
+ # Assign IP addresses to devices known to OpenCHAMI based on MAC address.
+ #- coresmd: |
+ # /* Base URI for contacting SMD */
+ # svc_base_uri=https://demo.openchami.cluster:8443
+ #
+ # /* Base URI for contacting boot-service for boot scripts */
+ # ipxe_base_uri=http://172.16.0.254:8081
+ #
+ # /*
+ # * Path to root CA certificate in container to use for TLS
+ # * verification for communication with SMD
+ # */
+ # ca_cert=/root_ca/root_ca.crt
+ #
+ # /* Refresh interval for CoreSMD's component cache */
+ # cache_valid=30s
+ #
+ # /* Duration DHCP leases should be valid */
+ # lease_time=1h
+ #
+ # /* Toggle TFTP single-port mode */
+ # single_port=false
+ #
+ # /*
+ # * RICH RULES
+ # *
+ # * These are used to set DHCP options based on certain selectors.
+ # * See: https://github.com/OpenCHAMI/coresmd/blob/main/examples/coredhcp/rules.md
+ # */
+ #
+ # /* Domain to append to set hostnames (able to be overridden)
+ # domain=openchami.cluster
+ #
+ # /*
+ # * Log level for rules.
+ # *
+ # * none: do not log
+ # * info: log rule matches
+ # * debug: log rule matches and non-matches
+ # */
+ # rule_log=info
+ #
+ # /* Set hostname based on type (node or BMC, respectively) */
+ # rule=type:Node,hostname:n{02d}
+ # rule=type:NodeBMC,hostname:{id}
+
+ # Optional catch-all for extra devices. This plugin is meant to assign
+ # temporary IPs via a very short lease to devices not tracked in SMD, e.g.
+ # for BMCs to be discoverable via Redfish so they _can_ be added to SMD.
+ # Non-BMC devices are served an iPXE script that instructs them to reboot
+ # (by default, this is customizable, hence the name 'bootloop') so that
+ # they will constantly try to get a new lease. The idea is that once they
+ # are added to SMD, CoreSMD above will catch it.
+ #- bootloop: |
+ # /* Where to store leases (sqlite)
+ # lease_file=/tmp/coredhcp.db
+ #
+ # /* iPXE script to use ('default' reboots)
+ # script_path=default
+ #
+ # /* Duration of short-lived lease */
+ # lease_time=5m
+ #
+ # /* Beginning IP of assignable IPv4 addresses */
+ # ipv4_start=172.16.0.200
+ #
+ # /* Ending IP of assignable IPv4 addresses */
+ # ipv4_end=172.16.0.250
diff --git a/systemd/configs/haproxy.cfg b/systemd/configs/haproxy.cfg
index a1b683e..df9a21c 100644
--- a/systemd/configs/haproxy.cfg
+++ b/systemd/configs/haproxy.cfg
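Review bot: Three block comments in the commented-out coresmd and bootloop examples are never closed: `# /* Domain to append to set hostnames (able to be overridden)`, `# /* Where to store leases (sqlite)` and `# /* iPXE script to use ('default' reboots)`. Every other entry in the same blocks is written `/* ... */`, so if the rules parser honours C-style block comments, anyone who uncomments the example verbatim will have `domain=openchami.cluster`, `lease_file=/tmp/coredhcp.db` and `script_path=default` swallowed into the preceding comment and silently ignored. Closing them (`# /* Domain to append to set hostnames (able to be overridden) */`, and likewise for the two bootloop lines) keeps the example copy-pasteable.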
@@ -23,50 +23,32 @@ frontend openchami
 bind :443 ssl crt /etc/haproxy/certs/ strict-sni
 option forwardfor
- acl PATH_smd path_beg -i /hsm/v2
+ acl PATH_smd path_beg -i /hsm/v2
+ acl PATH_configurator path_beg -i /configurator /generate
+ acl PATH_boot-service path_beg -i /boot-service/
+ acl PATH_metadata-service path_beg -i /metadata-service/
+ acl PATH_tokensmith path_beg -i /tokensmith/
- acl PATH_bss path_beg -i /boot/v1
- acl PATH_bss path_beg -i /apis/bss/
-
- acl PATH_opaal path_beg -i /token
- acl PATH_opaal path_beg -i /login
- acl PATH_opaal path_beg -i /oidc/callback
-
- acl PATH_opaal-idp path_beg -i /.well-known/openid-configuration
- acl PATH_opaal-idp path_beg -i /.well-known/jwks.json
- acl PATH_opaal-idp path_beg -i /browser/login
- acl PATH_opaal-idp path_beg -i /api/login
- acl PATH_opaal-idp path_beg -i /oauth2/authorize
- acl PATH_opaal-idp path_beg -i /oauth2/token
-
- acl PATH_cloud-init path_beg -i /cloud-init
-
- acl PATH_configurator path_beg -i /generate
- acl PATH_configurator path_beg -i /configurator
-
- use_backend opaal if PATH_opaal
- use_backend opaal-idp if PATH_opaal-idp
 use_backend smd if PATH_smd
- use_backend bss if PATH_bss
- use_backend cloud-init if PATH_cloud-init
 use_backend configurator if PATH_configurator
-
-backend opaal
- server opaal opaal:3333
-
-backend opaal-idp
- server opaal-idp opaal-idp:3332
+ use_backend boot-service if PATH_boot-service
+ use_backend metadata-service if PATH_metadata-service
+ use_backend tokensmith if PATH_tokensmith
 backend smd
 server smd smd:27779
-backend bss
- server bss bss:27778
- http-request replace-path ^/apis/bss/(.*) /\1
-
-backend cloud-init
- server cloud-init-server cloud-init-server:27777
- http-request replace-path ^/cloud-init(/.*) \1
-
 backend configurator
 server configurator configurator:3334 init-addr none
+
+backend boot-service
+ http-request set-path %[path,regsub(^/boot-service/,/)]
+ server boot-service boot-service:8081
+
+backend metadata-service
+ http-request set-path %[path,regsub(^/metadata-service/,/)]
+ server metadata-service metadata-service:8080
+
+backend tokensmith
+ http-request set-path %[path,regsub(^/tokensmith/,/)]
+ server tokensmith tokensmith:8080
diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env
index efbe4ea..017ced9 100644
--- a/systemd/configs/openchami.env
+++ b/systemd/configs/openchami.env
@@ -14,27 +14,29 @@ URLS_LOGOUT=https://${SYSTEM_URL}/logout
 # Environemnt Variables
 POSTGRES_USER=ochami
-# Environemnt Variables
-BSS_USESQL=true
-BSS_INSECURE=true
-BSS_DEBUG=true
-BSS_DBHOST=postgres
-BSS_DBPORT=5432
-BSS_DBNAME=bssdb
-BSS_DBUSER=bss-user
-BSS_JWKS_URL=http://opaal:3333/keys
-BSS_OAUTH2_ADMIN_BASE_URL=http://opaal:3333
-BSS_OAUTH2_PUBLIC_BASE_URL=http://opaal:3333
-BSS_IPXE_SERVER=${SYSTEM_URL}
-BSS_CHAIN_PROTO=https
-
 # Environemnt Variables
 SMD_DBHOST=postgres
 SMD_DBPORT=5432
 SMD_DBNAME=hmsds
 SMD_DBUSER=smd-user
 SMD_DBOPTS=sslmode=disable
-SMD_JWKS_URL=http://opaal:3333/keys
+SMD_JWKS_URL=http://tokensmith:8080/.well-known/jwks.json
+SMD_AUTH_BACKEND=tokensmith
+SMD_AUTH_ISSUER=https://tokensmith.openchami.dev
+SMD_AUTH_AUDIENCES=smd
+
+# Environemnt Variables
+TOKENSMITH_ISSUER=https://tokensmith.openchami.dev
+TOKENSMITH_CLUSTER_ID=demo-cluster
+TOKENSMITH_OPENCHAMI_ID=demo-openchami
+TOKENSMITH_CONFIG=/etc/tokensmith/config.json
+TOKENSMITH_KEY_DIR=/tokensmith/data/keys
+TOKENSMITH_RFC8693_BOOTSTRAP_STORE=/tokensmith/data/bootstrap
+TOKENSMITH_RFC8693_REFRESH_STORE=/tokensmith/data/refresh
+#TOKENSMITH_OIDC_PROVIDER should point to an actual OIDC provider if you intend to use a real provider
+#The default is http://hydra:4444 so leaving it here for visibility
+TOKENSMITH_OIDC_PROVIDER=http://hydra:4444
+TOKENSMITH_PORT=8080
 # Environemnt Variables
 STEPPATH=/home/step
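Review bot: `acl PATH_tokensmith path_beg -i /tokensmith/` together with `http-request set-path %[path,regsub(^/tokensmith/,/)]` forwards every route under that prefix from the public `:443` frontend straight to the token issuer, and systemd/containers/tokensmith.container starts it with `--enable-local-user-mint`. The opaal-idp ACLs this hunk removes enumerated the specific externally needed endpoints, whereas the new catch-all exposes whatever tokensmith serves on port 8080, including any minting or administrative routes, unless tokensmith authenticates them itself — the diff does not show that it does. Consider enumerating the paths clients genuinely need through the proxy (the JWKS document and the token-exchange route) in place of the prefix match, or adding an `http-request deny` for everything else under `/tokensmith/`, and leaving a comment stating which tokensmith routes are intentionally public.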
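Review bot: `TOKENSMITH_OIDC_PROVIDER=http://hydra:4444` points at a service this same commit deletes (systemd/containers/hydra.container, hydra-migrate and hydra-gen-jwks are all removed), so on the new side it is a dangling hostname on the internal network. The comment above says it is left "for visibility", but if tokensmith contacts the provider at startup or on any OIDC flow, the failure will surface as a name-resolution error rather than a clear "no provider configured" message; the comment should say so explicitly, e.g. `#No OIDC provider ships with this package: set TOKENSMITH_OIDC_PROVIDER to a real issuer before enabling any OIDC-based login`. `SMD_AUTH_ISSUER` and `TOKENSMITH_ISSUER` must also stay identical but live in different sections; a one-line comment on either (`# must match TOKENSMITH_ISSUER below`) would prevent them drifting apart.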
@@ -46,13 +48,6 @@ DOCKER_STEPCA_INIT_PROVISIONER_NAME="Admin"
 DOCKER_STEPCA_INIT_PROVISIONER_PASSWORD="provisionerpassword"
 # Environemnt Variables
-OPAAL_URL=http://opaal:3333
+SMD_URL=http://smd:27779
 HSM_URL=http://smd:27779
 ANSIBLE_HOST_KEY_CHECKING=False
-
-# Environemnt Variables for cloud-init
-LISTEN=:27777
-SMD_URL=http://smd:27779
-OPAAL_URL=http://opaal:3333
-JWKS_URL=http://opaal:3333/keys
-IMPERSONATION=true
diff --git a/systemd/configs/tokensmith.json b/systemd/configs/tokensmith.json
new file mode 100644
index 0000000..09d4ed4
--- /dev/null
+++ b/systemd/configs/tokensmith.json
@@ -0,0 +1,19 @@
+{
+ "groupScopes": {
+ "admin": [
+ "admin",
+ "write",
+ "read"
+ ],
+ "operator": [
+ "write",
+ "read"
+ ],
+ "user": [
+ "read"
+ ],
+ "viewer": [
+ "read"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container
new file mode 100644
index 0000000..3c88578
--- /dev/null
+++ b/systemd/containers/boot-service.container
@@ -0,0 +1,32 @@
+[Unit]
+Description=The boot-service container
+PartOf=openchami.target
+
+# Ensure dependent services have started
+Wants=smd.service
+After=smd.service
+
+[Container]
+ContainerName=boot-service
+HostName=boot-service
+Image=ghcr.io/openchami/boot-service:v0.1.5
+
+# Environment Variables
+EnvironmentFile=/etc/openchami/configs/openchami.env
+
+#Volume=/etc/openchami/configs/boot-service.yaml:/etc/boot-service/config.yaml:ro,Z
+
+# Secrets
+Secret=boot-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN
+
+# Networks for the Container to use
+Network=openchami-internal.network
+
+# Proxy settings
+PodmanArgs=--http-proxy=false
+
+Exec=serve --enable-legacy-api=false --enable-auth=true --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd --port 8081
+
+[Service]
+ExecStartPre=/usr/sbin/tokensmith_bootstrap_token boot-service
+Restart=always
\ No newline at end of file
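Review bot: `ExecStartPre=/usr/sbin/tokensmith_bootstrap_token boot-service` execs into the tokensmith container before this one starts, yet the `[Unit]` section only declares `Wants=smd.service` and `After=smd.service`; nothing orders the unit after tokensmith.service, so at boot the ExecStartPre can run before the tokensmith container exists, fail, and with `Restart=always` the unit will loop until tokensmith happens to come up. Add `Wants=tokensmith.service` and `After=tokensmith.service` under `# Ensure dependent services have started`; systemd/containers/metadata-service.container has the same gap. Because `Secret=boot-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN` is resolved when podman creates the container, that ordering is what guarantees the secret exists on first start, which is worth stating in a comment next to the ExecStartPre line.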
diff --git a/systemd/containers/bss-init.container b/systemd/containers/bss-init.container
deleted file mode 100644
index 4bebd0c..0000000
--- a/systemd/containers/bss-init.container
+++ /dev/null
@@ -1,28 +0,0 @@
-[Unit]
-Description=The bss-init container
-Wants=smd.service
-Requires=postgres.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=bss-init
-HostName=bss-init
-Image=ghcr.io/openchami/bss:v1.32.2
-
-# Environment Variables
-EnvironmentFile=/etc/openchami/configs/openchami.env
-
-# Secrets
-Secret=bss_postgres_password,type=env,target=BSS_DBPASS
-
-# Networks for the Container to use
-Network=openchami-internal.network
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-PodmanArgs=--entrypoint='["/bin/sh","-c","/usr/local/bin/bss-init "]'
-
-[Service]
-Restart=on-failure
-Type=oneshot
-RemainAfterExit=yes
diff --git a/systemd/containers/bss.container b/systemd/containers/bss.container
deleted file mode 100644
index 044d69c..0000000
--- a/systemd/containers/bss.container
+++ /dev/null
@@ -1,36 +0,0 @@
-[Unit]
-Description=The bss container
-PartOf=openchami.target
-
-# Ensure the init job has started (and if it fails, BSS will fail):
-Requires=bss-init.service
-After=bss-init.service
-
-# Ensure SMD has started already
-Wants=smd.service
-After=smd.service
-
-# Hydraledger JWKS must be generated first:
-Wants=hydra-gen-jwks.service
-After=hydra-gen-jwks.service
-
-
-[Container]
-ContainerName=bss
-HostName=bss
-Image=ghcr.io/openchami/bss:v1.32.2
-
-# Environment Variables
-EnvironmentFile=/etc/openchami/configs/openchami.env
-
-# Secrets
-Secret=bss_postgres_password,type=env,target=BSS_DBPASS
-
-# Networks for the Container to use
-Network=openchami-internal.network
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
diff --git a/systemd/containers/cloud-init-server.container b/systemd/containers/cloud-init-server.container
deleted file mode 100644
index fd914df..0000000
--- a/systemd/containers/cloud-init-server.container
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=The cloud-init-server container
-Wants=smd.service
-After=smd.service opaal.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=cloud-init-server
-HostName=cloud-init
-Image=ghcr.io/openchami/cloud-init:v1.3.0
-
-Volume=cloud-init-data:/cloud-init:rw,Z
-
-# Environment Variables
-EnvironmentFile=/etc/openchami/configs/openchami.env
-
-# Networks for the Container to use
-Network=openchami-internal.network
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
diff --git a/systemd/containers/coresmd-coredhcp.container b/systemd/containers/coresmd-coredhcp.container
index 9030c90..48f0848 100644
--- a/systemd/containers/coresmd-coredhcp.container
+++ b/systemd/containers/coresmd-coredhcp.container
@@ -1,14 +1,14 @@
 [Unit]
 Description=The CoreSMD CoreDHCP container
-Wants=haproxy.service
-After=haproxy.service
+Wants=tokensmith.service smd.service
+After=tokensmith.service smd.service
 PartOf=openchami.target
 [Container]
 ContainerName=coresmd-coredhcp
 HostName=coresmd-coredhcp
-Image=ghcr.io/openchami/coresmd:v0.4.3
+Image=ghcr.io/openchami/coresmd:v0.6.1
 # Capabilities
 AddCapability=NET_ADMIN
diff --git a/systemd/containers/coresmd-coredns.container b/systemd/containers/coresmd-coredns.container
index 817479d..0b0b6d6 100644
--- a/systemd/containers/coresmd-coredns.container
+++ b/systemd/containers/coresmd-coredns.container
@@ -8,7 +8,7 @@ PartOf=openchami.target
 ContainerName=coresmd-coredns
 HostName=coresmd-coredns
-Image=ghcr.io/openchami/coresmd:v0.4.3
+Image=ghcr.io/openchami/coresmd:v0.6.1
 Exec=/coredns
diff --git a/systemd/containers/haproxy.container b/systemd/containers/haproxy.container
index ac1c0f0..0c91ded 100644
--- a/systemd/containers/haproxy.container
+++ b/systemd/containers/haproxy.container
@@ -1,7 +1,7 @@
 [Unit]
 Description=The haproxy container
-Wants=bss.service cloud-init-server.service smd.service acme-deploy.service
-After=openchami-external-network.service opaal.service smd.service bss.service acme-deploy.service cloud-init-server.service
+Wants=boot-service.service metadata-service.service smd.service acme-deploy.service
+After=openchami-external-network.service smd.service boot-service.service acme-deploy.service metadata-service.service
 Requires=openchami-external-network.service acme-deploy.service
 PartOf=openchami.target
diff --git a/systemd/containers/hydra-gen-jwks.container b/systemd/containers/hydra-gen-jwks.container
deleted file mode 100644
index e643bb5..0000000
--- a/systemd/containers/hydra-gen-jwks.container
+++ /dev/null
@@ -1,26 +0,0 @@
-[Unit]
-Description=The hydra-gen-jwks container
-Wants=hydra.service
-After=hydra.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=hydra-gen-jwks
-HostName=hydra-gen-jwks
-Image=cgr.dev/chainguard/curl:latest
-
-# Command to run in container
-Exec=--retry 10 --retry-delay 5 --retry-all-errors --verbose http://hydra:4444/.well-known/jwks.json
-
-# Networks for the Container to use
-Network=openchami-jwt-internal.network
-
-
-# Unsupported by generator options
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=on-failure
-Type=oneshot
-RemainAfterExit=yes
diff --git a/systemd/containers/hydra-migrate.container b/systemd/containers/hydra-migrate.container
deleted file mode 100644
index 9829126..0000000
--- a/systemd/containers/hydra-migrate.container
+++ /dev/null
@@ -1,32 +0,0 @@
-[Unit]
-Description=The hydra-migrate container
-Requires=postgres.service
-After=postgres.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=hydra-migrate
-HostName=hydra-migrate
-Image=docker.io/oryd/hydra:v2.3
-
-# Volumes
-Volume=/etc/openchami/configs/:/etc/config/hydra:Z
-
-# Secrets
-Secret=hydra_system_secret,type=env,target=SECRETS_SYSTEM
-Secret=hydra_postgres_password,type=env,target=HYDRA_POSTGRES_PASSWORD
-Secret=hydra_dsn,type=env,target=DSN
-
-# Command to run in container
-Exec=migrate -c /etc/config/hydra/hydra.yml sql -e --yes
-
-# Networks for the Container to use
-Network=openchami-internal.network
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=on-failure
-Type=oneshot
-RemainAfterExit=yes
diff --git a/systemd/containers/hydra.container b/systemd/containers/hydra.container
deleted file mode 100644
index 4cd6461..0000000
--- a/systemd/containers/hydra.container
+++ /dev/null
@@ -1,40 +0,0 @@
-[Unit]
-Description=The hydra container
-PartOf=openchami.target
-
-# 1) Don’t start until hydra-migrate has successfully started:
-Requires=hydra-migrate.service
-After=hydra-migrate.service
-
-# 2) Also require Step-CA to be running first:
-Wants=step-ca.service
-After=step-ca.service
-
-
-[Container]
-ContainerName=hydra
-HostName=hydra
-Image=docker.io/oryd/hydra:v2.3
-
-# Volumes
-Volume=/etc/openchami/configs/:/etc/config/hydra:Z
-
-# Environment Variables
-EnvironmentFile=/etc/openchami/configs/openchami.env
-
-# Secrets
-Secret=hydra_system_secret,type=env,target=SECRETS_SYSTEM
-Secret=hydra_dsn,type=env,target=DSN
-
-# Command to run in container
-Exec=serve -c /etc/config/hydra/hydra.yml all --sqa-opt-out
-
-# Networks for the Container to use
-Network=openchami-jwt-internal.network
-
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container
new file mode 100644
index 0000000..39644a5
--- /dev/null
+++ b/systemd/containers/metadata-service.container
@@ -0,0 +1,33 @@
+[Unit]
+Description=The metadata-service container
+# Depends on SMD
+Wants=smd.service
+After=smd.service
+PartOf=openchami.target
+
+[Container]
+ContainerName=metadata-service
+HostName=metadata-service
+Image=ghcr.io/openchami/metadata-service:v0.1.0
+
+Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN
+
+# Environment Variables
+EnvironmentFile=/etc/openchami/configs/openchami.env
+
+# Secrets
+Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN
+
+Volume=metadata-data.volume:/data
+
+Exec=serve
+
+# Networks for the Container to use
+Network=openchami-internal.network
+
+# Proxy settings
+PodmanArgs=--http-proxy=false
+
+[Service]
+ExecStartPre=/usr/sbin/tokensmith_bootstrap_token metadata-service
+Restart=always
\ No newline at end of file
diff --git a/systemd/containers/opaal-idp.container b/systemd/containers/opaal-idp.container
deleted file mode 100644
index cccba39..0000000
--- a/systemd/containers/opaal-idp.container
+++ /dev/null
@@ -1,26 +0,0 @@
-[Unit]
-Description=The opaal-idp container
-Wants=hydra-gen-jwks.service
-After=hydra-gen-jwks.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=opaal-idp
-HostName=opaal-idp
-Image=ghcr.io/openchami/opaal:v0.3.12
-
-# Volumes
-Volume=/etc/openchami/configs:/opaal/config/:Z
-
-# Command to run in container
-Exec=/opaal/opaal serve --config /opaal/config/opaal.yaml
-
-EnvironmentFile=/etc/openchami/configs/openchami.env
-# Networks for the Container to use
-Network=openchami-jwt-internal
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
diff --git a/systemd/containers/opaal.container b/systemd/containers/opaal.container
deleted file mode 100644
index 700b72c..0000000
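Review bot: `Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN` appears twice in the `[Container]` section, once directly under `Image=` and again under `# Secrets`; quadlet will emit the `--secret` option twice for the same source and target, which podman may reject or silently collapse depending on version, so keep only the copy under `# Secrets`. The missing `Wants=`/`After=tokensmith.service` ordering for the `ExecStartPre=/usr/sbin/tokensmith_bootstrap_token metadata-service` line is raised on boot-service.container and applies here as well.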
--- a/systemd/containers/opaal.container
+++ /dev/null
@@ -1,33 +0,0 @@
-[Unit]
-Description=The opaal container
-PartOf=openchami.target
-
-# Don’t start until the ID-P is running:
-Wants=opaal-idp.service
-After=opaal-idp.service
-
-[Container]
-ContainerName=opaal
-HostName=opaal
-Image=ghcr.io/openchami/opaal:v0.3.12
-
-
-# Volumes
-Volume=/etc/openchami/configs:/opaal/config/:Z
-
-# Command to run in container
-Exec=/opaal/opaal login --config /opaal/config/opaal.yaml
-
-# Networks for the Container to use
-Network=openchami-internal.network
-Network=openchami-jwt-internal.network
-
-# Extra hosts
-PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254'
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
-# Run commands after container starts
-ExecStartPost=sleep 10s
diff --git a/systemd/containers/postgres.container b/systemd/containers/postgres.container
index 9cc50db..fdcfe44 100644
--- a/systemd/containers/postgres.container
+++ b/systemd/containers/postgres.container
@@ -18,9 +18,7 @@ EnvironmentFile=/etc/openchami/configs/openchami.env
 # Secrets
 Secret=postgres_password,type=env,target=POSTGRES_PASSWORD
-Secret=bss_postgres_password,type=env,target=BSS_POSTGRES_PASSWORD
 Secret=smd_postgres_password,type=env,target=SMD_POSTGRES_PASSWORD
-Secret=hydra_postgres_password,type=env,target=HYDRA_POSTGRES_PASSWORD
 Secret=postgres_multiple_databases,type=env,target=POSTGRES_MULTIPLE_DATABASES
diff --git a/systemd/containers/smd-init.container b/systemd/containers/smd-init.container
index e5e26fc..027bccc 100644
--- a/systemd/containers/smd-init.container
+++ b/systemd/containers/smd-init.container
@@ -7,7 +7,8 @@ PartOf=openchami.target
 [Container]
 ContainerName=smd-init
 HostName=smd-init
-Image=ghcr.io/openchami/smd:v2.19.3
+Image=ghcr.io/openchami/smd:v2.20.3
+
 # Environemnt Variables
 Environment=SMD_DBHOST=postgres
diff --git a/systemd/containers/smd.container b/systemd/containers/smd.container
index 7e73cba..48e8c12 100644
--- a/systemd/containers/smd.container
+++ b/systemd/containers/smd.container
@@ -4,16 +4,13 @@ PartOf=openchami.target
 # Don’t start until its init has run (and propagate failures):
 Requires=smd-init.service
-After=smd-init.service
-
-# Don’t start until JWKS is ready:
-Wants=hydra-gen-jwks.service
-After=hydra-gen-jwks.service
+After=smd-init.service tokensmith.service
+Wants=smd-init.service tokensmith.service
 [Container]
 ContainerName=smd
 HostName=smd
-Image=ghcr.io/openchami/smd:v2.19.3
+Image=ghcr.io/openchami/smd:v2.20.3
 # Environment Variables
 EnvironmentFile=/etc/openchami/configs/openchami.env
diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container
new file mode 100644
index 0000000..ee18464
--- /dev/null
+++ b/systemd/containers/tokensmith.container
@@ -0,0 +1,28 @@
+[Unit]
+Description=The tokensmith container
+PartOf=openchami.target
+
+[Container]
+ContainerName=tokensmith
+HostName=tokensmith
+Image=ghcr.io/openchami/tokensmith:v0.4.1
+#Image=tokensmith:test
+EnvironmentFile=/etc/openchami/configs/openchami.env
+
+Exec=--enable-local-user-mint
+
+# Volumes
+Volume=/etc/openchami/configs/tokensmith.json:/etc/tokensmith/config.json:Z
+Volume=tokensmith-data:/tokensmith/data:Z,U
+
+# Networks for the Container to use
+Network=openchami-internal.network
+Network=openchami-jwt-internal.network
+
+# Extra hosts
+PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254'
+# Proxy settings
+PodmanArgs=--http-proxy=false
+
+[Service]
+Restart=always
\ No newline at end of file
diff --git a/systemd/targets/openchami.target b/systemd/targets/openchami.target
index 200ad60..b904c1a 100644
--- a/systemd/targets/openchami.target
+++ b/systemd/targets/openchami.target
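Review bot: `Volume=tokensmith-data:/tokensmith/data:Z,U` names the volume by its plain podman name instead of referencing the `tokensmith.volume` quadlet unit added in the same commit (compare `Volume=metadata-data.volume:/data` in metadata-service.container), so systemd does not order this container after the generated volume service; podman will still auto-create a volume called tokensmith-data, but the `.volume` unit is then effectively unused. Since this mount holds the signing keys (`TOKENSMITH_KEY_DIR=/tokensmith/data/keys`) and the RFC 8693 bootstrap and refresh stores, use `Volume=tokensmith.volume:/tokensmith/data:Z,U` so the lifecycle is explicit. The leftover `#Image=tokensmith:test` line should be removed before merging, and the hardcoded `PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254'` is raised on the bootstrap_openchami.sh hunk.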
@@ -1,5 +1,4 @@
 [Unit]
 Description=Group of OpenCHAMI-related services
-Requires=bss.service smd.service opaal.service cloud-init-server.service coresmd-coredhcp.service step-ca.service haproxy.service
-Wants=coresmd-coredns.service
-After=bss-init.service smd-init.service postgres.service coresmd-coredns.service
+Wants=coresmd-coredns.service boot-service.service smd.service tokensmith.service metadata-service.service coresmd-coredhcp.service step-ca.service haproxy.service
+After=smd-init.service postgres.service coresmd-coredns.service
diff --git a/systemd/volumes/cloud-init-data.volume b/systemd/volumes/cloud-init-data.volume
deleted file mode 100644
index 6ad7204..0000000
--- a/systemd/volumes/cloud-init-data.volume
+++ /dev/null
@@ -1,5 +0,0 @@
-[Unit]
-Description=cloud-init-server Data Volume
-
-[Volume]
-VolumeName=cloud-init-data
diff --git a/systemd/volumes/metadata-data.volume b/systemd/volumes/metadata-data.volume
new file mode 100644
index 0000000..f4003ba
--- /dev/null
+++ b/systemd/volumes/metadata-data.volume
@@ -0,0 +1,5 @@
+[Unit]
+Description=metadata-service Data Volume
+
+[Volume]
+VolumeName=metadata-service-data
diff --git a/systemd/volumes/tokensmith.volume b/systemd/volumes/tokensmith.volume
new file mode 100644
index 0000000..e6fcde5
--- /dev/null
+++ b/systemd/volumes/tokensmith.volume
@@ -0,0 +1,5 @@
+[Unit]
+Description=tokensmith Volume
+
+[Volume]
+VolumeName=tokensmith-data
\ No newline at end of file
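Review bot: Replacing `Requires=` with a single `Wants=` line changes the target's failure semantics: smd.service, haproxy.service, tokensmith.service and the rest are now optional, so `systemctl start openchami.target` reports success even if the token issuer or the proxy failed to start, and monitoring that keys off the target state will not notice. If that downgrade is deliberate it deserves a comment on the line; otherwise keep the core services (at least smd, tokensmith and haproxy) under `Requires=` and list only the best-effort ones under `Wants=`. The new `After=` also omits tokensmith.service, so only the per-unit `After=` entries in smd.container and coresmd-coredhcp.container provide any ordering against it.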