feat(auth): implement TokenSmith-backed service authentication

.github/workflows/Release.yaml

@@ -29,12 +29,12 @@ jobs:
     steps:
       - name: Install dependencies
         run: sudo apt-get update && sudo apt-get install -y gcc-aarch64-linux-gnu
-      
+
       - name: Set up latest stable Go
         uses: actions/setup-go@v6
         with:
           go-version: stable
-      
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
@@ -59,7 +59,7 @@ jobs:
           echo "GO_VERSION=$(go version | awk '{print $3}')" >> $GITHUB_ENV
           echo "BUILD_USER=$(whoami)" >> $GITHUB_ENV
           echo "CGO_ENABLED=1" >> $GITHUB_ENV
-          
+
           if [[ "${{ github.event_name }}" == "pull_request" ]]; then
             echo "IS_PR_BUILD=true" >> $GITHUB_ENV
             echo "DOCKER_TAG=pr-${{ github.event.number }}" >> $GITHUB_ENV
@@ -137,4 +137,4 @@ jobs:
         with:
           subject-name: ghcr.io/openchami/coresmd
           subject-digest: ${{ steps.process_goreleaser_output.outputs.digest }}
-          push-to-registry: true
+          push-to-registry: true

.golangci.yml

@@ -32,4 +32,4 @@ formatters:
       local-prefixes:
         - github.com/openchami/coresmd/
   exclusions:
-    generated: lax 
+    generated: lax

.pre-commit-config.yaml

@@ -0,0 +1,84 @@
+# SPDX-FileCopyrightText: Copyright © 2025 OpenCHAMI a Series of LF Projects, LLC
+# SPDX-License-Identifier: MIT
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+    -   id: trailing-whitespace
+    -   id: end-of-file-fixer
+    -   id: check-yaml
+        args: [--allow-multiple-documents]
+    -   id: check-added-large-files
+
+- repo: https://github.com/fsfe/reuse-tool
+  rev: v6.2.0
+  hooks:
+    - id: reuse-lint-file
+
+-   repo: https://github.com/tekwizely/pre-commit-golang
+    # See 'pre-commit help autoupdate'
+    rev: v1.0.0-rc.4
+    hooks:
+
+    # Disabled go-mod-tidy in favor of custom hook below that properly excludes examples
+    # -   id: go-mod-tidy
+    #     exclude: '^(test/integration|examples)/'
+    # Disabled go-test-mod in favor of custom hook below that excludes examples
+    # -   id: go-test-mod
+    #     exclude: '^(test/integration|examples)/'
+    # Disabled go-vet-mod in favor of custom hook below that excludes examples
+    # -   id: go-vet-mod
+    #     exclude: '^(test/integration|examples)/'
+
+    #
+    # Formatters
+    #
+    -   id: go-fmt
+    -   id: go-fmt-repo
+
+    #
+    # Style Checkers
+    # Disabled golangci-lint-mod in favor of custom hook below that excludes examples
+    # -   id: golangci-lint-mod
+    #     exclude: '^(test/integration|examples)/'
+
+# Custom local hooks
+-   repo: local
+    hooks:
+    -   id: go-mod-tidy-exclude-examples
+        name: go mod tidy (excluding examples)
+        # Temporarily rename examples to hide it from go mod tidy, then restore it
+        entry: bash -c 'if [ -d examples ]; then mv examples .examples.tmp && trap "rm -rf examples; mv .examples.tmp examples" EXIT; go mod tidy; else go mod tidy; fi'
+        language: system
+        pass_filenames: false
+        types: [go]
+        files: '^(go\.(mod|sum)|cmd/|pkg/|internal/).*'
+
+    -   id: go-vet-mod-exclude-examples
+        name: go vet (excluding examples)
+        # Temporarily rename examples to hide it from go vet, then restore it
+        entry: bash -c 'if [ -d examples ]; then mv examples .examples.tmp && trap "rm -rf examples; mv .examples.tmp examples" EXIT; go vet -mod=mod ./...; else go vet -mod=mod ./...; fi'
+        language: system
+        pass_filenames: false
+        types: [go]
+        files: '^(cmd/|pkg/|internal/).*\.go$'
+
+    -   id: golangci-lint-mod-exclude-examples
+        name: golangci-lint (excluding examples)
+        # Temporarily rename examples to hide it from golangci-lint, then restore it
+        entry: bash -c 'if [ -d examples ]; then mv examples .examples.tmp && trap "rm -rf examples; mv .examples.tmp examples" EXIT; golangci-lint run --fix=false; else golangci-lint run --fix=false; fi'
+        language: system
+        pass_filenames: false
+        types: [go]
+        files: '^(cmd/|pkg/|internal/).*\.go$'
+
+    -   id: go-test-mod-exclude-examples
+        name: go test (excluding examples and integration tests)
+        entry: bash -c 'go test -mod=readonly -race $(go list ./... 2>/dev/null | grep -v -e "/examples/" -e "/test/integration")'
+        language: system
+        pass_filenames: false
+        types: [go]
+
+    #

