From 270ec55ff692a1fe1133666a7b8831d5fba8e8e2 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 2 Apr 2026 07:13:49 -0600 Subject: [PATCH 01/63] added tokensmith basic config file; update env file Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 9 ++++++++ systemd/configs/tokensmith.json | 19 +++++++++++++++++ systemd/containers/tokensmith.container | 28 +++++++++++++++++++++++++ 3 files changed, 56 insertions(+) create mode 100644 systemd/configs/tokensmith.json create mode 100644 systemd/containers/tokensmith.container diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index efbe4ea..a4cb925 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env @@ -36,6 +36,15 @@ SMD_DBUSER=smd-user SMD_DBOPTS=sslmode=disable SMD_JWKS_URL=http://opaal:3333/keys +# Environemnt Variables +TOKENSMITH_ISSUER=https://tokensmith.openchami.dev +TOKENSMITH_CLUSTER_ID=demo-cluster +TOKENSMITH_OPENCHAMI_ID=demo-openchami +TOKENSMITH_CONFIG=/tokensmith/config.json +TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys +TOKENSMITH_OIDC_PROVIDER=http://hydra:4444 +TOKENSMITH_PORT=8080 + # Environemnt Variables STEPPATH=/home/step DOCKER_STEPCA_INIT_NAME=OpenCHAMI diff --git a/systemd/configs/tokensmith.json b/systemd/configs/tokensmith.json new file mode 100644 index 0000000..09d4ed4 --- /dev/null +++ b/systemd/configs/tokensmith.json @@ -0,0 +1,19 @@ +{ + "groupScopes": { + "admin": [ + "admin", + "write", + "read" + ], + "operator": [ + "write", + "read" + ], + "user": [ + "read" + ], + "viewer": [ + "read" + ] + } +} \ No newline at end of file diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container new file mode 100644 index 0000000..5d23ab5 --- /dev/null +++ b/systemd/containers/tokensmith.container 
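Review bot: `TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys` puts the issuer's signing key under /tmp inside the container, and the bootstrap script added later in this series reads `/tmp/tokensmith/keys/private.pem` directly, so the key that every other service's tokens chain to lives in a scratch directory that is world-writable by convention and is not persisted across container recreation unless the image does something I cannot see here. I'd move it to a dedicated location backed by a volume, e.g. `TOKENSMITH_KEY_DIR=/var/lib/tokensmith/keys`, or add a comment above the block stating that an ephemeral key is intentional for the demo profile and that every bootstrap token must be re-minted whenever tokensmith is recreated. The block header `# Environemnt Variables` repeats an existing typo and says nothing about who reads these values; `# tokensmith (token issuer) settings; ISSUER/CLUSTER_ID/OPENCHAMI_ID are demo values, set per site` would tell an operator what to change.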
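Review bot: `user` and `viewer` carry the identical scope list `["read"]`, so as written the two groups are indistinguishable to anything consuming the minted token, and a future edit that adds a scope to one of them will silently widen access for whoever is mapped to the other. If the split is intentional (e.g. `user` is reserved for write scopes later), record that in the README or the commit message since JSON has no comment syntax; otherwise drop one of the two. The file also lacks a trailing newline.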
@@ -0,0 +1,28 @@ +[Unit] +Description=The tokensmith container +Wants=hydra-gen-jwks.service +After=hydra-gen-jwks.service +PartOf=openchami.target + +[Container] +ContainerName=tokensmith +HostName=tokensmith +Image=ghcr.io/openchami/tokensmith:pr-13 +EnvironmentFile=/etc/openchami/configs/openchami.env + +# Volumes +Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z + +# Networks for the Container to use +Network=openchami-internal.network +Network=openchami-jwt-internal.network + +# Extra hosts +PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254' +# Proxy settings +PodmanArgs=--http-proxy=false + +[Service] +Restart=always +# Run commands after container starts +ExecStartPost=sleep 10s \ No newline at end of file From 5783d19189619b9f35de78aefc6f57c2105452b5 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 7 Apr 2026 14:50:25 -0600 Subject: [PATCH 02/63] added tokensmith bootstrap token script 
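Review bot: `Image=ghcr.io/openchami/tokensmith:pr-13` pins the token issuer, the component whose key every other service in this deployment trusts, to a pull-request tag; such tags are mutable and are normally rebuilt on every push to the PR, so a host that pulls this unit later may run code nobody reviewed. Pin to a released tag plus digest (`Image=ghcr.io/openchami/tokensmith:<release>@sha256:<digest>`) before this leaves the demo stage. `Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z` mounts the scope policy read-write; `:ro,Z` (the form already used on the commented-out Volume line in the later boot-service unit) keeps a compromised process from rewriting its own group-to-scope map. `ExecStartPost=sleep 10s` is the only readiness gate that units ordered `After=tokensmith.service` get, which is a timing assumption rather than a check that the key file exists.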
Signed-off-by: Travis Cotton --- scripts/tokensmith_bootstrap_token.sh | 14 +++++++ systemd/containers/bss-init.container | 28 ------------- systemd/containers/bss.container | 36 ----------------- .../containers/cloud-init-server.container | 24 ----------- systemd/containers/hydra-gen-jwks.container | 26 ------------ systemd/containers/hydra-migrate.container | 32 --------------- systemd/containers/hydra.container | 40 ------------------- systemd/containers/opaal-idp.container | 26 ------------ systemd/containers/opaal.container | 33 --------------- 9 files changed, 14 insertions(+), 245 deletions(-) create mode 100644 scripts/tokensmith_bootstrap_token.sh delete mode 100644 systemd/containers/bss-init.container delete mode 100644 systemd/containers/bss.container delete mode 100644 systemd/containers/cloud-init-server.container delete mode 100644 systemd/containers/hydra-gen-jwks.container delete mode 100644 systemd/containers/hydra-migrate.container delete mode 100644 systemd/containers/hydra.container delete mode 100644 systemd/containers/opaal-idp.container delete mode 100644 systemd/containers/opaal.container diff --git a/scripts/tokensmith_bootstrap_token.sh b/scripts/tokensmith_bootstrap_token.sh new file mode 100644 index 0000000..f9f8083 --- /dev/null +++ b/scripts/tokensmith_bootstrap_token.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +CLIENT="${1}" +SERVICE="smd" + +TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\ + /usr/local/bin/tokensmith mint-bootstrap-token \ + --key-file /tmp/tokensmith/keys/private.pem \ + --service-id ${CLIENT}-client \ + --target-service ${SERVICE} + ") +SECRET_NAME="${CLIENT}-bootstrap-token" +printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm ${SECRET_NAME} 2>/dev/null || true +printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create ${SECRET_NAME} - \ No newline at end of file 
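Review bot: The script stores whatever `mint-bootstrap-token` printed without checking its exit status or that the output is non-empty, and it removes the existing secret first, so a failed mint (tokensmith not up yet, `/tmp/tokensmith/keys/private.pem` missing) leaves the dependent service with an empty `TOKENSMITH_BOOTSTRAP_TOKEN` secret and no previous one to fall back to. `CLIENT` comes straight from `$1` and is expanded unquoted both inside the `sh -c` string and in `podman secret rm ${SECRET_NAME}`, so a name with spaces or shell metacharacters changes the command line; the `-e SERVICE`/`-e CLIENT` exports are unused because the expansion already happens on the host. I'd add `set -euo pipefail`, restrict the client name to `[A-Za-z0-9_-]`, quote every expansion, and only replace the secret once a non-empty token is in hand, as below; the `sh -c` wrapper is dropped on the assumption that the binary is directly executable in the image, which should be verified.
```shell
#!/bin/bash
# Mint a tokensmith bootstrap token for one client and store it as a podman secret
# named "<client>-bootstrap-token". Exits non-zero (and leaves any existing secret
# in place) if the token cannot be minted.
set -euo pipefail

CLIENT="${1:?usage: $0 <client-name>}"
SERVICE="smd"
SECRET_NAME="${CLIENT}-bootstrap-token"

# The client name becomes part of a command line and a secret name; keep it to a safe charset.
case "$CLIENT" in
  *[!A-Za-z0-9_-]*) echo "invalid client name: $CLIENT" >&2; exit 1 ;;
esac

TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec tokensmith \
    /usr/local/bin/tokensmith mint-bootstrap-token \
      --key-file /tmp/tokensmith/keys/private.pem \
      --service-id "${CLIENT}-client" \
      --target-service "${SERVICE}")

# Never overwrite a working secret with an empty one.
[ -n "$TOKENSMITH_BOOTSTRAP_TOKEN" ] || { echo "empty bootstrap token for $CLIENT" >&2; exit 1; }

podman secret rm "${SECRET_NAME}" 2>/dev/null || true
printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create "${SECRET_NAME}" -
```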
diff --git a/systemd/containers/bss-init.container b/systemd/containers/bss-init.container deleted file mode 100644 index 4bebd0c..0000000 --- a/systemd/containers/bss-init.container +++ /dev/null @@ -1,28 +0,0 @@ -[Unit] -Description=The bss-init container -Wants=smd.service -Requires=postgres.service -PartOf=openchami.target - -[Container] -ContainerName=bss-init -HostName=bss-init -Image=ghcr.io/openchami/bss:v1.32.2 - -# Environment Variables -EnvironmentFile=/etc/openchami/configs/openchami.env - -# Secrets -Secret=bss_postgres_password,type=env,target=BSS_DBPASS - -# Networks for the Container to use -Network=openchami-internal.network - -# Proxy settings -PodmanArgs=--http-proxy=false -PodmanArgs=--entrypoint='["/bin/sh","-c","/usr/local/bin/bss-init "]' - -[Service] -Restart=on-failure -Type=oneshot -RemainAfterExit=yes diff --git a/systemd/containers/bss.container b/systemd/containers/bss.container deleted file mode 100644 index 044d69c..0000000 --- a/systemd/containers/bss.container +++ /dev/null @@ -1,36 +0,0 @@ -[Unit] -Description=The bss container -PartOf=openchami.target - -# Ensure the init job has started (and if it fails, BSS will fail): -Requires=bss-init.service -After=bss-init.service - -# Ensure SMD has started already -Wants=smd.service -After=smd.service - -# Hydraledger JWKS must be generated first: -Wants=hydra-gen-jwks.service -After=hydra-gen-jwks.service - - -[Container] -ContainerName=bss -HostName=bss -Image=ghcr.io/openchami/bss:v1.32.2 - -# Environment Variables -EnvironmentFile=/etc/openchami/configs/openchami.env - -# Secrets -Secret=bss_postgres_password,type=env,target=BSS_DBPASS - -# Networks for the Container to use -Network=openchami-internal.network - -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=always diff --git a/systemd/containers/cloud-init-server.container b/systemd/containers/cloud-init-server.container deleted file mode 100644 index fd914df..0000000 
--- a/systemd/containers/cloud-init-server.container +++ /dev/null @@ -1,24 +0,0 @@ -[Unit] -Description=The cloud-init-server container -Wants=smd.service -After=smd.service opaal.service -PartOf=openchami.target - -[Container] -ContainerName=cloud-init-server -HostName=cloud-init -Image=ghcr.io/openchami/cloud-init:v1.3.0 - -Volume=cloud-init-data:/cloud-init:rw,Z - -# Environment Variables -EnvironmentFile=/etc/openchami/configs/openchami.env - -# Networks for the Container to use -Network=openchami-internal.network - -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=always diff --git a/systemd/containers/hydra-gen-jwks.container b/systemd/containers/hydra-gen-jwks.container deleted file mode 100644 index e643bb5..0000000 --- a/systemd/containers/hydra-gen-jwks.container +++ /dev/null @@ -1,26 +0,0 @@ -[Unit] -Description=The hydra-gen-jwks container -Wants=hydra.service -After=hydra.service -PartOf=openchami.target - -[Container] -ContainerName=hydra-gen-jwks -HostName=hydra-gen-jwks -Image=cgr.dev/chainguard/curl:latest - -# Command to run in container -Exec=--retry 10 --retry-delay 5 --retry-all-errors --verbose http://hydra:4444/.well-known/jwks.json - -# Networks for the Container to use -Network=openchami-jwt-internal.network - - -# Unsupported by generator options -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=on-failure -Type=oneshot -RemainAfterExit=yes diff --git a/systemd/containers/hydra-migrate.container b/systemd/containers/hydra-migrate.container deleted file mode 100644 index 9829126..0000000 --- a/systemd/containers/hydra-migrate.container +++ /dev/null 
@@ -1,32 +0,0 @@ -[Unit] -Description=The hydra-migrate container -Requires=postgres.service -After=postgres.service -PartOf=openchami.target - -[Container] -ContainerName=hydra-migrate -HostName=hydra-migrate -Image=docker.io/oryd/hydra:v2.3 - -# Volumes -Volume=/etc/openchami/configs/:/etc/config/hydra:Z - -# Secrets -Secret=hydra_system_secret,type=env,target=SECRETS_SYSTEM -Secret=hydra_postgres_password,type=env,target=HYDRA_POSTGRES_PASSWORD -Secret=hydra_dsn,type=env,target=DSN - -# Command to run in container -Exec=migrate -c /etc/config/hydra/hydra.yml sql -e --yes - -# Networks for the Container to use -Network=openchami-internal.network - -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=on-failure -Type=oneshot -RemainAfterExit=yes diff --git a/systemd/containers/hydra.container b/systemd/containers/hydra.container deleted file mode 100644 index 4cd6461..0000000 --- a/systemd/containers/hydra.container +++ /dev/null @@ -1,40 +0,0 @@ -[Unit] -Description=The hydra container -PartOf=openchami.target - -# 1) Don’t start until hydra-migrate has successfully started: -Requires=hydra-migrate.service -After=hydra-migrate.service - -# 2) Also require Step-CA to be running first: -Wants=step-ca.service -After=step-ca.service - - -[Container] -ContainerName=hydra -HostName=hydra -Image=docker.io/oryd/hydra:v2.3 - -# Volumes -Volume=/etc/openchami/configs/:/etc/config/hydra:Z - -# Environment Variables -EnvironmentFile=/etc/openchami/configs/openchami.env - -# Secrets -Secret=hydra_system_secret,type=env,target=SECRETS_SYSTEM -Secret=hydra_dsn,type=env,target=DSN - -# Command to run in container -Exec=serve -c /etc/config/hydra/hydra.yml all --sqa-opt-out - -# Networks for the Container to use -Network=openchami-jwt-internal.network - - -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=always 
diff --git a/systemd/containers/opaal-idp.container b/systemd/containers/opaal-idp.container deleted file mode 100644 index cccba39..0000000 --- a/systemd/containers/opaal-idp.container +++ /dev/null @@ -1,26 +0,0 @@ -[Unit] -Description=The opaal-idp container -Wants=hydra-gen-jwks.service -After=hydra-gen-jwks.service -PartOf=openchami.target - -[Container] -ContainerName=opaal-idp -HostName=opaal-idp -Image=ghcr.io/openchami/opaal:v0.3.12 - -# Volumes -Volume=/etc/openchami/configs:/opaal/config/:Z - -# Command to run in container -Exec=/opaal/opaal serve --config /opaal/config/opaal.yaml - -EnvironmentFile=/etc/openchami/configs/openchami.env -# Networks for the Container to use -Network=openchami-jwt-internal - -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=always diff --git a/systemd/containers/opaal.container b/systemd/containers/opaal.container deleted file mode 100644 index 700b72c..0000000 --- a/systemd/containers/opaal.container +++ /dev/null @@ -1,33 +0,0 @@ -[Unit] -Description=The opaal container -PartOf=openchami.target - -# Don’t start until the ID-P is running: -Wants=opaal-idp.service -After=opaal-idp.service - -[Container] -ContainerName=opaal -HostName=opaal -Image=ghcr.io/openchami/opaal:v0.3.12 - - -# Volumes -Volume=/etc/openchami/configs:/opaal/config/:Z - -# Command to run in container -Exec=/opaal/opaal login --config /opaal/config/opaal.yaml - -# Networks for the Container to use -Network=openchami-internal.network -Network=openchami-jwt-internal.network - -# Extra hosts -PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254' -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=always -# Run commands after container starts -ExecStartPost=sleep 10s From d12a8d484906e870536f7ba0a9f45441c056d723 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 7 Apr 2026 14:50:51 -0600 Subject: [PATCH 03/63] removed old services; added new ones 
Signed-off-by: Travis Cotton --- systemd/containers/boot-service.service | 32 +++++++++++++++++++ systemd/containers/coresmd-coredhcp.container | 4 +-- systemd/containers/haproxy.container | 4 +-- systemd/containers/metadata-service.service | 24 ++++++++++++++ systemd/containers/tokensmith.container | 4 +-- 5 files changed, 61 insertions(+), 7 deletions(-) create mode 100644 systemd/containers/boot-service.service create mode 100644 systemd/containers/metadata-service.service diff --git a/systemd/containers/boot-service.service b/systemd/containers/boot-service.service new file mode 100644 index 0000000..22b0b5a --- /dev/null +++ b/systemd/containers/boot-service.service @@ -0,0 +1,32 @@ +[Unit] +Description=The bss container +#PartOf=openchami.target + +# Ensure the init job has started (and if it fails, BSS will fail): +Requires=tokensmith.service smd.service +After=tokensmith.service smd.service + +[Container] +ContainerName=boot-service +HostName=boot-service +Image=boot-service:test + +# Environment Variables +#EnvironmentFile=/etc/openchami/configs/openchami.env + +#Volume=/etc/openchami/configs/boot-service.yaml:/etc/boot-service/config.yaml:ro,Z + +# Secrets +Secret=bss-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN + +# Networks for the Container to use +Network=openchami-internal.network + +# Proxy settings +PodmanArgs=--http-proxy=false + +Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd + +[Service] +ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh bss +Restart=always diff --git a/systemd/containers/coresmd-coredhcp.container b/systemd/containers/coresmd-coredhcp.container index 9030c90..50f0644 100644 --- a/systemd/containers/coresmd-coredhcp.container +++ b/systemd/containers/coresmd-coredhcp.container 
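Review bot: `Secret=bss-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN` puts the bootstrap token into the container's environment, where it is readable by every process in the container and shows up in `podman inspect` on the host; if the server can read it from a file, `type=mount` keeps it out of the environment (the binary's flags are not visible here, so confirm). `Image=boot-service:test` is a bare local tag with no registry or digest, so the unit runs whatever was last tagged `test` on that host, which is fine for development but should not survive into the packaged spec next to the pinned `ghcr.io` images. Both `--tokensmith_url=http://tokensmith:8080` and `--hsm-url=http://smd:27779` are plaintext HTTP; if the service token obtained from tokensmith is presented to SMD over `--hsm-url`, it travels in clear on `openchami-internal.network`, which is acceptable only while that network is treated as trusted and deserves a comment saying so.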
@@ -1,7 +1,7 @@ [Unit] Description=The CoreSMD CoreDHCP container -Wants=haproxy.service -After=haproxy.service +Wants=tokensmith.service +After=tokensmith.service PartOf=openchami.target [Container] diff --git a/systemd/containers/haproxy.container b/systemd/containers/haproxy.container index ac1c0f0..0c91ded 100644 --- a/systemd/containers/haproxy.container +++ b/systemd/containers/haproxy.container @@ -1,7 +1,7 @@ [Unit] Description=The haproxy container -Wants=bss.service cloud-init-server.service smd.service acme-deploy.service -After=openchami-external-network.service opaal.service smd.service bss.service acme-deploy.service cloud-init-server.service +Wants=boot-service.service metadata-service.service smd.service acme-deploy.service +After=openchami-external-network.service smd.service boot-service.service acme-deploy.service metadata-service.service Requires=openchami-external-network.service acme-deploy.service PartOf=openchami.target diff --git a/systemd/containers/metadata-service.service b/systemd/containers/metadata-service.service new file mode 100644 index 0000000..a02451a --- /dev/null +++ b/systemd/containers/metadata-service.service @@ -0,0 +1,24 @@ +[Unit] +Description=The metadata-service container +Wants=smd.service +After=smd.service tokensmith.service +PartOf=openchami.target + +[Container] +ContainerName=metadata-service +HostName=cloud-init +Image=metadata-service:test + +Volume=cloud-init-data:/cloud-init:rw,Z + +# Environment Variables +EnvironmentFile=/etc/openchami/configs/openchami.env + +# Networks for the Container to use +Network=openchami-internal.network + +# Proxy settings +PodmanArgs=--http-proxy=false + +[Service] +Restart=always \ No newline at end of file diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index 5d23ab5..bfa2e0d 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container 
@@ -1,13 +1,11 @@ [Unit] Description=The tokensmith container -Wants=hydra-gen-jwks.service -After=hydra-gen-jwks.service PartOf=openchami.target [Container] ContainerName=tokensmith HostName=tokensmith -Image=ghcr.io/openchami/tokensmith:pr-13 +Image=ghcr.io/openchami/tokensmith:pr-19 EnvironmentFile=/etc/openchami/configs/openchami.env # Volumes From f279c32686b6f09d2946892968cec9ae15b38e5c Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 7 Apr 2026 15:49:03 -0600 Subject: [PATCH 04/63] updating some container files Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 16 ---------------- systemd/containers/boot-service.service | 16 +++++++--------- systemd/containers/coresmd-coredhcp.container | 4 ++-- systemd/containers/metadata-service.service | 7 +++++-- 4 files changed, 14 insertions(+), 29 deletions(-) diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index a4cb925..f216bec 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env @@ -14,20 +14,6 @@ URLS_LOGOUT=https://${SYSTEM_URL}/logout # Environemnt Variables POSTGRES_USER=ochami -# Environemnt Variables -BSS_USESQL=true -BSS_INSECURE=true -BSS_DEBUG=true -BSS_DBHOST=postgres -BSS_DBPORT=5432 -BSS_DBNAME=bssdb -BSS_DBUSER=bss-user -BSS_JWKS_URL=http://opaal:3333/keys -BSS_OAUTH2_ADMIN_BASE_URL=http://opaal:3333 -BSS_OAUTH2_PUBLIC_BASE_URL=http://opaal:3333 -BSS_IPXE_SERVER=${SYSTEM_URL} -BSS_CHAIN_PROTO=https - # Environemnt Variables SMD_DBHOST=postgres SMD_DBPORT=5432 @@ -62,6 +48,4 @@ ANSIBLE_HOST_KEY_CHECKING=False # Environemnt Variables for cloud-init LISTEN=:27777 SMD_URL=http://smd:27779 -OPAAL_URL=http://opaal:3333 -JWKS_URL=http://opaal:3333/keys IMPERSONATION=true diff --git a/systemd/containers/boot-service.service b/systemd/containers/boot-service.service index 22b0b5a..cc79678 100644 --- a/systemd/containers/boot-service.service +++ b/systemd/containers/boot-service.service 
@@ -1,10 +1,10 @@ [Unit] Description=The bss container -#PartOf=openchami.target +PartOf=openchami.target -# Ensure the init job has started (and if it fails, BSS will fail): -Requires=tokensmith.service smd.service -After=tokensmith.service smd.service +# Ensure SMD has started already +Wants=smd.service tokensmith.service +After=smd.service tokensmith.service [Container] ContainerName=boot-service @@ -12,12 +12,10 @@ HostName=boot-service Image=boot-service:test # Environment Variables -#EnvironmentFile=/etc/openchami/configs/openchami.env - -#Volume=/etc/openchami/configs/boot-service.yaml:/etc/boot-service/config.yaml:ro,Z +EnvironmentFile=/etc/openchami/configs/openchami.env # Secrets -Secret=bss-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN +Secret=boot-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN # Networks for the Container to use Network=openchami-internal.network @@ -28,5 +26,5 @@ PodmanArgs=--http-proxy=false Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd [Service] -ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh bss +ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service Restart=always diff --git a/systemd/containers/coresmd-coredhcp.container b/systemd/containers/coresmd-coredhcp.container index 50f0644..c76739a 100644 --- a/systemd/containers/coresmd-coredhcp.container +++ b/systemd/containers/coresmd-coredhcp.container @@ -1,7 +1,7 @@ [Unit] Description=The CoreSMD CoreDHCP container -Wants=tokensmith.service -After=tokensmith.service +Wants=tokensmith.service smd.service +After=tokensmith.service smd.service PartOf=openchami.target [Container] diff --git a/systemd/containers/metadata-service.service b/systemd/containers/metadata-service.service index a02451a..4031d45 100644 --- a/systemd/containers/metadata-service.service +++ b/systemd/containers/metadata-service.service 
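Review bot: The hunk relaxes `Requires=tokensmith.service smd.service` to `Wants=`, but `ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service` does `podman exec` into the tokensmith container and cannot succeed unless it is running, so with `Wants=` a failed tokensmith no longer stops boot-service from starting; it just makes `ExecStartPre` fail and `Restart=always` loop the unit. Keep the hard dependency on the issuer and soften only SMD if that is the intent: `Requires=tokensmith.service` / `Wants=smd.service` / `After=smd.service tokensmith.service`. Note also that `After=tokensmith.service` only waits for that unit's start job to finish, which in the tokensmith unit is gated by `ExecStartPost=sleep 10s` rather than by the key file being present, so a slow host can still hit the missing-key case in the pre-start script.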
@@ -6,14 +6,16 @@ PartOf=openchami.target [Container] ContainerName=metadata-service -HostName=cloud-init +HostName=metadata-service Image=metadata-service:test -Volume=cloud-init-data:/cloud-init:rw,Z +Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN # Environment Variables EnvironmentFile=/etc/openchami/configs/openchami.env +Exec=serve --tokensmith-url=http://tokensmith:8080 + # Networks for the Container to use Network=openchami-internal.network @@ -21,4 +23,5 @@ Network=openchami-internal.network PodmanArgs=--http-proxy=false [Service] +ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh metadata-service Restart=always \ No newline at end of file From 99b50cd05c193b6071f346726b07ae9cfdfa3a4f Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:08:53 -0600 Subject: [PATCH 05/63] renamed .service files to .container Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 30 +++++++++++++++++++ systemd/containers/metadata-service.container | 27 +++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 systemd/containers/boot-service.container create mode 100644 systemd/containers/metadata-service.container diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container new file mode 100644 index 0000000..cc79678 --- /dev/null +++ b/systemd/containers/boot-service.container 
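Review bot: `Exec=serve --tokensmith-url=http://tokensmith:8080` spells the flag with a hyphen while the boot-service unit earlier in this series uses `--tokensmith_url=`; unless the two binaries genuinely differ, one of them will fail flag parsing at start, and with both images being local `:test` tags I cannot check which spelling is right, so please align them. The hunk also drops `Volume=cloud-init-data:/cloud-init:rw,Z` without a replacement, so anything the metadata service writes under /cloud-init is now lost when the container is recreated; if the new image keeps all state in SMD that is fine, but the commit message should say so. `Secret=metadata-service-bootstrap-token,type=env,...` exposes the token to every process in the container and to `podman inspect`; prefer `type=mount` if the binary can read it from a file.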
@@ -0,0 +1,30 @@ +[Unit] +Description=The bss container +PartOf=openchami.target + +# Ensure SMD has started already +Wants=smd.service tokensmith.service +After=smd.service tokensmith.service + +[Container] +ContainerName=boot-service +HostName=boot-service +Image=boot-service:test + +# Environment Variables +EnvironmentFile=/etc/openchami/configs/openchami.env + +# Secrets +Secret=boot-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN + +# Networks for the Container to use +Network=openchami-internal.network + +# Proxy settings +PodmanArgs=--http-proxy=false + +Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd + +[Service] +ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service +Restart=always diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container new file mode 100644 index 0000000..4031d45 --- /dev/null +++ b/systemd/containers/metadata-service.container @@ -0,0 +1,27 @@ +[Unit] +Description=The metadata-service container +Wants=smd.service +After=smd.service tokensmith.service +PartOf=openchami.target + +[Container] +ContainerName=metadata-service +HostName=metadata-service +Image=metadata-service:test + +Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN + +# Environment Variables +EnvironmentFile=/etc/openchami/configs/openchami.env + +Exec=serve --tokensmith-url=http://tokensmith:8080 + +# Networks for the Container to use +Network=openchami-internal.network + +# Proxy settings +PodmanArgs=--http-proxy=false + +[Service] +ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh metadata-service +Restart=always \ No newline at end of file From 3cd7c47951c43dacca157ddd60a5ba41960f2343 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:10:24 -0600 Subject: [PATCH 06/63] actually remove the .service files 
Signed-off-by: Travis Cotton --- systemd/containers/boot-service.service | 30 --------------------- systemd/containers/metadata-service.service | 27 ------------------- 2 files changed, 57 deletions(-) delete mode 100644 systemd/containers/boot-service.service delete mode 100644 systemd/containers/metadata-service.service diff --git a/systemd/containers/boot-service.service b/systemd/containers/boot-service.service deleted file mode 100644 index cc79678..0000000 --- a/systemd/containers/boot-service.service +++ /dev/null @@ -1,30 +0,0 @@ -[Unit] -Description=The bss container -PartOf=openchami.target - -# Ensure SMD has started already -Wants=smd.service tokensmith.service -After=smd.service tokensmith.service - -[Container] -ContainerName=boot-service -HostName=boot-service -Image=boot-service:test - -# Environment Variables -EnvironmentFile=/etc/openchami/configs/openchami.env - -# Secrets -Secret=boot-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN - -# Networks for the Container to use -Network=openchami-internal.network - -# Proxy settings -PodmanArgs=--http-proxy=false - -Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd - -[Service] -ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service -Restart=always diff --git a/systemd/containers/metadata-service.service b/systemd/containers/metadata-service.service deleted file mode 100644 index 4031d45..0000000 --- a/systemd/containers/metadata-service.service +++ /dev/null 
@@ -1,27 +0,0 @@ -[Unit] -Description=The metadata-service container -Wants=smd.service -After=smd.service tokensmith.service -PartOf=openchami.target - -[Container] -ContainerName=metadata-service -HostName=metadata-service -Image=metadata-service:test - -Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN - -# Environment Variables -EnvironmentFile=/etc/openchami/configs/openchami.env - -Exec=serve --tokensmith-url=http://tokensmith:8080 - -# Networks for the Container to use -Network=openchami-internal.network - -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh metadata-service -Restart=always \ No newline at end of file From 68808adb4849e4d88d837ec8398ef25fe2724cd3 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:13:21 -0600 Subject: [PATCH 07/63] update boot-service description Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index cc79678..84c4e96 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -1,5 +1,5 @@ [Unit] -Description=The bss container +Description=The boot-service container PartOf=openchami.target # Ensure SMD has started already From 932494f7cab403fef10d63314f103ad214911391 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:16:13 -0600 Subject: [PATCH 08/63] remove hydra dependency Signed-off-by: Travis Cotton --- systemd/containers/smd.container | 4 ---- 1 file changed, 4 deletions(-) diff --git a/systemd/containers/smd.container b/systemd/containers/smd.container index 7e73cba..7e63430 100644 --- a/systemd/containers/smd.container +++ b/systemd/containers/smd.container 
@@ -6,10 +6,6 @@ PartOf=openchami.target Requires=smd-init.service After=smd-init.service -# Don’t start until JWKS is ready: -Wants=hydra-gen-jwks.service -After=hydra-gen-jwks.service - [Container] ContainerName=smd HostName=smd From a073bd5c20aea09c430c2a7a5dbaf4de356fec5c Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:16:29 -0600 Subject: [PATCH 09/63] update SMD env vars Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index f216bec..ed858bd 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env @@ -20,7 +20,10 @@ SMD_DBPORT=5432 SMD_DBNAME=hmsds SMD_DBUSER=smd-user SMD_DBOPTS=sslmode=disable -SMD_JWKS_URL=http://opaal:3333/keys +SMD_JWKS_URL=http://tokensmith:8080/.well-known/jwks.json +SMD_AUTH_BACKEND=tokensmith +SMD_AUTH_ISSUER=https://tokensmith.openchami.dev +SMD_AUTH_AUDIENCES=smd # Environemnt Variables TOKENSMITH_ISSUER=https://tokensmith.openchami.dev From 44af32474f6b33eed3f4d4cb5c6891d778f2b384 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:17:54 -0600 Subject: [PATCH 10/63] update where tokesmith config file is mounted from Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index bfa2e0d..3ccc441 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -9,7 +9,7 @@ Image=ghcr.io/openchami/tokensmith:pr-19 EnvironmentFile=/etc/openchami/configs/openchami.env # Volumes -Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z +Volume=/etc/openchami/configs/tokensmith.json:/tokensmith/config.json:Z # Networks for the Container to use Network=openchami-internal.network 
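Review bot: `SMD_JWKS_URL=http://tokensmith:8080/.well-known/jwks.json` fetches the keys SMD uses to verify every incoming token over plaintext HTTP, so any container on `openchami-internal.network` that can answer to the name `tokensmith` could serve its own JWKS and mint tokens SMD accepts; the design is only as strong as that network's isolation and the env file should say so, e.g. `# JWKS fetched over plain HTTP; relies on openchami-internal.network being trusted`. `SMD_AUTH_ISSUER` must be byte-identical to `TOKENSMITH_ISSUER` a few lines below; they match now, but the duplication is easy to break and a mismatch rejects every token with no obvious cause, so tie the two together with a comment, or with a single variable if the consumer supports `${...}` expansion the way `URLS_LOGOUT` above assumes (I cannot confirm that from here). `SMD_AUTH_AUDIENCES=smd` pairs with `--tokensmith-target-service smd` in the boot-service unit; a comment noting that every new client must mint with that same target would save the next integrator a debugging session.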
From 9e0b71985be78ad6c1f10be6a58916d204a906fe Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:24:15 -0600 Subject: [PATCH 11/63] updated spec file to include tokensmith bootstrap script Signed-off-by: Travis Cotton --- openchami.spec | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/openchami.spec b/openchami.spec index 0f2fb87..be1b63c 100644 --- a/openchami.spec +++ b/openchami.spec 
@@ -36,23 +36,25 @@ mkdir -p %{buildroot}/etc/openchami/configs \ %{buildroot}/etc/profile.d \ %{buildroot}/usr/libexec/openchami -cp -r systemd/configs/* %{buildroot}/etc/openchami/configs/ -cp -r systemd/containers/* %{buildroot}/etc/containers/systemd/ -cp -r systemd/volumes/* %{buildroot}/etc/containers/systemd/ -cp -r systemd/networks/* %{buildroot}/etc/containers/systemd/ -cp -r systemd/targets/* %{buildroot}/etc/systemd/system/ -cp -r systemd/system/* %{buildroot}/etc/systemd/system/ -cp scripts/bootstrap_openchami.sh %{buildroot}/usr/libexec/openchami/ -cp scripts/openchami-certificate-update %{buildroot}/usr/bin/ -cp scripts/openchami_profile.sh %{buildroot}/etc/profile.d/openchami.sh -cp scripts/multi-psql-db.sh %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh -cp scripts/ohpc-nodes.sh %{buildroot}/usr/libexec/openchami/ +cp -r systemd/configs/* %{buildroot}/etc/openchami/configs/ +cp -r systemd/containers/* %{buildroot}/etc/containers/systemd/ +cp -r systemd/volumes/* %{buildroot}/etc/containers/systemd/ +cp -r systemd/networks/* %{buildroot}/etc/containers/systemd/ +cp -r systemd/targets/* %{buildroot}/etc/systemd/system/ +cp -r systemd/system/* %{buildroot}/etc/systemd/system/ +cp scripts/bootstrap_openchami.sh %{buildroot}/usr/libexec/openchami/ +cp scripts/openchami-certificate-update %{buildroot}/usr/bin/ +cp scripts/openchami_profile.sh %{buildroot}/etc/profile.d/openchami.sh +cp scripts/multi-psql-db.sh %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh +cp scripts/ohpc-nodes.sh %{buildroot}/usr/libexec/openchami/ +cp scripts/tokensmith_bootstrap_token.sh %{buildroot}/usr/sbin/ chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh chmod +x %{buildroot}/usr/bin/openchami-certificate-update chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh +chmod 0700 %{buildroot}/usr/sbin/tokensmith_bootstrap_token.sh 
chmod 600 %{buildroot}/etc/openchami/configs/openchami.env chmod 644 %{buildroot}/etc/openchami/configs/* From b6d70e54d8769aa6a6a7cbe34dd0d8d417b90b8b Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:25:59 -0600 Subject: [PATCH 12/63] update spec again and renamed script to remove .sh ending Signed-off-by: Travis Cotton --- openchami.spec | 4 ++-- ...kensmith_bootstrap_token.sh => tokensmith_bootstrap_token} | 0 2 files changed, 2 insertions(+), 2 deletions(-) rename scripts/{tokensmith_bootstrap_token.sh => tokensmith_bootstrap_token} (100%) diff --git a/openchami.spec b/openchami.spec index be1b63c..032ec73 100644 --- a/openchami.spec +++ b/openchami.spec @@ -47,14 +47,14 @@ cp scripts/openchami-certificate-update %{buildroot}/usr/bin/ cp scripts/openchami_profile.sh %{buildroot}/etc/profile.d/openchami.sh cp scripts/multi-psql-db.sh %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh cp scripts/ohpc-nodes.sh %{buildroot}/usr/libexec/openchami/ -cp scripts/tokensmith_bootstrap_token.sh %{buildroot}/usr/sbin/ +cp scripts/tokensmith_bootstrap_token %{buildroot}/usr/sbin/ chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh chmod +x %{buildroot}/usr/bin/openchami-certificate-update chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh -chmod 0700 %{buildroot}/usr/sbin/tokensmith_bootstrap_token.sh +chmod 0700 %{buildroot}/usr/sbin/tokensmith_bootstrap_token chmod 600 %{buildroot}/etc/openchami/configs/openchami.env chmod 644 %{buildroot}/etc/openchami/configs/* diff --git a/scripts/tokensmith_bootstrap_token.sh b/scripts/tokensmith_bootstrap_token similarity index 100% rename from scripts/tokensmith_bootstrap_token.sh rename to scripts/tokensmith_bootstrap_token From dfb6146ede44b6fd42e96e05402e97758d893ea6 Mon Sep 17 00:00:00 2001 
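Review bot: The new `chmod 0700 %{buildroot}/usr/sbin/tokensmith_bootstrap_token` is immediately followed by the existing pair `chmod 600 .../configs/openchami.env` then `chmod 644 .../configs/*`, and that glob re-applies 0644 to openchami.env, so the file holding database passwords and auth settings ships world-readable; run `chmod 644 %{buildroot}/etc/openchami/configs/*` first and `chmod 600 %{buildroot}/etc/openchami/configs/openchami.env` last. The script does not appear to be listed under `%files` in this commit, so rpmbuild will flag it as an installed-but-unpackaged file until a later change adds `/usr/sbin/tokensmith_bootstrap_token`. 0700 root-only is the right mode for something that mints credentials via `podman exec`; a one-line comment saying so, e.g. `# mints bootstrap tokens through podman exec; root only`, explains why it is tighter than the other scripts.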
From: Travis Cotton Date: Tue, 14 Apr 2026 08:28:50 -0600 Subject: [PATCH 13/63] update spec to hopefully fix rpm not building Signed-off-by: Travis Cotton --- openchami.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openchami.spec b/openchami.spec index 032ec73..fa8027f 100644 --- a/openchami.spec +++ b/openchami.spec @@ -33,6 +33,7 @@ mkdir -p %{buildroot}/etc/openchami/configs \ %{buildroot}/etc/containers/systemd \ %{buildroot}/etc/systemd/system \ %{buildroot}/usr/bin \ + %{buildroot}/usr/sbin \ %{buildroot}/etc/profile.d \ %{buildroot}/usr/libexec/openchami @@ -47,7 +48,7 @@ cp scripts/openchami-certificate-update %{buildroot}/usr/bin/ cp scripts/openchami_profile.sh %{buildroot}/etc/profile.d/openchami.sh cp scripts/multi-psql-db.sh %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh cp scripts/ohpc-nodes.sh %{buildroot}/usr/libexec/openchami/ -cp scripts/tokensmith_bootstrap_token %{buildroot}/usr/sbin/ +cp scripts/tokensmith_bootstrap_token %{buildroot}/usr/sbin/ chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh From aa62bcad5256c38d974554a4e735dd489aef5319 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:33:35 -0600 Subject: [PATCH 14/63] update spec yet again to add tokensmith_bootstrap_token to the config list Signed-off-by: Travis Cotton --- openchami.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/openchami.spec b/openchami.spec index fa8027f..dbf50c3 100644 --- a/openchami.spec +++ b/openchami.spec @@ -73,6 +73,7 @@ chmod 644 %{buildroot}/etc/openchami/configs/* /etc/profile.d/openchami.sh /etc/openchami/pg-init/multi-psql-db.sh /usr/bin/openchami-certificate-update +/usr/sbin/tokensmith_bootstrap_token %pre if [ -f /etc/containers/systemd/coresmd.container ]; then From 72b8fc7dc6035304c0168110e10666edcf5a8ab2 Mon Sep 17 00:00:00 2001 
From: Travis Cotton Date: Tue, 14 Apr 2026 08:41:59 -0600 Subject: [PATCH 15/63] update ExecStartPre to use renamed tokensmith bootstrap script Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index 84c4e96..b41bb43 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -26,5 +26,5 @@ PodmanArgs=--http-proxy=false Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd [Service] -ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service +ExecStartPre=/usr/sbin/tokensmith_bootstrap_token boot-service Restart=always From 2ef822497d35037e0f371fc2bf0edb031ced3db6 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:42:50 -0600 Subject: [PATCH 16/63] added boostrap secret to metadata-service Signed-off-by: Travis Cotton --- systemd/containers/metadata-service.container | 3 +++ 1 file changed, 3 insertions(+) diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 4031d45..342cabf 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -14,6 +14,9 @@ Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOK # Environment Variables EnvironmentFile=/etc/openchami/configs/openchami.env +# Secrets +Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN + Exec=serve --tokensmith-url=http://tokensmith:8080 # Networks for the Container to use From 8851776382fed2173f0b7ba0d860c0fbc5f93eb6 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:50:52 -0600 Subject: [PATCH 17/63] updated openchami.target with new services; removed old ones 
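Review bot: The added `Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN` duplicates a directive that already exists in the file: the hunk header context shows the identical `Secret=` line a few lines above `EnvironmentFile=`. `Secret=` is a list-type quadlet key, so both entries are handed to podman; whether podman accepts the same secret being injected twice under one env var is not visible here, and the second copy is redundant either way. If the goal is a tidy `# Secrets` block next to `EnvironmentFile=`, move the existing line instead of adding another.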
Signed-off-by: Travis Cotton --- systemd/targets/openchami.target | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/targets/openchami.target b/systemd/targets/openchami.target index 200ad60..202f481 100644 --- a/systemd/targets/openchami.target +++ b/systemd/targets/openchami.target @@ -1,5 +1,5 @@ [Unit] Description=Group of OpenCHAMI-related services -Requires=bss.service smd.service opaal.service cloud-init-server.service coresmd-coredhcp.service step-ca.service haproxy.service +Requires=boot-service.service smd.service tokensmith.service metadata-service.service coresmd-coredhcp.service step-ca.service haproxy.service Wants=coresmd-coredns.service -After=bss-init.service smd-init.service postgres.service coresmd-coredns.service +After=smd-init.service postgres.service coresmd-coredns.service From 300ee61854bf971f3396f192a5bc1f39afdf92ec Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Wed, 15 Apr 2026 06:47:05 -0600 Subject: [PATCH 18/63] updated tokensmith_bootstrap_token script to match updated tokensmith flags Signed-off-by: Travis Cotton --- scripts/tokensmith_bootstrap_token | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/scripts/tokensmith_bootstrap_token b/scripts/tokensmith_bootstrap_token index f9f8083..766e05e 100644 --- a/scripts/tokensmith_bootstrap_token +++ b/scripts/tokensmith_bootstrap_token 
@@ -1,14 +1,17 @@ #!/bin/bash CLIENT="${1}" -SERVICE="smd" +SERVICE="hsm" TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\ - /usr/local/bin/tokensmith mint-bootstrap-token \ - --key-file /tmp/tokensmith/keys/private.pem \ - --service-id ${CLIENT}-client \ - --target-service ${SERVICE} - ") + /usr/local/bin/tokensmith bootstrap-token create \ + --bootstrap-store /tmp/tokensmith/bootstrap \ + --subject \${CLIENT} \ + --audience \${SERVICE} \ + --scopes "read" \ + --output-format json | jq -r '.bootstrap_token' + ") + SECRET_NAME="${CLIENT}-bootstrap-token" printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm ${SECRET_NAME} 2>/dev/null || true printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create ${SECRET_NAME} - \ No newline at end of file From 59341ce02d0a90f518a6e889e7ef023f48ec4d6b Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Wed, 15 Apr 2026 11:59:09 -0600 Subject: [PATCH 19/63] use v0.4.0 for tokensmith Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index 3ccc441..aac4741 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -5,7 +5,7 @@ PartOf=openchami.target [Container] ContainerName=tokensmith HostName=tokensmith -Image=ghcr.io/openchami/tokensmith:pr-19 +Image=ghcr.io/openchami/tokensmith:v0.4.0 EnvironmentFile=/etc/openchami/configs/openchami.env # Volumes From e0e806d1ff63e423b90b2f71decdb74ca56cd2ca Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Wed, 15 Apr 2026 14:17:13 -0600 Subject: [PATCH 20/63] update tokensmith container Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
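Review bot: The bootstrap token is minted with `--audience \${SERVICE}` where `SERVICE="hsm"`, but boot-service runs with `--tokensmith-target-service smd` and SMD validates `SMD_AUTH_AUDIENCES=smd`; unless tokensmith derives the exchanged token's audience independently of the bootstrap audience, tokens exchanged from this bootstrap will be rejected by SMD, so the value should be checked against what SMD actually accepts. The `--scopes "read"` fragment sits inside the double-quoted `sh -c` string, so its quotes close and reopen the outer string and the command only survives because the pieces concatenate; a single-quoted heredoc, or passing the argv straight to `podman exec` without `sh -c`, would be far less fragile. `-e CLIENT=$CLIENT` is also unquoted on the host side, so a `$1` containing whitespace splits into extra `podman exec` arguments; use `-e "CLIENT=$CLIENT"`.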
diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index aac4741..8af4ee0 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -6,10 +6,14 @@ PartOf=openchami.target ContainerName=tokensmith HostName=tokensmith Image=ghcr.io/openchami/tokensmith:v0.4.0 + EnvironmentFile=/etc/openchami/configs/openchami.env +Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint + # Volumes -Volume=/etc/openchami/configs/tokensmith.json:/tokensmith/config.json:Z +Volume=/etc/openchami/tokensmith/config.json:/tokensmith/config.json:Z + # Networks for the Container to use Network=openchami-internal.network @@ -21,6 +25,4 @@ PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254' PodmanArgs=--http-proxy=false [Service] -Restart=always -# Run commands after container starts -ExecStartPost=sleep 10s \ No newline at end of file +Restart=always \ No newline at end of file From 2c829883aed6be31814d10de95d3a3297519d95b Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 06:29:29 -0600 Subject: [PATCH 21/63] update bootstrap_token to read the container env for token directory Signed-off-by: Travis Cotton --- scripts/tokensmith_bootstrap_token | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/tokensmith_bootstrap_token b/scripts/tokensmith_bootstrap_token index 766e05e..9127168 100644 --- a/scripts/tokensmith_bootstrap_token +++ b/scripts/tokensmith_bootstrap_token 
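Review bot: The new `Exec=` passes `--rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE"` and `--rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE"`, but neither variable is defined in openchami.env at this point in the series, so both flags are passed as empty strings and the bootstrap script's hard-coded `--bootstrap-store /tmp/tokensmith/bootstrap` will only match if the server happens to default to that path. `--key-dir="$TOKENSMITH_KEY_DIR"` still resolves to `/tmp/tokensmith/keys` with no volume behind it, so the signing key is regenerated on every container recreate and every previously issued token, including the bootstrap tokens stored in podman secrets, is invalidated. `--enable-local-user-mint` by its name appears to enable minting user tokens without going through the OIDC provider; a comment above `Exec=` stating what it enables and why it is acceptable here would help, e.g. `# --enable-local-user-mint: local minting path; keep tokensmith off the public frontend while this is on`.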
@@ -5,7 +5,7 @@ SERVICE="hsm" TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\ /usr/local/bin/tokensmith bootstrap-token create \ - --bootstrap-store /tmp/tokensmith/bootstrap \ + --bootstrap-store \${TOKENSMITH_RFC8693_BOOTSTRAP_STORE} \ --subject \${CLIENT} \ --audience \${SERVICE} \ --scopes "read" \ From 91e65461a26933a8deb427ebf02e8b421955e10a Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 06:29:56 -0600 Subject: [PATCH 22/63] make boot-service require tokensmith Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 1 + 1 file changed, 1 insertion(+) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index b41bb43..3d14be6 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -5,6 +5,7 @@ PartOf=openchami.target # Ensure SMD has started already Wants=smd.service tokensmith.service After=smd.service tokensmith.service +Requires=tokensmith.service [Container] ContainerName=boot-service From 37c44c0f6b4b8aa05a92ff59590b26e3e08df1ff Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 06:30:21 -0600 Subject: [PATCH 23/63] add persistent volume for tokensmith data Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 2 +- systemd/containers/tokensmith.container | 3 ++- systemd/volumes/tokensmith.volume | 5 +++++ 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 systemd/volumes/tokensmith.volume diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index ed858bd..7a7c7f3 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env 
@@ -29,7 +29,7 @@ SMD_AUTH_AUDIENCES=smd TOKENSMITH_ISSUER=https://tokensmith.openchami.dev TOKENSMITH_CLUSTER_ID=demo-cluster TOKENSMITH_OPENCHAMI_ID=demo-openchami -TOKENSMITH_CONFIG=/tokensmith/config.json +TOKENSMITH_CONFIG=/etc/tokensmith/config.json TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys TOKENSMITH_OIDC_PROVIDER=http://hydra:4444 TOKENSMITH_PORT=8080 diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index 8af4ee0..df5a5d0 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -12,7 +12,8 @@ EnvironmentFile=/etc/openchami/configs/openchami.env Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint # Volumes -Volume=/etc/openchami/tokensmith/config.json:/tokensmith/config.json:Z +Volume=tokensmith-data:/tokensmith:Z +Volume=/etc/openchami/tokensmith/config.json:/etc/tokensmith/config.json:Z # Networks for the Container to use diff --git a/systemd/volumes/tokensmith.volume b/systemd/volumes/tokensmith.volume new file mode 100644 index 0000000..e6fcde5 --- /dev/null +++ b/systemd/volumes/tokensmith.volume @@ -0,0 +1,5 @@ +[Unit] +Description=tokensmith Volume + +[Volume] +VolumeName=tokensmith-data \ No newline at end of file From d4415814efa934cbe65bcc26b84cf13c4da60644 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 08:04:01 -0600 Subject: [PATCH 24/63] updated tokensmith Exec, boot-service exec, some dependencies 
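Review bot: `Volume=tokensmith-data:/tokensmith:Z` adds persistence, but `TOKENSMITH_KEY_DIR` in the same commit is still `/tmp/tokensmith/keys`, which is outside the mount, so the signing key stays ephemeral and only the config path moved; set the key dir and the RFC 8693 stores to paths under `/tokensmith/` so they actually land on the volume. The config file is mounted read-write although the server has no reason to rewrite its own group-to-scope policy; `Volume=/etc/openchami/tokensmith/config.json:/etc/tokensmith/config.json:ro,Z` keeps a compromised tokensmith process from editing `groupScopes` on the host. The volume name matches the new tokensmith.volume unit, which is correct.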
Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 17 +++++++++-------- systemd/containers/smd.container | 2 +- systemd/containers/tokensmith.container | 5 ++--- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index 3d14be6..d930b00 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -1,20 +1,21 @@ [Unit] -Description=The boot-service container +Description=The bss container PartOf=openchami.target # Ensure SMD has started already -Wants=smd.service tokensmith.service -After=smd.service tokensmith.service -Requires=tokensmith.service +Wants=tokensmith.service smd.service +After=tokensmith.service smd.service [Container] ContainerName=boot-service HostName=boot-service -Image=boot-service:test +Image=ghcr.io/openchami/boot-service:v0.1.1 # Environment Variables EnvironmentFile=/etc/openchami/configs/openchami.env +#Volume=/etc/openchami/configs/boot-service.yaml:/etc/boot-service/config.yaml:ro,Z + # Secrets Secret=boot-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN @@ -24,8 +25,8 @@ Network=openchami-internal.network # Proxy settings PodmanArgs=--http-proxy=false -Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd +Exec=serve --enable-legacy-api=false --enable-auth=true --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd --port 8081 [Service] -ExecStartPre=/usr/sbin/tokensmith_bootstrap_token boot-service -Restart=always +ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service +Restart=always \ No newline at end of file diff --git a/systemd/containers/smd.container b/systemd/containers/smd.container index 7e63430..660488e 100644 --- a/systemd/containers/smd.container +++ b/systemd/containers/smd.container 
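Review bot: `ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service` reverts to a path the spec does not install (the package puts the script at `/usr/sbin/tokensmith_bootstrap_token`), so boot-service fails at ExecStartPre on any packaged host; keep `ExecStartPre=/usr/sbin/tokensmith_bootstrap_token boot-service`. The hunk also drops the `Requires=tokensmith.service` added one commit earlier, leaving only `Wants=`, so boot-service can be started with `--enable-auth=true` while the issuer it mints its bootstrap token from is down, and the `podman exec tokensmith` in ExecStartPre will then fail anyway. The commented `#Volume=.../boot-service.yaml` line should be removed or carry a note explaining why it is parked.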
@@ -9,7 +9,7 @@ After=smd-init.service [Container] ContainerName=smd HostName=smd -Image=ghcr.io/openchami/smd:v2.19.3 +Image=ghcr.io/openchami/smd:v2.20.0 # Environment Variables EnvironmentFile=/etc/openchami/configs/openchami.env diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index df5a5d0..b5a26df 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -6,14 +6,13 @@ PartOf=openchami.target ContainerName=tokensmith HostName=tokensmith Image=ghcr.io/openchami/tokensmith:v0.4.0 - +#Image=tokensmith:test EnvironmentFile=/etc/openchami/configs/openchami.env Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint # Volumes -Volume=tokensmith-data:/tokensmith:Z -Volume=/etc/openchami/tokensmith/config.json:/etc/tokensmith/config.json:Z +Volume=/etc/openchami/tokensmith/config.json:/tokensmith/config.json:Z # Networks for the Container to use From 0eaa23fe342e0b11812d569c4ba601f3c63ba7df Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 08:37:58 -0600 Subject: [PATCH 25/63] remove opaal stuff from bootstrap_openchami.sh Signed-off-by: Travis Cotton --- scripts/bootstrap_openchami.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/bootstrap_openchami.sh b/scripts/bootstrap_openchami.sh index 4a854f6..7a45c62 100644 --- a/scripts/bootstrap_openchami.sh +++ b/scripts/bootstrap_openchami.sh 
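Review bot: Removing `Volume=tokensmith-data:/tokensmith:Z` undoes the persistence added in the previous commit, so the key dir, bootstrap store and refresh store live in the container's writable layer again and vanish on every recreate; each restart then rotates the signing key and invalidates bootstrap tokens already stored as podman secrets, which breaks boot-service and metadata-service rather than just losing data. If the volume was dropped to work around a mount error, the later shape (`Volume=tokensmith-data:/tokensmith/data:Z,U` with the env paths under `/tokensmith/data`) is the one to keep. `#Image=tokensmith:test` is leftover debugging and should not ship in the unit.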
@@ -46,7 +46,6 @@ acme_correction() { sed -i "s/^ContainerName=.*/ContainerName=${system_fqdn}/" /etc/containers/systemd/acme-register.container sed -i "s/^HostName=.*/HostName=${system_fqdn}/" /etc/containers/systemd/acme-register.container sed -i "s|-d .* \\\\|-d ${system_fqdn} \\\\|" /etc/containers/systemd/acme-register.container - sed -i "s|--add-host='demo\.openchami\.cluster:[0-9\.]*'|--add-host='${system_fqdn}:${primary_ip}'|" /etc/containers/systemd/opaal.container } # Check and create secrets with random passwords if needed From 4f988fe5dd913ab2dc814123d19694d8d2abbff8 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 08:42:29 -0600 Subject: [PATCH 26/63] update tokensmith container to mount the correct config file path Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index b5a26df..96776ba 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -12,7 +12,7 @@ EnvironmentFile=/etc/openchami/configs/openchami.env Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint # Volumes -Volume=/etc/openchami/tokensmith/config.json:/tokensmith/config.json:Z +Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z # Networks for the Container to use From 1a4b9b8c06be4c21545540a031013db2a4309a70 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 08:46:41 -0600 Subject: [PATCH 27/63] update tokensmith container to mount the correct config file path for real this time 
Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index 96776ba..eaa9fc7 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -12,7 +12,7 @@ EnvironmentFile=/etc/openchami/configs/openchami.env Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint # Volumes -Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z +Volume=/etc/openchami/configs/tokensmith.json:/tokensmith/config.json:Z # Networks for the Container to use From 7076d10d8df580c9ddfabf04b5f34babd999d214 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 08:49:36 -0600 Subject: [PATCH 28/63] =?UTF-8?q?ok=20now=20set=20the=20correct=20path=20f?= =?UTF-8?q?or=20mounting=20inside=20the=20tokensmith=20container=20?= =?UTF-8?q?=F0=9F=98=94?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index eaa9fc7..ca30c91 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container 
@@ -12,7 +12,7 @@ EnvironmentFile=/etc/openchami/configs/openchami.env Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint # Volumes -Volume=/etc/openchami/configs/tokensmith.json:/tokensmith/config.json:Z +Volume=/etc/openchami/configs/tokensmith.json:/etc/tokensmith/config.json:Z # Networks for the Container to use From 968c3ff5b7ae3f9f9e59eb722134d8751cc7501c Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 09:26:21 -0600 Subject: [PATCH 29/63] try to fix volume mount BS Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 4 +++- systemd/containers/tokensmith.container | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index 7a7c7f3..3516508 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env @@ -30,7 +30,9 @@ TOKENSMITH_ISSUER=https://tokensmith.openchami.dev TOKENSMITH_CLUSTER_ID=demo-cluster TOKENSMITH_OPENCHAMI_ID=demo-openchami TOKENSMITH_CONFIG=/etc/tokensmith/config.json -TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys +TOKENSMITH_KEY_DIR=/tokensmith/data/keys +TOKENSMITH_RFC8693_BOOTSTRAP_STORE=/tokensmith/data/bootstrap +TOKENSMITH_RFC8693_REFRESH_STORE=/tokensmith/data/refresh TOKENSMITH_OIDC_PROVIDER=http://hydra:4444 TOKENSMITH_PORT=8080 diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index ca30c91..572e6bc 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container 
@@ -13,7 +13,7 @@ Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUE # Volumes Volume=/etc/openchami/configs/tokensmith.json:/etc/tokensmith/config.json:Z - +Volume=tokensmith-data:/tokensmith/data:Z,U # Networks for the Container to use Network=openchami-internal.network From 23dad020f0ec4020225028a1c1669839db530b69 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 13:18:11 -0600 Subject: [PATCH 30/63] use correct path for tokensmith bootstrap script in boot-service and metadata-service Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 2 +- systemd/containers/metadata-service.container | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index d930b00..32beebf 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -28,5 +28,5 @@ PodmanArgs=--http-proxy=false Exec=serve --enable-legacy-api=false --enable-auth=true --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd --port 8081 [Service] -ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service +ExecStartPre=/usr/sbin/tokensmith_bootstrap_token boot-service Restart=always \ No newline at end of file diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 342cabf..15b3aef 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -26,5 +26,5 @@ Network=openchami-internal.network PodmanArgs=--http-proxy=false [Service] -ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh metadata-service +ExecStartPre=/usr/sbin/tokensmith_bootstrap_token metadata-service Restart=always \ No newline at end of file From 0edff232274f474be6863a94e8eba1e588f339c4 Mon Sep 17 00:00:00 2001 
From: Travis Cotton Date: Thu, 16 Apr 2026 13:25:22 -0600 Subject: [PATCH 31/63] use pr-7 for metadata Signed-off-by: Travis Cotton --- systemd/containers/metadata-service.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 15b3aef..bbf01d3 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -7,7 +7,7 @@ PartOf=openchami.target [Container] ContainerName=metadata-service HostName=metadata-service -Image=metadata-service:test +Image=ghcr.io/openchami/metadata-service:pr-7 Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN From 0b3bad13fd796e6fe3cc91de908c56c7d565db93 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 13:47:51 -0600 Subject: [PATCH 32/63] update haproxy config Signed-off-by: Travis Cotton --- systemd/configs/haproxy.cfg | 71 +++++++++++++++++++++++-------------- 1 file changed, 45 insertions(+), 26 deletions(-) diff --git a/systemd/configs/haproxy.cfg b/systemd/configs/haproxy.cfg index a1b683e..7a1d8de 100644 --- a/systemd/configs/haproxy.cfg +++ b/systemd/configs/haproxy.cfg 
@@ -25,48 +25,67 @@ frontend openchami acl PATH_smd path_beg -i /hsm/v2 - acl PATH_bss path_beg -i /boot/v1 - acl PATH_bss path_beg -i /apis/bss/ + # acl PATH_bss path_beg -i /boot/v1 + # acl PATH_bss path_beg -i /apis/bss/ - acl PATH_opaal path_beg -i /token - acl PATH_opaal path_beg -i /login - acl PATH_opaal path_beg -i /oidc/callback +# acl PATH_opaal path_beg -i /token +# acl PATH_opaal path_beg -i /login +# acl PATH_opaal path_beg -i /oidc/callback - acl PATH_opaal-idp path_beg -i /.well-known/openid-configuration - acl PATH_opaal-idp path_beg -i /.well-known/jwks.json - acl PATH_opaal-idp path_beg -i /browser/login - acl PATH_opaal-idp path_beg -i /api/login - acl PATH_opaal-idp path_beg -i /oauth2/authorize - acl PATH_opaal-idp path_beg -i /oauth2/token +# acl PATH_opaal-idp path_beg -i /.well-known/openid-configuration +# acl PATH_opaal-idp path_beg -i /.well-known/jwks.json +# acl PATH_opaal-idp path_beg -i /browser/login +# acl PATH_opaal-idp path_beg -i /api/login +# acl PATH_opaal-idp path_beg -i /oauth2/authorize +# acl PATH_opaal-idp path_beg -i /oauth2/token - acl PATH_cloud-init path_beg -i /cloud-init +# acl PATH_cloud-init path_beg -i /cloud-init acl PATH_configurator path_beg -i /generate acl PATH_configurator path_beg -i /configurator - use_backend opaal if PATH_opaal - use_backend opaal-idp if PATH_opaal-idp + # add new services + acl PATH_boot-service path_beg -i /boot-service + acl PATH_metadata-service path_beg -i /metadata + acl PATH_tokensmith path_beg -i /tokensmith + +# use_backend opaal if PATH_opaal +# use_backend opaal-idp if PATH_opaal-idp use_backend smd if PATH_smd - use_backend bss if PATH_bss - use_backend cloud-init if PATH_cloud-init +# use_backend bss if PATH_bss +# use_backend cloud-init if PATH_cloud-init use_backend configurator if PATH_configurator -backend opaal - server opaal opaal:3333 + use_backend boot-service if PATH_boot-service + use_backend metadata-service if PATH_metadata-service + use_backend tokensmith if 
PATH_tokensmith + +# backend opaal +# server opaal opaal:3333 -backend opaal-idp - server opaal-idp opaal-idp:3332 +# backend opaal-idp +# server opaal-idp opaal-idp:3332 backend smd server smd smd:27779 -backend bss - server bss bss:27778 - http-request replace-path ^/apis/bss/(.*) /\1 +# backend bss +# server bss bss:27778 +# http-request replace-path ^/apis/bss/(.*) /\1 -backend cloud-init - server cloud-init-server cloud-init-server:27777 - http-request replace-path ^/cloud-init(/.*) \1 +# backend cloud-init +# server cloud-init-server cloud-init-server:27777 +# http-request replace-path ^/cloud-init(/.*) \1 backend configurator server configurator configurator:3334 init-addr none + +backend boot-service + server boot-service boot-service:8080 +# http-request replace-path ^/boot(/.*) \1 + +backend metadata-service + server metadata-service metadata-service:8888 + +backend tokensmith + server tokensmith tokensmith:8080 \ No newline at end of file From 51314c9e436cdb9abb85443ea884b7276ea5cb66 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 13:56:14 -0600 Subject: [PATCH 33/63] haproxy.cfg needs a newline at the end of the file? removed commented out lines too Signed-off-by: Travis Cotton --- systemd/configs/haproxy.cfg | 38 ++----------------------------------- 1 file changed, 2 insertions(+), 36 deletions(-) diff --git a/systemd/configs/haproxy.cfg b/systemd/configs/haproxy.cfg index 7a1d8de..9b37d4c 100644 --- a/systemd/configs/haproxy.cfg +++ b/systemd/configs/haproxy.cfg 
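Review bot: `use_backend tokensmith if PATH_tokensmith` routes the whole `/tokensmith` prefix from the public frontend to the issuer, which is also started with `--enable-local-user-mint` and its bootstrap/refresh stores; unless tokensmith authenticates every one of those routes, this makes token minting reachable by anything that can reach HAProxy. Narrow the ACL to what external clients need once the paths are known (JWKS discovery and token exchange), e.g. `acl PATH_tokensmith path_beg -i /tokensmith/.well-known/`, and keep the rest on the internal network only. None of the new backends strips its prefix, unlike the removed `replace-path` rules, so `/tokensmith/...`, `/boot-service/...` and `/metadata/...` reach the services verbatim; confirm each serves under that prefix or restore an `http-request replace-path` per backend. `backend boot-service` also targets `boot-service:8080` while the unit starts the service with `--port 8081`.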
@@ -25,22 +25,6 @@ frontend openchami acl PATH_smd path_beg -i /hsm/v2 - # acl PATH_bss path_beg -i /boot/v1 - # acl PATH_bss path_beg -i /apis/bss/ - -# acl PATH_opaal path_beg -i /token -# acl PATH_opaal path_beg -i /login -# acl PATH_opaal path_beg -i /oidc/callback - -# acl PATH_opaal-idp path_beg -i /.well-known/openid-configuration -# acl PATH_opaal-idp path_beg -i /.well-known/jwks.json -# acl PATH_opaal-idp path_beg -i /browser/login -# acl PATH_opaal-idp path_beg -i /api/login -# acl PATH_opaal-idp path_beg -i /oauth2/authorize -# acl PATH_opaal-idp path_beg -i /oauth2/token - -# acl PATH_cloud-init path_beg -i /cloud-init - acl PATH_configurator path_beg -i /generate acl PATH_configurator path_beg -i /configurator @@ -49,43 +33,25 @@ frontend openchami acl PATH_metadata-service path_beg -i /metadata acl PATH_tokensmith path_beg -i /tokensmith -# use_backend opaal if PATH_opaal -# use_backend opaal-idp if PATH_opaal-idp use_backend smd if PATH_smd -# use_backend bss if PATH_bss -# use_backend cloud-init if PATH_cloud-init + use_backend configurator if PATH_configurator use_backend boot-service if PATH_boot-service use_backend metadata-service if PATH_metadata-service use_backend tokensmith if PATH_tokensmith -# backend opaal -# server opaal opaal:3333 - -# backend opaal-idp -# server opaal-idp opaal-idp:3332 - backend smd server smd smd:27779 -# backend bss -# server bss bss:27778 -# http-request replace-path ^/apis/bss/(.*) /\1 - -# backend cloud-init -# server cloud-init-server cloud-init-server:27777 -# http-request replace-path ^/cloud-init(/.*) \1 - backend configurator server configurator configurator:3334 init-addr none backend boot-service server boot-service boot-service:8080 -# http-request replace-path ^/boot(/.*) \1 backend metadata-service server metadata-service metadata-service:8888 backend tokensmith - server tokensmith tokensmith:8080 \ No newline at end of file + server tokensmith tokensmith:8080 
From d0666f6e722c7241c9fb7394f98cf3f6ef9e587f Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Mon, 20 Apr 2026 06:48:46 -0600 Subject: [PATCH 34/63] work on making bootstrap token scrit better Signed-off-by: Travis Cotton --- scripts/tokensmith_bootstrap_token | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/scripts/tokensmith_bootstrap_token b/scripts/tokensmith_bootstrap_token index 9127168..7ca967c 100644 --- a/scripts/tokensmith_bootstrap_token +++ b/scripts/tokensmith_bootstrap_token @@ -3,6 +3,13 @@ CLIENT="${1}" SERVICE="hsm" +if [[ -z "$CLIENT" ]] +then + echo "Empty client" + exit 1 +fi + +echo "Generating bootstrap token for service client ${CLIENT}" TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\ /usr/local/bin/tokensmith bootstrap-token create \ --bootstrap-store \${TOKENSMITH_RFC8693_BOOTSTRAP_STORE} \ @@ -13,5 +20,6 @@ TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT t ") SECRET_NAME="${CLIENT}-bootstrap-token" -printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm ${SECRET_NAME} 2>/dev/null || true +echo "Creating secret ${CLIENT}-bootstrap-token" +printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm -i ${SECRET_NAME} 2>/dev/null || true printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create ${SECRET_NAME} - \ No newline at end of file From 81bc22cdfcc59a8253145e155ec3a93632adf5e0 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Mon, 20 Apr 2026 06:49:16 -0600 Subject: [PATCH 35/63] minor updates to container files Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 4 ++-- systemd/containers/smd.container | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index 32beebf..206eb3d 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container 
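Review bot: In the second hunk the existing `${SECRET_NAME}` secret is removed before anything checks that `TOKENSMITH_BOOTSTRAP_TOKEN` actually holds a token, so a failed `podman exec` (for example while the tokensmith container is still starting) deletes the working secret and then `podman secret create` stores an empty string, leaving the client service without a usable credential. Guard on the minted value first: `if [[ -z "$TOKENSMITH_BOOTSTRAP_TOKEN" ]]; then echo "Failed to mint bootstrap token for ${CLIENT}" >&2; exit 1; fi`. The `printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" |` in front of `podman secret rm -i` is unused, since `rm` reads nothing from stdin, so that line can be reduced to `podman secret rm -i "${SECRET_NAME}" 2>/dev/null || true`. Quoting `"${SECRET_NAME}"` here and `"$CLIENT"` in the `podman exec -e` arguments (context line of the first hunk) would keep an argument containing whitespace from being split.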
@@ -1,8 +1,8 @@ [Unit] -Description=The bss container +Description=The boot-service container PartOf=openchami.target -# Ensure SMD has started already +# Ensure dependent services have started Wants=tokensmith.service smd.service After=tokensmith.service smd.service diff --git a/systemd/containers/smd.container b/systemd/containers/smd.container index 660488e..01b08f5 100644 --- a/systemd/containers/smd.container +++ b/systemd/containers/smd.container @@ -4,7 +4,7 @@ PartOf=openchami.target # Don’t start until its init has run (and propagate failures): Requires=smd-init.service -After=smd-init.service +After=smd-init.service tokensmith.service [Container] ContainerName=smd From 79b08c59747e1b4aa2c97a53fb602c99eeec2c43 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Mon, 20 Apr 2026 08:06:11 -0600 Subject: [PATCH 36/63] update haproxy.cfg Signed-off-by: Travis Cotton --- systemd/configs/haproxy.cfg | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/systemd/configs/haproxy.cfg b/systemd/configs/haproxy.cfg index 9b37d4c..cc72700 100644 --- a/systemd/configs/haproxy.cfg +++ b/systemd/configs/haproxy.cfg 
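Review bot: In the smd.container hunk, `After=smd-init.service tokensmith.service` adds ordering only; without a matching `Wants=`/`Requires=` on `tokensmith.service`, starting `smd.service` by itself does not pull tokensmith in, and the ordering is ignored whenever tokensmith is not activated by something else. If smd needs tokensmith at startup, add `Wants=tokensmith.service` next to the existing `Requires=smd-init.service`. The comment directly above, `# Don’t start until its init has run (and propagate failures):`, now sits over a line that also orders on tokensmith, so it should mention that, e.g. `# Don’t start until init has run (failures propagate) and tokensmith is up (ordering only)`. The boot-service.container hunk in this commit is a description/comment rename only.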
@@ -23,20 +23,14 @@ frontend openchami bind :443 ssl crt /etc/haproxy/certs/ strict-sni option forwardfor - acl PATH_smd path_beg -i /hsm/v2 - - acl PATH_configurator path_beg -i /generate - acl PATH_configurator path_beg -i /configurator - - # add new services - acl PATH_boot-service path_beg -i /boot-service - acl PATH_metadata-service path_beg -i /metadata - acl PATH_tokensmith path_beg -i /tokensmith + acl PATH_smd path_beg -i /hsm/v2 + acl PATH_configurator path_beg -i /configurator /generate + acl PATH_boot-service path_beg -i /boot-service/ + acl PATH_metadata-service path_beg -i /metadata/ + acl PATH_tokensmith path_beg -i /tokensmith/ use_backend smd if PATH_smd - use_backend configurator if PATH_configurator - use_backend boot-service if PATH_boot-service use_backend metadata-service if PATH_metadata-service use_backend tokensmith if PATH_tokensmith @@ -48,10 +42,13 @@ backend configurator server configurator configurator:3334 init-addr none backend boot-service - server boot-service boot-service:8080 + http-request set-path %[path,regsub(^/boot-service/,/)] + server boot-service boot-service:8081 backend metadata-service + http-request set-path %[path,regsub(^/metadata/,/)] server metadata-service metadata-service:8888 backend tokensmith + http-request set-path %[path,regsub(^/tokensmith/,/)] server tokensmith tokensmith:8080 From 71da3e3e9ec1c29604dec8b1b617d7a4f987b7e9 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Mon, 20 Apr 2026 08:06:45 -0600 Subject: [PATCH 37/63] update openchami.target Signed-off-by: Travis Cotton --- systemd/targets/openchami.target | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/systemd/targets/openchami.target b/systemd/targets/openchami.target index 202f481..b904c1a 100644 --- a/systemd/targets/openchami.target +++ b/systemd/targets/openchami.target 
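Review bot: The first hunk deletes `use_backend configurator if PATH_configurator` and `use_backend boot-service if PATH_boot-service` while keeping both ACLs (`acl PATH_configurator path_beg -i /configurator /generate`, `acl PATH_boot-service path_beg -i /boot-service/`) and both backends (the second hunk even rewrites `backend boot-service` to strip the prefix and use port 8081), so requests for `/boot-service/` and `/configurator` are no longer routed there and fall through to whatever default the frontend defines outside this hunk. The commit message does not say this is intended, so it reads as an accidental deletion; restoring the two lines after `use_backend smd if PATH_smd` fixes it. Separately, `path_beg -i /boot-service/` with the trailing slash no longer matches a bare `/boot-service` request, which differs from the previous rule and deserves a one-line comment if intentional.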
@@ -1,5 +1,4 @@ [Unit] Description=Group of OpenCHAMI-related services -Requires=boot-service.service smd.service tokensmith.service metadata-service.service coresmd-coredhcp.service step-ca.service haproxy.service -Wants=coresmd-coredns.service +Wants=coresmd-coredns.service boot-service.service smd.service tokensmith.service metadata-service.service coresmd-coredhcp.service step-ca.service haproxy.service After=smd-init.service postgres.service coresmd-coredns.service From b7a00b7525d9e4f0fe08cfab1535081f4e6eab93 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Mon, 20 Apr 2026 08:15:48 -0600 Subject: [PATCH 38/63] updated haproxy.cfg, removed more references to opaal Signed-off-by: Travis Cotton --- systemd/configs/haproxy.cfg | 4 ++-- systemd/configs/openchami.env | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/systemd/configs/haproxy.cfg b/systemd/configs/haproxy.cfg index cc72700..8fdd4d6 100644 --- a/systemd/configs/haproxy.cfg +++ b/systemd/configs/haproxy.cfg @@ -26,7 +26,7 @@ frontend openchami acl PATH_smd path_beg -i /hsm/v2 acl PATH_configurator path_beg -i /configurator /generate acl PATH_boot-service path_beg -i /boot-service/ - acl PATH_metadata-service path_beg -i /metadata/ + acl PATH_metadata-service path_beg -i /metadata-service/ acl PATH_tokensmith path_beg -i /tokensmith/ use_backend smd if PATH_smd @@ -46,7 +46,7 @@ backend boot-service server boot-service boot-service:8081 backend metadata-service - http-request set-path %[path,regsub(^/metadata/,/)] + http-request set-path %[path,regsub(^/metadata-service/,/)] server metadata-service metadata-service:8888 backend tokensmith diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index 3516508..2134675 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env 
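Review bot: Moving every service from `Requires=` to `Wants=` changes failure semantics, not only pull-in: with `Wants=`, `openchami.target` reaches and stays `active` even when `smd.service`, `tokensmith.service` or `haproxy.service` fail to start, so the target's status no longer reflects whether the stack is usable. If the goal is to keep one failing unit from deactivating the whole target that is a reasonable trade-off, but it should be recorded above the line, e.g. `# Wants= rather than Requires= so a single failing service does not take the target down; check each service's own status`. Alternatively keep `Requires=` for the units without which the deployment is unusable and `Wants=` for the optional ones.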
@@ -46,7 +46,6 @@ DOCKER_STEPCA_INIT_PROVISIONER_NAME="Admin" DOCKER_STEPCA_INIT_PROVISIONER_PASSWORD="provisionerpassword" # Environemnt Variables -OPAAL_URL=http://opaal:3333 HSM_URL=http://smd:27779 ANSIBLE_HOST_KEY_CHECKING=False From f83176ed7ad7cb33a3adfb980018a1b65fe49691 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Mon, 20 Apr 2026 08:16:11 -0600 Subject: [PATCH 39/63] update some quadlet dependencies Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 4 ++-- systemd/containers/metadata-service.container | 3 ++- systemd/containers/smd.container | 1 + 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index 206eb3d..7c10cd8 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -3,8 +3,8 @@ Description=The boot-service container PartOf=openchami.target # Ensure dependent services have started -Wants=tokensmith.service smd.service -After=tokensmith.service smd.service +Wants=smd.service +After=smd.service [Container] ContainerName=boot-service diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index bbf01d3..7497eab 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -1,7 +1,8 @@ [Unit] Description=The metadata-service container +# Depends on SMD Wants=smd.service -After=smd.service tokensmith.service +After=smd.service PartOf=openchami.target [Container] diff --git a/systemd/containers/smd.container b/systemd/containers/smd.container index 01b08f5..3eafcdf 100644 --- a/systemd/containers/smd.container +++ b/systemd/containers/smd.container 
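Review bot: The boot-service.container and metadata-service.container hunks remove `tokensmith.service` from `Wants=`/`After=`, which is fine only because the same commit orders `smd.service` after tokensmith; the two containers now reach tokensmith ordering transitively through `After=smd.service`. That is not obvious from the unit files themselves, so the new `# Depends on SMD` comment in metadata-service.container (and the `# Ensure dependent services have started` comment in boot-service.container) should say so, e.g. `# Depends on SMD; ordering after tokensmith is inherited via smd.service`. If smd ever drops its tokensmith ordering, both units silently lose it as well.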
@@ -5,6 +5,7 @@ PartOf=openchami.target # Don’t start until its init has run (and propagate failures): Requires=smd-init.service After=smd-init.service tokensmith.service +Wants=smd-init.service tokensmith.service [Container] ContainerName=smd From 155e6b53dd63f6ded457943b353dd75d77b1d2d2 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 07:28:50 -0600 Subject: [PATCH 40/63] change target service from hsm to smd Signed-off-by: Travis Cotton --- scripts/tokensmith_bootstrap_token | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/tokensmith_bootstrap_token b/scripts/tokensmith_bootstrap_token index 7ca967c..9d4bca9 100644 --- a/scripts/tokensmith_bootstrap_token +++ b/scripts/tokensmith_bootstrap_token @@ -1,7 +1,7 @@ #!/bin/bash CLIENT="${1}" -SERVICE="hsm" +SERVICE="smd" if [[ -z "$CLIENT" ]] then From 4d70f654cebbb4afa64f01ece8d38414a5021a32 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 07:29:10 -0600 Subject: [PATCH 41/63] update boot-service container to use v0.1.5 Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index 7c10cd8..3c88578 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -9,7 +9,7 @@ After=smd.service [Container] ContainerName=boot-service HostName=boot-service -Image=ghcr.io/openchami/boot-service:v0.1.1 +Image=ghcr.io/openchami/boot-service:v0.1.5 # Environment Variables EnvironmentFile=/etc/openchami/configs/openchami.env From 9de9f7440fef0f639b268570cf0f247a8f674669 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 07:39:48 -0600 Subject: [PATCH 42/63] remove hydra stuff from bootstrap+openchami.sh Signed-off-by: Travis Cotton --- scripts/bootstrap_openchami.sh | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) 
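Review bot: `Wants=smd-init.service tokensmith.service` duplicates `smd-init.service`, which the `Requires=smd-init.service` line directly above already pulls in (Requires implies Wants), so the added line can be reduced to `Wants=tokensmith.service`. The comment above the block still describes only the init dependency; a short addition such as `# tokensmith is wanted and ordered before smd, but its failure does not stop smd` would document why tokensmith gets `Wants=` rather than `Requires=`.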
diff --git a/scripts/bootstrap_openchami.sh b/scripts/bootstrap_openchami.sh index 7a45c62..13b53c8 100644 --- a/scripts/bootstrap_openchami.sh +++ b/scripts/bootstrap_openchami.sh @@ -62,20 +62,9 @@ create_secret_if_not_exists "bss_postgres_password" "$bss_postgres_password" smd_postgres_password=$(generate_random_password) create_secret_if_not_exists "smd_postgres_password" "$smd_postgres_password" -# Hydra Postgres Password -hydra_postgres_password=$(generate_random_password) -create_secret_if_not_exists "hydra_postgres_password" "$hydra_postgres_password" - -# Hydra System Secret -hydra_system_secret=$(generate_random_password) -create_secret_if_not_exists "hydra_system_secret" "$hydra_system_secret" - -# HYDRA_DSN -HYDRA_DSN="postgres://hydra-user:$(podman secret inspect hydra_postgres_password --showsecret | jq -r '.[0].SecretData')@postgres:5432/hydradb?sslmode=disable&max_conns=20&max_idle_conns=4" -create_secret_if_not_exists "hydra_dsn" "$HYDRA_DSN" # POSTGRES_MULTIPLE_DATABASES -POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData'),bssdb:bss-user:$(podman secret inspect bss_postgres_password --showsecret | jq -r '.[0].SecretData'),hydradb:hydra-user:$(podman secret inspect hydra_postgres_password --showsecret | jq -r '.[0].SecretData')" +POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData'),bssdb:bss-user:$(podman secret inspect bss_postgres_password --showsecret | jq -r '.[0].SecretData')" create_secret_if_not_exists "postgres_multiple_databases" "$POSTGRES_MULTIPLE_DATABASES" # openchami.env Configuration From ee54c40dd6cb8bf577524957a600039418647cf2 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 07:51:17 -0600 Subject: [PATCH 43/63] remove cloud-init vars, revisit when metadata-service is in a better state 
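Review bot: The rebuilt `POSTGRES_MULTIPLE_DATABASES` value is still stored through `create_secret_if_not_exists`, so on a host where that secret already exists the new string (without the hydra entry) is never written and the old value containing `hydradb:hydra-user:...` persists; the same holds for any later rotation of `smd_postgres_password`, whose value this composite secret copies at bootstrap time via `podman secret inspect --showsecret`. Either remove and re-create this particular secret unconditionally, or add a comment above the line: `# Composite of the per-DB passwords above; re-create postgres_multiple_databases whenever any of them changes`. `create_secret_if_not_exists` is defined outside this hunk, so its skip-if-present behaviour is inferred from its name.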
Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 5 ----- 1 file changed, 5 deletions(-) diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index 2134675..a9caf91 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env @@ -48,8 +48,3 @@ DOCKER_STEPCA_INIT_PROVISIONER_PASSWORD="provisionerpassword" # Environemnt Variables HSM_URL=http://smd:27779 ANSIBLE_HOST_KEY_CHECKING=False - -# Environemnt Variables for cloud-init -LISTEN=:27777 -SMD_URL=http://smd:27779 -IMPERSONATION=true From fdf1a1882923138513db7defb1883c89acf8d1d1 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 08:02:29 -0600 Subject: [PATCH 44/63] set metadata-service to use port 8080 in haproxy since it's the default Signed-off-by: Travis Cotton --- systemd/configs/haproxy.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/configs/haproxy.cfg b/systemd/configs/haproxy.cfg index 8fdd4d6..df9a21c 100644 --- a/systemd/configs/haproxy.cfg +++ b/systemd/configs/haproxy.cfg @@ -47,7 +47,7 @@ backend boot-service backend metadata-service http-request set-path %[path,regsub(^/metadata-service/,/)] - server metadata-service metadata-service:8888 + server metadata-service metadata-service:8080 backend tokensmith http-request set-path %[path,regsub(^/tokensmith/,/)] From 49b8cc830e106a5cc7d943164893f95fbdabfbd1 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 08:12:34 -0600 Subject: [PATCH 45/63] remove the tokensmith flag for now, use pr-8 for the image Signed-off-by: Travis Cotton --- systemd/containers/metadata-service.container | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 7497eab..13a36c9 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container 
@@ -8,7 +8,7 @@ PartOf=openchami.target [Container] ContainerName=metadata-service HostName=metadata-service -Image=ghcr.io/openchami/metadata-service:pr-7 +Image=ghcr.io/openchami/metadata-service:pr-8 Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN @@ -18,7 +18,7 @@ EnvironmentFile=/etc/openchami/configs/openchami.env # Secrets Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN -Exec=serve --tokensmith-url=http://tokensmith:8080 +Exec=serve # Networks for the Container to use Network=openchami-internal.network From 3625bcc736464cb9664f41704335d5ee90b31fd4 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 08:25:00 -0600 Subject: [PATCH 46/63] rename cloud-init-data volume to metadata-data, set metadata-service.container to use it Signed-off-by: Travis Cotton --- systemd/containers/metadata-service.container | 2 ++ systemd/volumes/cloud-init-data.volume | 5 ----- systemd/volumes/metadata-data.volume | 5 +++++ 3 files changed, 7 insertions(+), 5 deletions(-) delete mode 100644 systemd/volumes/cloud-init-data.volume create mode 100644 systemd/volumes/metadata-data.volume diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 13a36c9..d96c9bb 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -18,6 +18,8 @@ EnvironmentFile=/etc/openchami/configs/openchami.env # Secrets Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN +Volume=metadata-service-data.volume:/data + Exec=serve # Networks for the Container to use diff --git a/systemd/volumes/cloud-init-data.volume b/systemd/volumes/cloud-init-data.volume deleted file mode 100644 index 6ad7204..0000000 --- a/systemd/volumes/cloud-init-data.volume +++ /dev/null @@ -1,5 +0,0 @@ -[Unit] -Description=cloud-init-server Data Volume - -[Volume] -VolumeName=cloud-init-data 
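Review bot: `Exec=serve` drops `--tokensmith-url=http://tokensmith:8080` while the unit still injects `Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN`, so the bootstrap token is handed to a process that is no longer told where tokensmith is; whether the service then falls back to a built-in URL or runs without token exchange is not visible here and is worth a comment next to `Exec=`, e.g. `# TODO: tokensmith flag removed for now; the bootstrap token is still mounted for when it is restored`. The same `Secret=` line appears in the context of both hunks at two different file offsets, so it seems to be declared twice in the unit; one copy is enough.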
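Review bot: `Volume=metadata-service-data.volume:/data` references a quadlet unit that this commit does not create; the new file is `systemd/volumes/metadata-data.volume`, and its `VolumeName=metadata-service-data` is the Podman volume name, not the unit name the generator resolves. The line should read `Volume=metadata-data.volume:/data`. A comment in the `.volume` file noting that the unit name and the `VolumeName=` differ on purpose would prevent the same mix-up later.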
diff --git a/systemd/volumes/metadata-data.volume b/systemd/volumes/metadata-data.volume new file mode 100644 index 0000000..f4003ba --- /dev/null +++ b/systemd/volumes/metadata-data.volume @@ -0,0 +1,5 @@ +[Unit] +Description=metadata-service Data Volume + +[Volume] +VolumeName=metadata-service-data From f6ad8b22f7afdfd64e17dce6557c17a334614e64 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 08:34:50 -0600 Subject: [PATCH 47/63] fix volume name for metadata Signed-off-by: Travis Cotton --- systemd/containers/metadata-service.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index d96c9bb..9e42db4 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -18,7 +18,7 @@ EnvironmentFile=/etc/openchami/configs/openchami.env # Secrets Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN -Volume=metadata-service-data.volume:/data +Volume=metadata-data.volume:/data Exec=serve From 5d5abb24983ad6e5e5a68cf6a810fb37579da984 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 08:48:14 -0600 Subject: [PATCH 48/63] bump tokensmith version and update Exec in container file Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index 572e6bc..ee18464 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container 
@@ -5,11 +5,11 @@ PartOf=openchami.target [Container] ContainerName=tokensmith HostName=tokensmith -Image=ghcr.io/openchami/tokensmith:v0.4.0 +Image=ghcr.io/openchami/tokensmith:v0.4.1 #Image=tokensmith:test EnvironmentFile=/etc/openchami/configs/openchami.env -Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint +Exec=--enable-local-user-mint # Volumes Volume=/etc/openchami/configs/tokensmith.json:/etc/tokensmith/config.json:Z From 267ff45d32ccb421992ca2086b57cfeae3a41866 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 09:06:08 -0600 Subject: [PATCH 49/63] added SMD_URL=http://smd:27779 back since metadata-service seems to use it Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 1 + 1 file changed, 1 insertion(+) diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index a9caf91..627fa52 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env @@ -46,5 +46,6 @@ DOCKER_STEPCA_INIT_PROVISIONER_NAME="Admin" DOCKER_STEPCA_INIT_PROVISIONER_PASSWORD="provisionerpassword" # Environemnt Variables +SMD_URL=http://smd:27779 HSM_URL=http://smd:27779 ANSIBLE_HOST_KEY_CHECKING=False From 49b143d77d6acc9e9660d74c55b0b06eed5d2d5a Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 09:16:04 -0600 Subject: [PATCH 50/63] bump smd container version to v2.20.0 Signed-off-by: Travis Cotton --- systemd/containers/smd-init.container | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/systemd/containers/smd-init.container b/systemd/containers/smd-init.container index e5e26fc..d6d5f28 100644 --- a/systemd/containers/smd-init.container 
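Review bot: `Exec=--enable-local-user-mint` leaves tokensmith running with local user minting switched on and no longer states the subcommand or the issuer/OIDC/store options on the command line, so the unit now relies on the image entrypoint and on the `TOKENSMITH_*` variables from `EnvironmentFile=` for all of that; a comment recording this, e.g. `# image entrypoint supplies "serve"; all other options come from TOKENSMITH_* in openchami.env`, would save the next reader from guessing. Since the flag name suggests tokens can be minted for local users without going through the OIDC provider, it should be marked for what it is, e.g. `# --enable-local-user-mint: demo/bootstrap setting, review before production use`, unless that is the intended production mode. The image tag moves from v0.4.0 to v0.4.1 in the same hunk; if the CLI changed between those versions that would explain the rewrite, but it is not visible here.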
+++ b/systemd/containers/smd-init.container @@ -7,7 +7,8 @@ PartOf=openchami.target [Container] ContainerName=smd-init HostName=smd-init -Image=ghcr.io/openchami/smd:v2.19.3 +Image=ghcr.io/openchami/smd:v2.20.0 + # Environemnt Variables Environment=SMD_DBHOST=postgres From b3317c1b5386cee3d5a5339fc6977cde775b816c Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 09:31:52 -0600 Subject: [PATCH 51/63] removed opaal refernce from openchami-certificate-update Signed-off-by: Travis Cotton --- scripts/openchami-certificate-update | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/openchami-certificate-update b/scripts/openchami-certificate-update index 06d3caa..6331bf5 100755 --- a/scripts/openchami-certificate-update +++ b/scripts/openchami-certificate-update @@ -19,7 +19,6 @@ update_dns() { sed -i "s/^ContainerName=.*/ContainerName=${system_fqdn}/" /etc/containers/systemd/acme-register.container sed -i "s/^HostName=.*/HostName=${system_fqdn}/" /etc/containers/systemd/acme-register.container sed -i "s|-d .* \\\\|-d ${system_fqdn} \\\\|" /etc/containers/systemd/acme-register.container - sed -i "s|--add-host='.*|--add-host='${system_fqdn}:${primary_ip}'|" /etc/containers/systemd/opaal.container # Reload systemD after .container changes systemctl daemon-reload From d8cccdd19a753ab40cbdccfeb1fa9a046067db65 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 09:40:11 -0600 Subject: [PATCH 52/63] added comment about OIDC provider in openchami.env file Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 2 ++ 1 file changed, 2 insertions(+) diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index 627fa52..017ced9 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env 
@@ -33,6 +33,8 @@ TOKENSMITH_CONFIG=/etc/tokensmith/config.json TOKENSMITH_KEY_DIR=/tokensmith/data/keys TOKENSMITH_RFC8693_BOOTSTRAP_STORE=/tokensmith/data/bootstrap TOKENSMITH_RFC8693_REFRESH_STORE=/tokensmith/data/refresh +#TOKENSMITH_OIDC_PROVIDER should point to an actual OIDC provider if you intend to use a real provider +#The default is http://hydra:4444 so leaving it here for visibility TOKENSMITH_OIDC_PROVIDER=http://hydra:4444 TOKENSMITH_PORT=8080 From 048a116db2e68d74c287ba6927bdf1de019f3c9d Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 09:46:12 -0600 Subject: [PATCH 53/63] added usage to tokensmith_bootstrap_token, will print when missing client arg Signed-off-by: Travis Cotton --- scripts/tokensmith_bootstrap_token | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/tokensmith_bootstrap_token b/scripts/tokensmith_bootstrap_token index 9d4bca9..d955281 100644 --- a/scripts/tokensmith_bootstrap_token +++ b/scripts/tokensmith_bootstrap_token @@ -1,4 +1,9 @@ #!/bin/bash +usage() { + echo "usage: $0 CLIENT" + echo + echo 'CLIENT: name of client service to generate token for' +} CLIENT="${1}" SERVICE="smd" @@ -6,6 +11,7 @@ SERVICE="smd" if [[ -z "$CLIENT" ]] then echo "Empty client" + usage >&2 exit 1 fi From ea6663a4b12904929826c203e21a3c8a233b7648 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 09:49:35 -0600 Subject: [PATCH 54/63] set metadata-service container image version to v0.1.0 Signed-off-by: Travis Cotton --- systemd/containers/metadata-service.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 9e42db4..39644a5 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container 
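Review bot: The new comment documents `TOKENSMITH_OIDC_PROVIDER=http://hydra:4444` as the visible default, but the `http://` scheme deserves a warning in the same comment: OIDC discovery and key retrieval over plaintext is only acceptable on a trusted internal network, and a real provider should be given as an `https://` URL, e.g. `# Use an https:// URL for a real provider; plaintext http is only for the internal demo setup`. Earlier commits in this series remove the hydra secrets and references, so if hydra no longer runs in this stack the comment should also say that the default host is not started here. The two new lines would read better with a space after `#`, matching the surrounding `# Environemnt Variables` headings (whose typo is in context lines, not this change).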
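Review bot: In the second tokensmith_bootstrap_token hunk the error text `echo "Empty client"` still goes to stdout while the new `usage >&2` goes to stderr, so a caller that captures stdout sees the message split across streams; change it to `echo "Empty client" >&2` or fold the message into `usage`. The new `usage()` could also state that the script must run on the host with the `tokensmith` container already up, since the minting `podman exec` call (outside these hunks) depends on it.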
@@ -8,7 +8,7 @@ PartOf=openchami.target [Container] ContainerName=metadata-service HostName=metadata-service -Image=ghcr.io/openchami/metadata-service:pr-8 +Image=ghcr.io/openchami/metadata-service:v0.1.0 Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN From f343423fc77b65ab69859980accfc467fa67d28b Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 14 May 2026 10:41:19 -0600 Subject: [PATCH 55/63] update coredhcp.yaml to match CoreSMD rules in v0.6.* Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- systemd/configs/coredhcp.yaml | 106 +++++++++++++++++++++++++++++----- 1 file changed, 92 insertions(+), 14 deletions(-) diff --git a/systemd/configs/coredhcp.yaml b/systemd/configs/coredhcp.yaml index 1d80964..6477bfd 100644 --- a/systemd/configs/coredhcp.yaml +++ b/systemd/configs/coredhcp.yaml 
@@ -1,18 +1,96 @@ +# Based on https://github.com/coredhcp/coredhcp/blob/master/cmds/coredhcp/config.yml.example +# See there for more extensive CoreDHCP configuration documentation. + server4: -# You can configure the specific interfaces that you want OpenCHAMI to listen on by -# uncommenting the lines below and setting the interface - # listen: - # - "%virbr-openchami" + # Optionally define how CoreDHCP binds to an interface or address. If unset, + # the server will bind to all interfaces (0.0.0.0). + # + #listen: + # - "%virbr-openchami" plugins: -# You are able to set the IP address of the system in server_id as the place to look for a DHCP server -# DNS is able to be set to whatever you want but it is much easier if you keep it set to the server IP -# Router is also able to be set to whatever you network router address is - # - server_id: 172.16.0.254 - # - dns: 172.16.0.254 - # - router: 172.16.0.254 + # Set DHCP Server Identifier to help resolve situations when there are + # multiple DHCP servers on a network. + #- server_id: 172.16.0.254 + + # Advertise list of DNS resolvers to use for hosts on network. + #- dns: 172.16.0.254 + + # REQUIRED: Advertise address of default router on network. + #- router: 172.16.0.254 + + # Advertise network mask of assigned IPs on network. - netmask: 255.255.255.0 -# The lines below define where the system should assign ip addresses for systems that do not have -# mac addresses stored in SMD - # - coresmd: https://demo.openchami.cluster:8443 http://172.16.0.254:8081 /root_ca/root_ca.crt 30s 1h false - # - bootloop: /tmp/coredhcp.db default 5m 172.16.0.200 172.16.0.250 + + # + # OpenCHAMI CONFIGURATION + # + + # Assign IP addresses to devices known to OpenCHAMI based on MAC address. 
+ #- coresmd: | + # /* Base URI for contacting SMD */ + # svc_base_uri=https://demo.openchami.cluster:8443 + # + # /* Base URI for contacting boot-service for boot scripts */ + # ipxe_base_uri=http://172.16.0.254:8081 + # + # /* + # * Path to root CA certificate in container to use for TLS + # * verification for communication with SMD + # */ + # ca_cert=/root_ca/root_ca.crt + # + # /* Refresh interval for CoreSMD's component cache */ + # cache_valid=30s + # + # /* Duration DHCP leases should be valid */ + # lease_time=1h + # + # /* Toggle TFTP single-port mode */ + # single_port=false + # + # /* + # * RICH RULES + # * + # * These are used to set DHCP options based on certain selectors. + # * See: https://github.com/OpenCHAMI/coresmd/blob/main/examples/coredhcp/rules.md + # */ + # + # /* Domain to append to set hostnames (able to be overridden) + # domain=openchami.cluster + # + # /* + # * Log level for rules. + # * + # * none: do not log + # * info: log rule matches + # * debug: log rule matches and non-matches + # */ + # rule_log=info + # + # /* Set hostname based on type (node or BMC, respectively) */ + # rule=type:Node,hostname:n{02d} + # rule=type:NodeBMC,hostname:bmc-s{02d} + + # Optional catch-all for extra devices. This plugin is meant to assign + # temporary IPs via a very short lease to devices not tracked in SMD, e.g. + # for BMCs to be discoverable via Redfish so they _can_ be added to SMD. + # Non-BMC devices are served an iPXE script that instructs them to reboot + # (by default, this is customizable, hence the name 'bootloop') so that + # they will constantly try to get a new lease. The idea is that once they + # are added to SMD, CoreSMD above will catch it. 
+ #- bootloop: | + # /* Where to store leases (sqlite) + # lease_file=/tmp/coredhcp.db + # + # /* iPXE script to use ('default' reboots) + # script_path=default + # + # /* Duration of short-lived lease */ + # lease_time=5m + # + # /* Beginning IP of assignable IPv4 addresses */ + # ipv4_start=172.16.0.200 + # + # /* Ending IP of assignable IPv4 addresses */ + # ipv4_end=172.16.0.250 From 3c0a5453ca31ec8d185483769c598cbdc484d4bd Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 14 May 2026 10:43:44 -0600 Subject: [PATCH 56/63] bump coresmd to v0.6.1 Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- systemd/containers/coresmd-coredhcp.container | 2 +- systemd/containers/coresmd-coredns.container | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/containers/coresmd-coredhcp.container b/systemd/containers/coresmd-coredhcp.container index c76739a..48f0848 100644 --- a/systemd/containers/coresmd-coredhcp.container +++ b/systemd/containers/coresmd-coredhcp.container @@ -8,7 +8,7 @@ PartOf=openchami.target ContainerName=coresmd-coredhcp HostName=coresmd-coredhcp -Image=ghcr.io/openchami/coresmd:v0.4.3 +Image=ghcr.io/openchami/coresmd:v0.6.1 # Capabilities AddCapability=NET_ADMIN diff --git a/systemd/containers/coresmd-coredns.container b/systemd/containers/coresmd-coredns.container index 817479d..0b0b6d6 100644 --- a/systemd/containers/coresmd-coredns.container +++ b/systemd/containers/coresmd-coredns.container @@ -8,7 +8,7 @@ PartOf=openchami.target ContainerName=coresmd-coredns HostName=coresmd-coredns -Image=ghcr.io/openchami/coresmd:v0.4.3 +Image=ghcr.io/openchami/coresmd:v0.6.1 Exec=/coredns From db6e546d0585a89d8a823869b801dddb22a280a6 Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 14 May 2026 13:13:26 -0600 Subject: [PATCH 57/63] use xname for bmc hostname pattern 
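Review bot: Three of the C-style comments inside the commented template are never closed: `/* Domain to append to set hostnames (able to be overridden)`, `/* Where to store leases (sqlite)` and `/* iPXE script to use ('default' reboots)` lack the `*/`, so once a user uncomments the block the lines that follow (`domain=...`, `lease_file=...`, `script_path=...`) may be swallowed by the comment if the plugin's config parser honours `/* */` the way the other comments assume. Close them, e.g. `/* Domain to append to set hostnames (able to be overridden) */`. `ca_cert=/root_ca/root_ca.crt` is the trust anchor used to verify SMD over TLS and `svc_base_uri=https://demo.openchami.cluster:8443` is only the example address; a short note that both must be changed together for a real deployment, and that the cert path is inside the container, would help since this template is the only documentation the operator gets here.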
Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- systemd/configs/coredhcp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/configs/coredhcp.yaml b/systemd/configs/coredhcp.yaml index 6477bfd..2a41be2 100644 --- a/systemd/configs/coredhcp.yaml +++ b/systemd/configs/coredhcp.yaml @@ -69,7 +69,7 @@ server4: # # /* Set hostname based on type (node or BMC, respectively) */ # rule=type:Node,hostname:n{02d} - # rule=type:NodeBMC,hostname:bmc-s{02d} + # rule=type:NodeBMC,hostname:{id} # Optional catch-all for extra devices. This plugin is meant to assign # temporary IPs via a very short lease to devices not tracked in SMD, e.g. From a29d7f6b2a77f649ccccfef0370e42ea3a1a931c Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 14 May 2026 16:24:30 -0600 Subject: [PATCH 58/63] bump smd to v2.20.3 Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- systemd/containers/smd-init.container | 2 +- systemd/containers/smd.container | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/containers/smd-init.container b/systemd/containers/smd-init.container index d6d5f28..027bccc 100644 --- a/systemd/containers/smd-init.container +++ b/systemd/containers/smd-init.container @@ -7,7 +7,7 @@ PartOf=openchami.target [Container] ContainerName=smd-init HostName=smd-init -Image=ghcr.io/openchami/smd:v2.20.0 +Image=ghcr.io/openchami/smd:v2.20.3 # Environemnt Variables diff --git a/systemd/containers/smd.container b/systemd/containers/smd.container index 3eafcdf..48e8c12 100644 --- a/systemd/containers/smd.container +++ b/systemd/containers/smd.container @@ -10,7 +10,7 @@ Wants=smd-init.service tokensmith.service [Container] ContainerName=smd HostName=smd -Image=ghcr.io/openchami/smd:v2.20.0 +Image=ghcr.io/openchami/smd:v2.20.3 # Environment Variables EnvironmentFile=/etc/openchami/configs/openchami.env 
From 43709850e76a63f362bb45c7077a6135488ee621 Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 14 May 2026 16:55:44 -0600 Subject: [PATCH 59/63] remove unused secrets Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- scripts/bootstrap_openchami.sh | 8 ++------ systemd/containers/postgres.container | 2 -- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/scripts/bootstrap_openchami.sh b/scripts/bootstrap_openchami.sh index 13b53c8..5dbe170 100644 --- a/scripts/bootstrap_openchami.sh +++ b/scripts/bootstrap_openchami.sh @@ -54,21 +54,17 @@ acme_correction() { postgres_password=$(generate_random_password) create_secret_if_not_exists "postgres_password" "$postgres_password" -# BSS Postgres Password -bss_postgres_password=$(generate_random_password) -create_secret_if_not_exists "bss_postgres_password" "$bss_postgres_password" - # SMD Postgres Password smd_postgres_password=$(generate_random_password) create_secret_if_not_exists "smd_postgres_password" "$smd_postgres_password" # POSTGRES_MULTIPLE_DATABASES -POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData'),bssdb:bss-user:$(podman secret inspect bss_postgres_password --showsecret | jq -r '.[0].SecretData')" +POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData')" create_secret_if_not_exists "postgres_multiple_databases" "$POSTGRES_MULTIPLE_DATABASES" # openchami.env Configuration generate_environment_file # Correct the ACME files -acme_correction \ No newline at end of file +acme_correction diff --git a/systemd/containers/postgres.container b/systemd/containers/postgres.container index 9cc50db..fdcfe44 100644 --- a/systemd/containers/postgres.container +++ b/systemd/containers/postgres.container 
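Review bot: Dropping the `bss_postgres_password` generation does not remove that secret on hosts bootstrapped earlier, and because `POSTGRES_MULTIPLE_DATABASES` is stored with `create_secret_if_not_exists`, those hosts also keep the old composite value that still contains the `bssdb:bss-user:...` entry and keep creating that database. Either remove the obsolete secrets explicitly in the script, or add a comment above the `POSTGRES_MULTIPLE_DATABASES` line: `# Upgrading hosts: remove the stale bss_postgres_password and postgres_multiple_databases secrets so they are regenerated`. `create_secret_if_not_exists` is defined outside this hunk, so its skip-if-present behaviour is inferred from its name.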
@@ -18,9 +18,7 @@ EnvironmentFile=/etc/openchami/configs/openchami.env
 # Secrets
 Secret=postgres_password,type=env,target=POSTGRES_PASSWORD
-Secret=bss_postgres_password,type=env,target=BSS_POSTGRES_PASSWORD
 Secret=smd_postgres_password,type=env,target=SMD_POSTGRES_PASSWORD
-Secret=hydra_postgres_password,type=env,target=HYDRA_POSTGRES_PASSWORD
 Secret=postgres_multiple_databases,type=env,target=POSTGRES_MULTIPLE_DATABASES

From 2379e95c116b3c9ddfd93458c9323202669de4f5 Mon Sep 17 00:00:00 2001
From: Devon Bautista <17506592+synackd@users.noreply.github.com>
Date: Thu, 14 May 2026 17:03:01 -0600
Subject: [PATCH 60/63] remove extra newline in coredhcp.yaml

Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
---
 systemd/configs/coredhcp.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/systemd/configs/coredhcp.yaml b/systemd/configs/coredhcp.yaml
index 2a41be2..e54af04 100644
--- a/systemd/configs/coredhcp.yaml
+++ b/systemd/configs/coredhcp.yaml
@@ -93,4 +93,3 @@ server4:
 #
 # /* Ending IP of assignable IPv4 addresses */
 # ipv4_end=172.16.0.250
-

From e6c140f1d5bb724fd2f546022bb14b37ef0566b6 Mon Sep 17 00:00:00 2001
From: Devon Bautista <17506592+synackd@users.noreply.github.com>
Date: Thu, 28 May 2026 13:50:46 -0600
Subject: [PATCH 61/63] bump coresmd to v0.6.3

Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
---
 systemd/containers/coresmd-coredhcp.container | 2 +-
 systemd/containers/coresmd-coredns.container | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/systemd/containers/coresmd-coredhcp.container b/systemd/containers/coresmd-coredhcp.container
index 48f0848..2f15830 100644
--- a/systemd/containers/coresmd-coredhcp.container
+++ b/systemd/containers/coresmd-coredhcp.container
@@ -8,7 +8,7 @@ PartOf=openchami.target
 ContainerName=coresmd-coredhcp
 HostName=coresmd-coredhcp
-Image=ghcr.io/openchami/coresmd:v0.6.1
+Image=ghcr.io/openchami/coresmd:v0.6.3
 # Capabilities
 AddCapability=NET_ADMIN
diff --git a/systemd/containers/coresmd-coredns.container b/systemd/containers/coresmd-coredns.container
index 0b0b6d6..f9554e9 100644
--- a/systemd/containers/coresmd-coredns.container
+++ b/systemd/containers/coresmd-coredns.container
@@ -8,7 +8,7 @@ PartOf=openchami.target
 ContainerName=coresmd-coredns
 HostName=coresmd-coredns
-Image=ghcr.io/openchami/coresmd:v0.6.1
+Image=ghcr.io/openchami/coresmd:v0.6.3
 Exec=/coredns

From 5c1ae0de970c5a2d43bb2357ba7862021ec66b00 Mon Sep 17 00:00:00 2001
From: Devon Bautista <17506592+synackd@users.noreply.github.com>
Date: Mon, 1 Jun 2026 09:45:41 -0600
Subject: [PATCH 62/63] bump boot-service to v0.1.6 for client debug messages

Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
---
 systemd/containers/boot-service.container | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container
index 3c88578..867256b 100644
--- a/systemd/containers/boot-service.container
+++ b/systemd/containers/boot-service.container
@@ -9,7 +9,7 @@ After=smd.service
 [Container]
 ContainerName=boot-service
 HostName=boot-service
-Image=ghcr.io/openchami/boot-service:v0.1.5
+Image=ghcr.io/openchami/boot-service:v0.1.6
 # Environment Variables
 EnvironmentFile=/etc/openchami/configs/openchami.env
@@ -29,4 +29,4 @@ Exec=serve --enable-legacy-api=false --enable-auth=true --tokensmith_url=http://
 [Service]
 ExecStartPre=/usr/sbin/tokensmith_bootstrap_token boot-service
-Restart=always
\ No newline at end of file
+Restart=always

From 52f0f37be0a408a36958516b5a19dfe9bca40951 Mon Sep 17 00:00:00 2001
From: Devon Bautista <17506592+synackd@users.noreply.github.com>
Date: Wed, 3 Jun 2026 13:16:07 -0600
Subject: [PATCH 63/63] bump metadata-service to v0.1.1

Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
---
 systemd/containers/metadata-service.container | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container
index 39644a5..5725596 100644
--- a/systemd/containers/metadata-service.container
+++ b/systemd/containers/metadata-service.container
@@ -8,7 +8,7 @@ PartOf=openchami.target
 [Container]
 ContainerName=metadata-service
 HostName=metadata-service
-Image=ghcr.io/openchami/metadata-service:v0.1.0
+Image=ghcr.io/openchami/metadata-service:v0.1.1
 Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN
@@ -30,4 +30,4 @@ PodmanArgs=--http-proxy=false
 [Service]
 ExecStartPre=/usr/sbin/tokensmith_bootstrap_token metadata-service
-Restart=always
\ No newline at end of file
+Restart=always