Update release with new fabrica-based services; remove old services

openchami.spec

@@ -33,26 +33,29 @@ mkdir -p %{buildroot}/etc/openchami/configs \
          %{buildroot}/etc/containers/systemd \
          %{buildroot}/etc/systemd/system \
          %{buildroot}/usr/bin \
+         %{buildroot}/usr/sbin \
          %{buildroot}/etc/profile.d \
          %{buildroot}/usr/libexec/openchami
 
-cp -r systemd/configs/*                 %{buildroot}/etc/openchami/configs/
-cp -r systemd/containers/*              %{buildroot}/etc/containers/systemd/
-cp -r systemd/volumes/*                 %{buildroot}/etc/containers/systemd/
-cp -r systemd/networks/*                %{buildroot}/etc/containers/systemd/
-cp -r systemd/targets/*                 %{buildroot}/etc/systemd/system/
-cp -r systemd/system/*                  %{buildroot}/etc/systemd/system/
-cp scripts/bootstrap_openchami.sh       %{buildroot}/usr/libexec/openchami/
-cp scripts/openchami-certificate-update %{buildroot}/usr/bin/
-cp scripts/openchami_profile.sh         %{buildroot}/etc/profile.d/openchami.sh
-cp scripts/multi-psql-db.sh             %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh
-cp scripts/ohpc-nodes.sh          %{buildroot}/usr/libexec/openchami/
+cp -r systemd/configs/*                     %{buildroot}/etc/openchami/configs/
+cp -r systemd/containers/*                  %{buildroot}/etc/containers/systemd/
+cp -r systemd/volumes/*                     %{buildroot}/etc/containers/systemd/
+cp -r systemd/networks/*                    %{buildroot}/etc/containers/systemd/
+cp -r systemd/targets/*                     %{buildroot}/etc/systemd/system/
+cp -r systemd/system/*                      %{buildroot}/etc/systemd/system/
+cp scripts/bootstrap_openchami.sh           %{buildroot}/usr/libexec/openchami/
+cp scripts/openchami-certificate-update     %{buildroot}/usr/bin/
+cp scripts/openchami_profile.sh             %{buildroot}/etc/profile.d/openchami.sh
+cp scripts/multi-psql-db.sh                 %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh
+cp scripts/ohpc-nodes.sh                    %{buildroot}/usr/libexec/openchami/
+cp scripts/tokensmith_bootstrap_token       %{buildroot}/usr/sbin/
 
 chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh
 chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh
 chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh
 chmod +x %{buildroot}/usr/bin/openchami-certificate-update
 chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh
+chmod 0700 %{buildroot}/usr/sbin/tokensmith_bootstrap_token
 
 chmod 600 %{buildroot}/etc/openchami/configs/openchami.env
 chmod 644 %{buildroot}/etc/openchami/configs/*
@@ -70,6 +73,7 @@ chmod 644 %{buildroot}/etc/openchami/configs/*
 /etc/profile.d/openchami.sh
 /etc/openchami/pg-init/multi-psql-db.sh
 /usr/bin/openchami-certificate-update
+/usr/sbin/tokensmith_bootstrap_token
 
 %pre
 if [ -f /etc/containers/systemd/coresmd.container ]; then

scripts/bootstrap_openchami.sh

@@ -46,7 +46,6 @@ acme_correction() {
   sed -i "s/^ContainerName=.*/ContainerName=${system_fqdn}/" /etc/containers/systemd/acme-register.container
   sed -i "s/^HostName=.*/HostName=${system_fqdn}/" /etc/containers/systemd/acme-register.container
   sed -i "s|-d .* \\\\|-d ${system_fqdn} \\\\|" /etc/containers/systemd/acme-register.container
-  sed -i "s|--add-host='demo\.openchami\.cluster:[0-9\.]*'|--add-host='${system_fqdn}:${primary_ip}'|" /etc/containers/systemd/opaal.container
 }
 
 # Check and create secrets with random passwords if needed
@@ -55,32 +54,17 @@ acme_correction() {
 postgres_password=$(generate_random_password)
 create_secret_if_not_exists "postgres_password" "$postgres_password"
 
-# BSS Postgres Password
-bss_postgres_password=$(generate_random_password)
-create_secret_if_not_exists "bss_postgres_password" "$bss_postgres_password"
-
 # SMD Postgres Password
 smd_postgres_password=$(generate_random_password)
 create_secret_if_not_exists "smd_postgres_password" "$smd_postgres_password"
 