Dockerfile

@@ -23,7 +23,7 @@ RUN set -ex \
 
 
 # Both coredns and coredhcp are built and added to the same container.
-# By default, coredhcp is started and coredns is not.  To start coredns, override the CMD in the 
+# By default, coredhcp is started and coredns is not.  To start coredns, override the CMD in the
 # container runtime configuration and provide a volume with the appropriate configuration file.
 COPY coredhcp /coredhcp
 COPY coredns /coredns

README.md

@@ -401,4 +401,3 @@ Once all prerequisites are set, you can run CoreDHCP or CoreDNS.
 - [SMD GitHub](https://github.com/OpenCHAMI/smd)
 - [GoReleaser Documentation](https://goreleaser.com/install/)
 - [Magellan (OpenCHAMI)](https://github.com/OpenCHAMI/magellan)
-

examples/coredhcp/README.md

@@ -105,6 +105,50 @@ plugins:
 
 See [coredhcp.yaml](coredhcp.yaml) for a complete example showing both DHCPv4 and DHCPv6 configurations.
 
+## TokenSmith Auth for SMD Requests
+
+The CoreDHCP `coresmd` plugin can authenticate outbound SMD API requests using
+TokenSmith service tokens.
+
+Configure auth in the `coresmd` key-value block:
+
+- `auth_mode={disabled|optional|required}`
+  - `disabled` (default): no auth
+  - `optional`: try auth, continue unauthenticated if bootstrap exchange fails
+  - `required`: fail startup if bootstrap exchange fails
+- `tokensmith_url=https://tokensmith.cluster.local`
+  - required for `optional` and `required`
+- `refresh_before=2m`
+  - optional lead time before token expiry for proactive refresh
+
+Set the bootstrap token in the environment for the CoreDHCP process:
+
+```bash
+export TOKENSMITH_BOOTSTRAP_TOKEN="<bootstrap-token>"
+```
+
+Example:
+
+```yaml
+plugins:
+  - coresmd: |
+      svc_base_uri=https://smd.openchami.cluster
+      ipxe_base_uri=http://172.16.0.253:8081
+      ca_cert=/root_ca/root_ca.crt
+      cache_valid=30s
+
+      auth_mode=required
+      tokensmith_url=https://tokensmith.cluster.local
+      refresh_before=90s
+
+      rule=type:Node,hostname:nid{04d}
+      rule=type:NodeBMC,hostname:bmc{04d}
+      domain=openchami.cluster
+```
+
+`target_service` and `scopes` are intentionally omitted from plugin config.
+TokenSmith derives both from bootstrap token claims.
+
 ## Custom Hostnames
 
 Hostname patterns can be used to specify custom hostnames for nodes and BMCs. See [**hostnames.md**](hostnames.md) for more details.

examples/coredhcp/rules.md

@@ -117,6 +117,37 @@ A rule may set:
 - `routers` (DHCPv4 option 3)
 - `netmask` (DHCPv4 option 1)
 
+### `auth_mode={disabled|optional|required}`
+
+Controls outbound SMD authentication behavior using TokenSmith-issued service
+tokens.
+
+- `disabled` (default): do not attempt auth
+- `optional`: attempt auth at startup, continue unauthenticated if exchange fails
+- `required`: fail startup if exchange fails
+
+### `tokensmith_url=URL`
+
+TokenSmith base URL used for bootstrap token exchange.
+
+Required when `auth_mode` is `optional` or `required`.
+
+### `refresh_before=DURATION`
+
+Optional lead time before token expiration to refresh proactively.
+
+**Default:** `2m`
+
+Uses Go duration syntax (for example `30s`, `90s`, `2m`, `5m`).
+
+### Token Bootstrap Environment
+
+Set `TOKENSMITH_BOOTSTRAP_TOKEN` in the CoreDHCP process environment. The
+plugin reads this value at startup.
+
+`target_service` and `scopes` are intentionally not configured in CoreDHCP.
+TokenSmith reads them from bootstrap token claims.
+
 ## Migrating from `*_pattern`
 