-# Hydra Postgres Password
-hydra_postgres_password=$(generate_random_password)
-create_secret_if_not_exists "hydra_postgres_password" "$hydra_postgres_password"
-
-# Hydra System Secret
-hydra_system_secret=$(generate_random_password)
-create_secret_if_not_exists "hydra_system_secret" "$hydra_system_secret"
-
-# HYDRA_DSN
-HYDRA_DSN="postgres://hydra-user:$(podman secret inspect hydra_postgres_password --showsecret | jq -r '.[0].SecretData')@postgres:5432/hydradb?sslmode=disable&max_conns=20&max_idle_conns=4"
-create_secret_if_not_exists "hydra_dsn" "$HYDRA_DSN"
 
 # POSTGRES_MULTIPLE_DATABASES
-POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData'),bssdb:bss-user:$(podman secret inspect bss_postgres_password --showsecret | jq -r '.[0].SecretData'),hydradb:hydra-user:$(podman secret inspect hydra_postgres_password --showsecret | jq -r '.[0].SecretData')"
+POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData')"
 create_secret_if_not_exists "postgres_multiple_databases" "$POSTGRES_MULTIPLE_DATABASES"
 
 # openchami.env Configuration
 generate_environment_file
 
 # Correct the ACME files
-acme_correction
+acme_correction

scripts/openchami-certificate-update

@@ -19,7 +19,6 @@ update_dns() {
     sed -i "s/^ContainerName=.*/ContainerName=${system_fqdn}/" /etc/containers/systemd/acme-register.container
     sed -i "s/^HostName=.*/HostName=${system_fqdn}/" /etc/containers/systemd/acme-register.container
     sed -i "s|-d .* \\\\|-d ${system_fqdn} \\\\|" /etc/containers/systemd/acme-register.container
-    sed -i "s|--add-host='.*|--add-host='${system_fqdn}:${primary_ip}'|" /etc/containers/systemd/opaal.container
 
     # Reload systemD after .container changes
     systemctl daemon-reload

scripts/tokensmith_bootstrap_token

@@ -0,0 +1,31 @@
+#!/bin/bash
+usage() {
+  echo "usage: $0 CLIENT"
+  echo
+  echo 'CLIENT: name of client service to generate token for'
+}
+
+CLIENT="${1}"
+SERVICE="smd"
+
+if [[ -z "$CLIENT" ]]
+then
+	echo "Empty client"
+    usage >&2
+	exit 1
+fi
+
+echo "Generating bootstrap token for service client ${CLIENT}"
+TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\
+                        /usr/local/bin/tokensmith bootstrap-token create \
+                        --bootstrap-store \${TOKENSMITH_RFC8693_BOOTSTRAP_STORE} \
+                        --subject \${CLIENT} \
+                        --audience \${SERVICE} \
+                        --scopes "read" \
+                        --output-format json | jq -r '.bootstrap_token'
+                        ")
+
+SECRET_NAME="${CLIENT}-bootstrap-token"
+echo "Creating secret ${CLIENT}-bootstrap-token"
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm -i ${SECRET_NAME} 2>/dev/null || true
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create ${SECRET_NAME} -

systemd/configs/coredhcp.yaml

@@ -1,18 +1,95 @@
+# Based on https://github.com/coredhcp/coredhcp/blob/master/cmds/coredhcp/config.yml.example
+# See there for more extensive CoreDHCP configuration documentation.
+
 server4:
-# You can configure the specific interfaces that you want OpenCHAMI to listen on by 
-# uncommenting the lines below and setting the interface
-  # listen:
-  #   - "%virbr-openchami"
+  # Optionally define how CoreDHCP binds to an interface or address. If unset,
+  # the server will bind to all interfaces (0.0.0.0).
+  #
+  #listen:
+  #  - "%virbr-openchami"
   plugins:
-# You are able to set the IP address of the system in server_id as the place to look for a DHCP server
-# DNS is able to be set to whatever you want but it is much easier if you keep it set to the server IP
-# Router is also able to be set to whatever you network router address is 
-    # - server_id: 172.16.0.254
-    # - dns: 172.16.0.254
-    # - router: 172.16.0.254
+    # Set DHCP Server Identifier to help resolve situations when there are
+    # multiple DHCP servers on a network.
+    #- server_id: 172.16.0.254
+
+    # Advertise list of DNS resolvers to use for hosts on network.
+    #- dns: 172.16.0.254
+
+    # REQUIRED: Advertise address of default router on network.
+    #- router: 172.16.0.254
+
+    # Advertise network mask of assigned IPs on network.
     - netmask: 255.255.255.0
-# The lines below define where the system should assign ip addresses for systems that do not have
-# mac addresses stored in SMD
-    # - coresmd: https://demo.openchami.cluster:8443 http://172.16.0.254:8081 /root_ca/root_ca.crt 30s 1h false
-    # - bootloop: /tmp/coredhcp.db default 5m 172.16.0.200 172.16.0.250
 
+    #
+    # OpenCHAMI CONFIGURATION
+    #
+
+    # Assign IP addresses to devices known to OpenCHAMI based on MAC address.
+    #- coresmd: |
+    #    /* Base URI for contacting SMD */
+    #    svc_base_uri=https://demo.openchami.cluster:8443
+    #
+    #    /* Base URI for contacting boot-service for boot scripts */
+    #    ipxe_base_uri=http://172.16.0.254:8081
+    #
+    #    /*
+    #     * Path to root CA certificate in container to use for TLS
+    #     * verification for communication with SMD
+    #     */
+    #    ca_cert=/root_ca/root_ca.crt
+    #
+    #    /* Refresh interval for CoreSMD's component cache */
+    #    cache_valid=30s
+    #
+    #    /* Duration DHCP leases should be valid */
+    #    lease_time=1h
+    #
+    #    /* Toggle TFTP single-port mode */
+    #    single_port=false
+    #
+    #    /*
+    #     * RICH RULES
+    #     *
+    #     * These are used to set DHCP options based on certain selectors.
+    #     * See: https://github.com/OpenCHAMI/coresmd/blob/main/examples/coredhcp/rules.md
+    #     */
+    #
+    #    /* Domain to append to set hostnames (able to be overridden)
+    #    domain=openchami.cluster
+    #
+    #    /*
+    #     * Log level for rules.
+    #     *
+    #     * none: do not log
+    #     * info: log rule matches
+    #     * debug: log rule matches and non-matches
+    #     */
+    #    rule_log=info
+    #
+    #    /* Set hostname based on type (node or BMC, respectively) */
+    #    rule=type:Node,hostname:n{02d}
+    #    rule=type:NodeBMC,hostname:{id}
+
+    # Optional catch-all for extra devices. This plugin is meant to assign
+    # temporary IPs via a very short lease to devices not tracked in SMD, e.g.
+    # for BMCs to be discoverable via Redfish so they _can_ be added to SMD.
+    # Non-BMC devices are served an iPXE script that instructs them to reboot
+    # (by default, this is customizable, hence the name 'bootloop') so that
+    # they will constantly try to get a new lease. The idea is that once they
+    # are added to SMD, CoreSMD above will catch it.
+    #- bootloop: |
+    #    /* Where to store leases (sqlite)
+    #    lease_file=/tmp/coredhcp.db
+    #
+    #    /* iPXE script to use ('default' reboots)
+    #    script_path=default
+    #
+    #    /* Duration of short-lived lease */
+    #    lease_time=5m
+    #
+    #    /* Beginning IP of assignable IPv4 addresses */
+    #    ipv4_start=172.16.0.200
+    #
+    #    /* Ending IP of assignable IPv4 addresses */
+    #    ipv4_end=172.16.0.250

systemd/configs/haproxy.cfg

@@ -23,50 +23,32 @@ frontend openchami
   bind :443 ssl crt /etc/haproxy/certs/ strict-sni
   option forwardfor
 
-  acl PATH_smd path_beg -i /hsm/v2
+  acl PATH_smd              path_beg -i /hsm/v2
+  acl PATH_configurator     path_beg -i /configurator /generate
+  acl PATH_boot-service     path_beg -i /boot-service/
+  acl PATH_metadata-service path_beg -i /metadata-service/
+  acl PATH_tokensmith       path_beg -i /tokensmith/
 
-  acl PATH_bss path_beg -i /boot/v1
-  acl PATH_bss path_beg -i /apis/bss/
-
-  acl PATH_opaal path_beg -i /token
-  acl PATH_opaal path_beg -i /login
-  acl PATH_opaal path_beg -i /oidc/callback
-
-  acl PATH_opaal-idp path_beg -i /.well-known/openid-configuration
-  acl PATH_opaal-idp path_beg -i /.well-known/jwks.json
-  acl PATH_opaal-idp path_beg -i /browser/login
-  acl PATH_opaal-idp path_beg -i /api/login
-  acl PATH_opaal-idp path_beg -i /oauth2/authorize
-  acl PATH_opaal-idp path_beg -i /oauth2/token
-
-  acl PATH_cloud-init path_beg -i /cloud-init
-
-  acl PATH_configurator path_beg -i /generate
-  acl PATH_configurator path_beg -i /configurator
-
-  use_backend opaal if PATH_opaal
-  use_backend opaal-idp if PATH_opaal-idp
   use_backend smd if PATH_smd
-  use_backend bss if PATH_bss
-  use_backend cloud-init if PATH_cloud-init
   use_backend configurator if PATH_configurator
-
-backend opaal
-  server opaal opaal:3333
-
-backend opaal-idp
-  server opaal-idp opaal-idp:3332
+  use_backend boot-service if PATH_boot-service
+  use_backend metadata-service if PATH_metadata-service
+  use_backend tokensmith if PATH_tokensmith
 