 Older CoreSMD configurations used legacy pattern directives (for example

examples/coredns/README.md

@@ -96,6 +96,41 @@ coresmd {
 }
 ```
 
+### Enabling TokenSmith Auth for SMD Requests
+
+The CoreDNS `coresmd` plugin can authenticate outbound SMD API requests using
+TokenSmith-issued service tokens.
+
+Auth directives in the `coresmd` block:
+
+- `auth_mode`: `disabled` (default), `optional`, or `required`
+- `tokensmith_url`: required when `auth_mode` is `optional` or `required`
+- `refresh_before`: optional token refresh lead time (default `2m`)
+
+Set the bootstrap token in the environment before starting CoreDNS:
+
+```bash
+export TOKENSMITH_BOOTSTRAP_TOKEN="<bootstrap-token>"
+```
+
+Example Corefile snippet:
+
+```corefile
+coresmd {
+   smd_url https://smd.cluster.local
+   auth_mode optional
+   tokensmith_url https://tokensmith.cluster.local
+   refresh_before 2m
+
+   zone openchami.cluster {
+      nodes nid{04d}
+   }
+}
+```
+
+`target_service` and `scopes` are not configured in the plugin. TokenSmith
+reads those constraints from the bootstrap token claims.
+
 ## Testing
 
 ### Test DNS Resolution

examples/coredns/advanced/Corefile

@@ -5,7 +5,7 @@
 
 # Advanced CoreSMD CoreDNS Configuration
 # This configuration provides DNS resolution with custom zones and TLS support
-# 
+#
 # This example demonstrates advanced features including:
 # - TLS certificate validation for secure SMD communication
 # - Multiple zone configurations for different domains
@@ -18,31 +18,31 @@
     coresmd {
         # URL of the SMD server that provides component information
         smd_url https://smd.cluster.local
-        
+
         # CA certificate for validating SMD server TLS certificate
         # Required for secure communication in production environments
         ca_cert /etc/ssl/certs/smd-ca.crt
-        
+
         # Extended cache duration for production (60 seconds)
         # Longer cache reduces SMD server load but may delay updates
         cache_duration 60s
-        
+
         # Primary zone configuration for cluster.local domain
         zone cluster.local {
             # Pattern for compute node hostnames: nid0001, nid0002, etc.
             nodes nid{04d}
         }
-        
+
         # Secondary zone configuration for management network
         zone mgmt.local {
             # Pattern for management node hostnames: mgmt0001, mgmt0002, etc.
             nodes mgmt{04d}
         }
     }
-    
+
     # Prometheus metrics endpoint for monitoring and alerting
     prometheus 0.0.0.0:9153
-    
+
     # Forward all other queries to Google's DNS servers
     forward . 8.8.8.8
-} 
+}

examples/coredns/basic/Corefile

@@ -5,7 +5,7 @@
 
 # Basic CoreSMD CoreDNS Configuration
 # This configuration provides DNS resolution for OpenCHAMI cluster components
-# 
+#
 # The coresmd plugin integrates with the OpenCHAMI SMD (State Management Database)
 # to provide dynamic DNS resolution for compute nodes and BMCs (Baseboard Management Controllers)
 # based on their hardware addresses and component information.
@@ -16,20 +16,20 @@
     coresmd {
         # URL of the SMD server that provides component information
         smd_url https://demo.openchami.cluster:8443
-        
+
         # How long to cache SMD data before refreshing (30 seconds)
         cache_duration 30s
-        
+
         # Zone configuration for openchami.cluster domain
         zone openchami.cluster {
             # Pattern for node hostnames: nid0001, nid0002, etc.
             nodes nid{04d}
         }
     }
-    
+
     # Prometheus metrics endpoint for monitoring
     prometheus 0.0.0.0:9153
-    
+
     # Forward all other queries to Google's DNS servers
     forward . 8.8.8.8
-} 
+}