 backend smd
   server smd smd:27779
 
-backend bss
-  server bss bss:27778
-  http-request replace-path ^/apis/bss/(.*) /\1
-
-backend cloud-init
-  server cloud-init-server cloud-init-server:27777
-  http-request replace-path ^/cloud-init(/.*) \1
-
 backend configurator
   server configurator configurator:3334 init-addr none
+
+backend boot-service
+  http-request set-path %[path,regsub(^/boot-service/,/)]
+  server boot-service boot-service:8081
+
+backend metadata-service
+  http-request set-path %[path,regsub(^/metadata-service/,/)]
+  server metadata-service metadata-service:8080
+
+backend tokensmith
+  http-request set-path %[path,regsub(^/tokensmith/,/)]
+  server tokensmith tokensmith:8080

systemd/configs/openchami.env

@@ -14,27 +14,29 @@ URLS_LOGOUT=https://${SYSTEM_URL}/logout
 # Environemnt Variables
 POSTGRES_USER=ochami
 
-# Environemnt Variables
-BSS_USESQL=true
-BSS_INSECURE=true
-BSS_DEBUG=true
-BSS_DBHOST=postgres
-BSS_DBPORT=5432
-BSS_DBNAME=bssdb
-BSS_DBUSER=bss-user
-BSS_JWKS_URL=http://opaal:3333/keys
-BSS_OAUTH2_ADMIN_BASE_URL=http://opaal:3333
-BSS_OAUTH2_PUBLIC_BASE_URL=http://opaal:3333
-BSS_IPXE_SERVER=${SYSTEM_URL}
-BSS_CHAIN_PROTO=https
-
 # Environemnt Variables
 SMD_DBHOST=postgres
 SMD_DBPORT=5432
 SMD_DBNAME=hmsds
 SMD_DBUSER=smd-user
 SMD_DBOPTS=sslmode=disable
-SMD_JWKS_URL=http://opaal:3333/keys
+SMD_JWKS_URL=http://tokensmith:8080/.well-known/jwks.json
+SMD_AUTH_BACKEND=tokensmith
+SMD_AUTH_ISSUER=https://tokensmith.openchami.dev
+SMD_AUTH_AUDIENCES=smd
+
+# Environemnt Variables
+TOKENSMITH_ISSUER=https://tokensmith.openchami.dev
+TOKENSMITH_CLUSTER_ID=demo-cluster
+TOKENSMITH_OPENCHAMI_ID=demo-openchami
+TOKENSMITH_CONFIG=/etc/tokensmith/config.json
+TOKENSMITH_KEY_DIR=/tokensmith/data/keys
+TOKENSMITH_RFC8693_BOOTSTRAP_STORE=/tokensmith/data/bootstrap
+TOKENSMITH_RFC8693_REFRESH_STORE=/tokensmith/data/refresh
+#TOKENSMITH_OIDC_PROVIDER should point to an actual OIDC provider if you intend to use a real provider
+#The default is http://hydra:4444 so leaving it here for visibility
+TOKENSMITH_OIDC_PROVIDER=http://hydra:4444
+TOKENSMITH_PORT=8080
 
 # Environemnt Variables
 STEPPATH=/home/step
@@ -46,13 +48,6 @@ DOCKER_STEPCA_INIT_PROVISIONER_NAME="Admin"
 DOCKER_STEPCA_INIT_PROVISIONER_PASSWORD="provisionerpassword"
 
 # Environemnt Variables
-OPAAL_URL=http://opaal:3333
+SMD_URL=http://smd:27779
 HSM_URL=http://smd:27779
 ANSIBLE_HOST_KEY_CHECKING=False
-
-# Environemnt Variables for cloud-init
-LISTEN=:27777
-SMD_URL=http://smd:27779
-OPAAL_URL=http://opaal:3333
-JWKS_URL=http://opaal:3333/keys
-IMPERSONATION=true

systemd/configs/tokensmith.json

@@ -0,0 +1,19 @@
+{
+  "groupScopes": {
+    "admin": [
+      "admin",
+      "write",
+      "read"
+    ],
+    "operator": [
+      "write",
+      "read"
+    ],
+    "user": [
+      "read"
+    ],
+    "viewer": [
+      "read"
+    ]
+  }
+}