From 78faa6622e152c13714bbe0439012c5e4f6c0a4e Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 2 Apr 2026 07:13:49 -0600 Subject: [PATCH 01/65] added tokensmith basic config file; update env file Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 9 ++++++++ systemd/configs/tokensmith.json | 19 +++++++++++++++++ systemd/containers/tokensmith.container | 28 +++++++++++++++++++++++++ 3 files changed, 56 insertions(+) create mode 100644 systemd/configs/tokensmith.json create mode 100644 systemd/containers/tokensmith.container diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index efbe4ea..a4cb925 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env @@ -36,6 +36,15 @@ SMD_DBUSER=smd-user SMD_DBOPTS=sslmode=disable SMD_JWKS_URL=http://opaal:3333/keys +# Environemnt Variables +TOKENSMITH_ISSUER=https://tokensmith.openchami.dev +TOKENSMITH_CLUSTER_ID=demo-cluster +TOKENSMITH_OPENCHAMI_ID=demo-openchami +TOKENSMITH_CONFIG=/tokensmith/config.json +TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys +TOKENSMITH_OIDC_PROVIDER=http://hydra:4444 +TOKENSMITH_PORT=8080 + # Environemnt Variables STEPPATH=/home/step DOCKER_STEPCA_INIT_NAME=OpenCHAMI diff --git a/systemd/configs/tokensmith.json b/systemd/configs/tokensmith.json new file mode 100644 index 0000000..09d4ed4 --- /dev/null +++ b/systemd/configs/tokensmith.json @@ -0,0 +1,19 @@ +{ + "groupScopes": { + "admin": [ + "admin", + "write", + "read" + ], + "operator": [ + "write", + "read" + ], + "user": [ + "read" + ], + "viewer": [ + "read" + ] + } +} \ No newline at end of file diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container new file mode 100644 index 0000000..5d23ab5 --- /dev/null +++ b/systemd/containers/tokensmith.container 
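Review bot: `TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys` places the signing key at a path inside the container that nothing in this series mounts as a volume (the container unit only mounts the config file), so if tokensmith generates the key pair when none exists — inferred from the path, the image's behaviour is not visible here — every container restart yields a fresh key and silently invalidates every token and bootstrap token minted before it. A named volume for the key directory, and a comment next to the variable saying the key must persist across restarts, would make that contract explicit. `TOKENSMITH_OIDC_PROVIDER=http://hydra:4444` still points at hydra, whose unit is deleted two patches later in this series, so either the variable is dead or tokensmith will fail to reach it. The two added `# Environemnt Variables` comments misspell "Environment".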
@@ -0,0 +1,28 @@
+[Unit]
+Description=The tokensmith container
+Wants=hydra-gen-jwks.service
+After=hydra-gen-jwks.service
+PartOf=openchami.target
+
+[Container]
+ContainerName=tokensmith
+HostName=tokensmith
+Image=ghcr.io/openchami/tokensmith:pr-13
+EnvironmentFile=/etc/openchami/configs/openchami.env
+
+# Volumes
+Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z
+
+# Networks for the Container to use
+Network=openchami-internal.network
+Network=openchami-jwt-internal.network
+
+# Extra hosts
+PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254'
+# Proxy settings
+PodmanArgs=--http-proxy=false
+
+[Service]
+Restart=always
+# Run commands after container starts
+ExecStartPost=sleep 10s
\ No newline at end of file
From 9521654b008fb9014dcfe8aa68ca106266039985 Mon Sep 17 00:00:00 2001
From: Travis Cotton
Date: Tue, 7 Apr 2026 14:50:25 -0600
Subject: [PATCH 02/65] added tokensmith bootstrap token script
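Review bot: `Image=ghcr.io/openchami/tokensmith:pr-13` pins the token-issuing service to a pull-request build tag, which is mutable and disappears or changes when the PR is updated, so the deployed issuer is not reproducible; a release tag or a digest (`Image=ghcr.io/openchami/tokensmith@sha256:<digest>`) is the usual fix. `ExecStartPost=sleep 10s` is the only readiness signal, and units ordered `After=tokensmith.service` (the bootstrap scripts that `podman exec` into this container later in the series) will race it; a `HealthCmd=` on the container, with `Notify=healthy` where the installed podman supports it, would replace the fixed sleep. The only `Volume=` is the config file, so the signing key the env file places under `/tmp` inside the container is lost on every restart unless the image stores it elsewhere.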
Signed-off-by: Travis Cotton
---
 scripts/tokensmith_bootstrap_token.sh | 14 +++++++
 systemd/containers/bss-init.container | 28 -------------
 systemd/containers/bss.container | 36 -----------------
 .../containers/cloud-init-server.container | 24 -----------
 systemd/containers/hydra-gen-jwks.container | 26 ------------
 systemd/containers/hydra-migrate.container | 32 ---------------
 systemd/containers/hydra.container | 40 -------------------
 systemd/containers/opaal-idp.container | 26 ------------
 systemd/containers/opaal.container | 33 ---------------
 9 files changed, 14 insertions(+), 245 deletions(-)
 create mode 100644 scripts/tokensmith_bootstrap_token.sh
 delete mode 100644 systemd/containers/bss-init.container
 delete mode 100644 systemd/containers/bss.container
 delete mode 100644 systemd/containers/cloud-init-server.container
 delete mode 100644 systemd/containers/hydra-gen-jwks.container
 delete mode 100644 systemd/containers/hydra-migrate.container
 delete mode 100644 systemd/containers/hydra.container
 delete mode 100644 systemd/containers/opaal-idp.container
 delete mode 100644 systemd/containers/opaal.container
diff --git a/scripts/tokensmith_bootstrap_token.sh b/scripts/tokensmith_bootstrap_token.sh
new file mode 100644
index 0000000..f9f8083
--- /dev/null
+++ b/scripts/tokensmith_bootstrap_token.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+CLIENT="${1}"
+SERVICE="smd"
+
+TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\
+ /usr/local/bin/tokensmith mint-bootstrap-token \
+ --key-file /tmp/tokensmith/keys/private.pem \
+ --service-id ${CLIENT}-client \
+ --target-service ${SERVICE}
+ ")
+SECRET_NAME="${CLIENT}-bootstrap-token"
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm ${SECRET_NAME} 2>/dev/null || true
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create ${SECRET_NAME} -
\ No newline at end of file
diff --git a/systemd/containers/bss-init.container b/systemd/containers/bss-init.container deleted file mode 100644 index 4bebd0c..0000000 --- a/systemd/containers/bss-init.container +++ /dev/null @@ -1,28 +0,0 @@ -[Unit] -Description=The bss-init container -Wants=smd.service -Requires=postgres.service -PartOf=openchami.target - -[Container] -ContainerName=bss-init -HostName=bss-init -Image=ghcr.io/openchami/bss:v1.32.2 - -# Environment Variables -EnvironmentFile=/etc/openchami/configs/openchami.env - -# Secrets -Secret=bss_postgres_password,type=env,target=BSS_DBPASS - -# Networks for the Container to use -Network=openchami-internal.network - -# Proxy settings -PodmanArgs=--http-proxy=false -PodmanArgs=--entrypoint='["/bin/sh","-c","/usr/local/bin/bss-init "]' - -[Service] -Restart=on-failure -Type=oneshot -RemainAfterExit=yes diff --git a/systemd/containers/bss.container b/systemd/containers/bss.container deleted file mode 100644 index 044d69c..0000000 --- a/systemd/containers/bss.container +++ /dev/null @@ -1,36 +0,0 @@ -[Unit] -Description=The bss container -PartOf=openchami.target - -# Ensure the init job has started (and if it fails, BSS will fail): -Requires=bss-init.service -After=bss-init.service - -# Ensure SMD has started already -Wants=smd.service -After=smd.service - -# Hydraledger JWKS must be generated first: -Wants=hydra-gen-jwks.service -After=hydra-gen-jwks.service - - -[Container] -ContainerName=bss -HostName=bss -Image=ghcr.io/openchami/bss:v1.32.2 - -# Environment Variables -EnvironmentFile=/etc/openchami/configs/openchami.env - -# Secrets -Secret=bss_postgres_password,type=env,target=BSS_DBPASS - -# Networks for the Container to use -Network=openchami-internal.network - -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=always diff --git a/systemd/containers/cloud-init-server.container b/systemd/containers/cloud-init-server.container deleted file mode 100644 index fd914df..0000000 
--- a/systemd/containers/cloud-init-server.container +++ /dev/null @@ -1,24 +0,0 @@ -[Unit] -Description=The cloud-init-server container -Wants=smd.service -After=smd.service opaal.service -PartOf=openchami.target - -[Container] -ContainerName=cloud-init-server -HostName=cloud-init -Image=ghcr.io/openchami/cloud-init:v1.3.0 - -Volume=cloud-init-data:/cloud-init:rw,Z - -# Environment Variables -EnvironmentFile=/etc/openchami/configs/openchami.env - -# Networks for the Container to use -Network=openchami-internal.network - -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=always diff --git a/systemd/containers/hydra-gen-jwks.container b/systemd/containers/hydra-gen-jwks.container deleted file mode 100644 index e643bb5..0000000 --- a/systemd/containers/hydra-gen-jwks.container +++ /dev/null @@ -1,26 +0,0 @@ -[Unit] -Description=The hydra-gen-jwks container -Wants=hydra.service -After=hydra.service -PartOf=openchami.target - -[Container] -ContainerName=hydra-gen-jwks -HostName=hydra-gen-jwks -Image=cgr.dev/chainguard/curl:latest - -# Command to run in container -Exec=--retry 10 --retry-delay 5 --retry-all-errors --verbose http://hydra:4444/.well-known/jwks.json - -# Networks for the Container to use -Network=openchami-jwt-internal.network - - -# Unsupported by generator options -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=on-failure -Type=oneshot -RemainAfterExit=yes diff --git a/systemd/containers/hydra-migrate.container b/systemd/containers/hydra-migrate.container deleted file mode 100644 index 9829126..0000000 --- a/systemd/containers/hydra-migrate.container +++ /dev/null 
@@ -1,32 +0,0 @@ -[Unit] -Description=The hydra-migrate container -Requires=postgres.service -After=postgres.service -PartOf=openchami.target - -[Container] -ContainerName=hydra-migrate -HostName=hydra-migrate -Image=docker.io/oryd/hydra:v2.3 - -# Volumes -Volume=/etc/openchami/configs/:/etc/config/hydra:Z - -# Secrets -Secret=hydra_system_secret,type=env,target=SECRETS_SYSTEM -Secret=hydra_postgres_password,type=env,target=HYDRA_POSTGRES_PASSWORD -Secret=hydra_dsn,type=env,target=DSN - -# Command to run in container -Exec=migrate -c /etc/config/hydra/hydra.yml sql -e --yes - -# Networks for the Container to use -Network=openchami-internal.network - -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=on-failure -Type=oneshot -RemainAfterExit=yes diff --git a/systemd/containers/hydra.container b/systemd/containers/hydra.container deleted file mode 100644 index 4cd6461..0000000 --- a/systemd/containers/hydra.container +++ /dev/null @@ -1,40 +0,0 @@ -[Unit] -Description=The hydra container -PartOf=openchami.target - -# 1) Don’t start until hydra-migrate has successfully started: -Requires=hydra-migrate.service -After=hydra-migrate.service - -# 2) Also require Step-CA to be running first: -Wants=step-ca.service -After=step-ca.service - - -[Container] -ContainerName=hydra -HostName=hydra -Image=docker.io/oryd/hydra:v2.3 - -# Volumes -Volume=/etc/openchami/configs/:/etc/config/hydra:Z - -# Environment Variables -EnvironmentFile=/etc/openchami/configs/openchami.env - -# Secrets -Secret=hydra_system_secret,type=env,target=SECRETS_SYSTEM -Secret=hydra_dsn,type=env,target=DSN - -# Command to run in container -Exec=serve -c /etc/config/hydra/hydra.yml all --sqa-opt-out - -# Networks for the Container to use -Network=openchami-jwt-internal.network - - -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=always 
diff --git a/systemd/containers/opaal-idp.container b/systemd/containers/opaal-idp.container deleted file mode 100644 index cccba39..0000000 --- a/systemd/containers/opaal-idp.container +++ /dev/null @@ -1,26 +0,0 @@ -[Unit] -Description=The opaal-idp container -Wants=hydra-gen-jwks.service -After=hydra-gen-jwks.service -PartOf=openchami.target - -[Container] -ContainerName=opaal-idp -HostName=opaal-idp -Image=ghcr.io/openchami/opaal:v0.3.12 - -# Volumes -Volume=/etc/openchami/configs:/opaal/config/:Z - -# Command to run in container -Exec=/opaal/opaal serve --config /opaal/config/opaal.yaml - -EnvironmentFile=/etc/openchami/configs/openchami.env -# Networks for the Container to use -Network=openchami-jwt-internal - -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=always diff --git a/systemd/containers/opaal.container b/systemd/containers/opaal.container deleted file mode 100644 index 700b72c..0000000 --- a/systemd/containers/opaal.container +++ /dev/null @@ -1,33 +0,0 @@ -[Unit] -Description=The opaal container -PartOf=openchami.target - -# Don’t start until the ID-P is running: -Wants=opaal-idp.service -After=opaal-idp.service - -[Container] -ContainerName=opaal -HostName=opaal -Image=ghcr.io/openchami/opaal:v0.3.12 - - -# Volumes -Volume=/etc/openchami/configs:/opaal/config/:Z - -# Command to run in container -Exec=/opaal/opaal login --config /opaal/config/opaal.yaml - -# Networks for the Container to use -Network=openchami-internal.network -Network=openchami-jwt-internal.network - -# Extra hosts -PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254' -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -Restart=always -# Run commands after container starts -ExecStartPost=sleep 10s From 639f1dce01cc1b6527e12f44f393f1f4f3ea77cd Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 7 Apr 2026 14:50:51 -0600 Subject: [PATCH 03/65] removed old services; added new ones 
Signed-off-by: Travis Cotton --- systemd/containers/boot-service.service | 32 +++++++++++++++++++ systemd/containers/coresmd-coredhcp.container | 4 +-- systemd/containers/haproxy.container | 4 +-- systemd/containers/metadata-service.service | 24 ++++++++++++++ systemd/containers/tokensmith.container | 4 +-- 5 files changed, 61 insertions(+), 7 deletions(-) create mode 100644 systemd/containers/boot-service.service create mode 100644 systemd/containers/metadata-service.service diff --git a/systemd/containers/boot-service.service b/systemd/containers/boot-service.service new file mode 100644 index 0000000..22b0b5a --- /dev/null +++ b/systemd/containers/boot-service.service @@ -0,0 +1,32 @@ +[Unit] +Description=The bss container +#PartOf=openchami.target + +# Ensure the init job has started (and if it fails, BSS will fail): +Requires=tokensmith.service smd.service +After=tokensmith.service smd.service + +[Container] +ContainerName=boot-service +HostName=boot-service +Image=boot-service:test + +# Environment Variables +#EnvironmentFile=/etc/openchami/configs/openchami.env + +#Volume=/etc/openchami/configs/boot-service.yaml:/etc/boot-service/config.yaml:ro,Z + +# Secrets +Secret=bss-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN + +# Networks for the Container to use +Network=openchami-internal.network + +# Proxy settings +PodmanArgs=--http-proxy=false + +Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd + +[Service] +ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh bss +Restart=always diff --git a/systemd/containers/coresmd-coredhcp.container b/systemd/containers/coresmd-coredhcp.container index 9030c90..50f0644 100644 --- a/systemd/containers/coresmd-coredhcp.container +++ b/systemd/containers/coresmd-coredhcp.container 
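Review bot: `ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh bss` names a path that the packaging later in this series (patch 11) installs under `/usr/sbin/`, so the pre-start step will not find the script unless one side changes; the metadata-service unit and the later `.container` copies use the same `/usr/local/sbin` path. The file is a `.service` under `systemd/containers/` yet carries a `[Container]` section, which Quadlet only processes for `.container` files (patch 05 renames it). `Exec=serve --enable-auth --tokensmith_url=...` spells the flag with an underscore while metadata-service passes `--tokensmith-url`; I cannot see which spelling the binary accepts, but the two units should agree. `Image=boot-service:test` is an unpinned local tag, which is fine for a test branch but should not reach the packaged spec.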
@@ -1,7 +1,7 @@ [Unit] Description=The CoreSMD CoreDHCP container -Wants=haproxy.service -After=haproxy.service +Wants=tokensmith.service +After=tokensmith.service PartOf=openchami.target [Container] diff --git a/systemd/containers/haproxy.container b/systemd/containers/haproxy.container index ac1c0f0..0c91ded 100644 --- a/systemd/containers/haproxy.container +++ b/systemd/containers/haproxy.container @@ -1,7 +1,7 @@ [Unit] Description=The haproxy container -Wants=bss.service cloud-init-server.service smd.service acme-deploy.service -After=openchami-external-network.service opaal.service smd.service bss.service acme-deploy.service cloud-init-server.service +Wants=boot-service.service metadata-service.service smd.service acme-deploy.service +After=openchami-external-network.service smd.service boot-service.service acme-deploy.service metadata-service.service Requires=openchami-external-network.service acme-deploy.service PartOf=openchami.target diff --git a/systemd/containers/metadata-service.service b/systemd/containers/metadata-service.service new file mode 100644 index 0000000..a02451a --- /dev/null +++ b/systemd/containers/metadata-service.service @@ -0,0 +1,24 @@ +[Unit] +Description=The metadata-service container +Wants=smd.service +After=smd.service tokensmith.service +PartOf=openchami.target + +[Container] +ContainerName=metadata-service +HostName=cloud-init +Image=metadata-service:test + +Volume=cloud-init-data:/cloud-init:rw,Z + +# Environment Variables +EnvironmentFile=/etc/openchami/configs/openchami.env + +# Networks for the Container to use +Network=openchami-internal.network + +# Proxy settings +PodmanArgs=--http-proxy=false + +[Service] +Restart=always \ No newline at end of file diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index 5d23ab5..bfa2e0d 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container 
@@ -1,13 +1,11 @@ [Unit] Description=The tokensmith container -Wants=hydra-gen-jwks.service -After=hydra-gen-jwks.service PartOf=openchami.target [Container] ContainerName=tokensmith HostName=tokensmith -Image=ghcr.io/openchami/tokensmith:pr-13 +Image=ghcr.io/openchami/tokensmith:pr-19 EnvironmentFile=/etc/openchami/configs/openchami.env # Volumes From df2ed75eeadb8cc692d0b59f81ce02fab614b124 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 7 Apr 2026 15:49:03 -0600 Subject: [PATCH 04/65] updating some container files Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 16 ---------------- systemd/containers/boot-service.service | 16 +++++++--------- systemd/containers/coresmd-coredhcp.container | 4 ++-- systemd/containers/metadata-service.service | 7 +++++-- 4 files changed, 14 insertions(+), 29 deletions(-) diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index a4cb925..f216bec 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env @@ -14,20 +14,6 @@ URLS_LOGOUT=https://${SYSTEM_URL}/logout # Environemnt Variables POSTGRES_USER=ochami -# Environemnt Variables -BSS_USESQL=true -BSS_INSECURE=true -BSS_DEBUG=true -BSS_DBHOST=postgres -BSS_DBPORT=5432 -BSS_DBNAME=bssdb -BSS_DBUSER=bss-user -BSS_JWKS_URL=http://opaal:3333/keys -BSS_OAUTH2_ADMIN_BASE_URL=http://opaal:3333 -BSS_OAUTH2_PUBLIC_BASE_URL=http://opaal:3333 -BSS_IPXE_SERVER=${SYSTEM_URL} -BSS_CHAIN_PROTO=https - # Environemnt Variables SMD_DBHOST=postgres SMD_DBPORT=5432 @@ -62,6 +48,4 @@ ANSIBLE_HOST_KEY_CHECKING=False # Environemnt Variables for cloud-init LISTEN=:27777 SMD_URL=http://smd:27779 -OPAAL_URL=http://opaal:3333 -JWKS_URL=http://opaal:3333/keys IMPERSONATION=true diff --git a/systemd/containers/boot-service.service b/systemd/containers/boot-service.service index 22b0b5a..cc79678 100644 --- a/systemd/containers/boot-service.service +++ b/systemd/containers/boot-service.service 
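Review bot: The cloud-init section loses `OPAAL_URL` and `JWKS_URL` but keeps `IMPERSONATION=true` and `SMD_URL`, and nothing replaces the JWKS source; if the new metadata-service validates incoming JWTs the way SMD does after patch 09 (`SMD_JWKS_URL`), it will need a tokensmith JWKS variable here — I cannot tell from this hunk what the service reads. The heading `# Environemnt Variables for cloud-init` is now stale as well as misspelled, since the consumer of these values is metadata-service.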
@@ -1,10 +1,10 @@ [Unit] Description=The bss container -#PartOf=openchami.target +PartOf=openchami.target -# Ensure the init job has started (and if it fails, BSS will fail): -Requires=tokensmith.service smd.service -After=tokensmith.service smd.service +# Ensure SMD has started already +Wants=smd.service tokensmith.service +After=smd.service tokensmith.service [Container] ContainerName=boot-service @@ -12,12 +12,10 @@ HostName=boot-service Image=boot-service:test # Environment Variables -#EnvironmentFile=/etc/openchami/configs/openchami.env - -#Volume=/etc/openchami/configs/boot-service.yaml:/etc/boot-service/config.yaml:ro,Z +EnvironmentFile=/etc/openchami/configs/openchami.env # Secrets -Secret=bss-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN +Secret=boot-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN # Networks for the Container to use Network=openchami-internal.network @@ -28,5 +26,5 @@ PodmanArgs=--http-proxy=false Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd [Service] -ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh bss +ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service Restart=always diff --git a/systemd/containers/coresmd-coredhcp.container b/systemd/containers/coresmd-coredhcp.container index 50f0644..c76739a 100644 --- a/systemd/containers/coresmd-coredhcp.container +++ b/systemd/containers/coresmd-coredhcp.container @@ -1,7 +1,7 @@ [Unit] Description=The CoreSMD CoreDHCP container -Wants=tokensmith.service -After=tokensmith.service +Wants=tokensmith.service smd.service +After=tokensmith.service smd.service PartOf=openchami.target [Container] diff --git a/systemd/containers/metadata-service.service b/systemd/containers/metadata-service.service index a02451a..4031d45 100644 --- a/systemd/containers/metadata-service.service +++ b/systemd/containers/metadata-service.service 
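Review bot: Changing `Requires=tokensmith.service smd.service` to `Wants=` makes tokensmith optional, but `ExecStartPre=... tokensmith_bootstrap_token.sh boot-service` in the third hunk runs `podman exec tokensmith`, which fails whenever that container is not up; combined with `Restart=always` a missing tokensmith becomes a restart loop instead of a clear dependency failure. Keeping `Requires=tokensmith.service` (or `BindsTo=`) for tokensmith while leaving SMD as `Wants=` reflects the real dependency. The new `Wants=`/`After=` comment `# Ensure SMD has started already` no longer describes the line under it, which also lists tokensmith.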
@@ -6,14 +6,16 @@ PartOf=openchami.target [Container] ContainerName=metadata-service -HostName=cloud-init +HostName=metadata-service Image=metadata-service:test -Volume=cloud-init-data:/cloud-init:rw,Z +Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN # Environment Variables EnvironmentFile=/etc/openchami/configs/openchami.env +Exec=serve --tokensmith-url=http://tokensmith:8080 + # Networks for the Container to use Network=openchami-internal.network @@ -21,4 +23,5 @@ Network=openchami-internal.network PodmanArgs=--http-proxy=false [Service] +ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh metadata-service Restart=always \ No newline at end of file From c1020f312ce227cb75bd6fddd81b0305c3c85169 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:08:53 -0600 Subject: [PATCH 05/65] renamed .service files to .container Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 30 +++++++++++++++++++ systemd/containers/metadata-service.container | 27 +++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 systemd/containers/boot-service.container create mode 100644 systemd/containers/metadata-service.container diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container new file mode 100644 index 0000000..cc79678 --- /dev/null +++ b/systemd/containers/boot-service.container 
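Review bot: The added `ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh metadata-service` execs into the tokensmith container, but this unit's `[Unit]` section (outside the hunk) has only `Wants=smd.service` with tokensmith in `After=`, so starting metadata-service on its own never pulls tokensmith in and the pre-start step fails; add `tokensmith.service` to `Wants=` or `Requires=`. The bootstrap token is injected as `type=env`, which makes it readable from the environment of every process in the container; `type=mount` (a file under /run/secrets) limits exposure if the service can read it from a file. `Exec=serve --tokensmith-url=http://tokensmith:8080` omits the `--enable-auth` that boot-service passes; if metadata-service is meant to enforce auth the same way, the flag is missing — I cannot confirm its semantics from here.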
@@ -0,0 +1,30 @@ +[Unit] +Description=The bss container +PartOf=openchami.target + +# Ensure SMD has started already +Wants=smd.service tokensmith.service +After=smd.service tokensmith.service + +[Container] +ContainerName=boot-service +HostName=boot-service +Image=boot-service:test + +# Environment Variables +EnvironmentFile=/etc/openchami/configs/openchami.env + +# Secrets +Secret=boot-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN + +# Networks for the Container to use +Network=openchami-internal.network + +# Proxy settings +PodmanArgs=--http-proxy=false + +Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd + +[Service] +ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service +Restart=always diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container new file mode 100644 index 0000000..4031d45 --- /dev/null +++ b/systemd/containers/metadata-service.container @@ -0,0 +1,27 @@ +[Unit] +Description=The metadata-service container +Wants=smd.service +After=smd.service tokensmith.service +PartOf=openchami.target + +[Container] +ContainerName=metadata-service +HostName=metadata-service +Image=metadata-service:test + +Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN + +# Environment Variables +EnvironmentFile=/etc/openchami/configs/openchami.env + +Exec=serve --tokensmith-url=http://tokensmith:8080 + +# Networks for the Container to use +Network=openchami-internal.network + +# Proxy settings +PodmanArgs=--http-proxy=false + +[Service] +ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh metadata-service +Restart=always \ No newline at end of file From 6f3eb1cfd707537ac17fe80c55fb443163a1e6dc Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:10:24 -0600 Subject: [PATCH 06/65] actually remove the .service files 
Signed-off-by: Travis Cotton --- systemd/containers/boot-service.service | 30 --------------------- systemd/containers/metadata-service.service | 27 ------------------- 2 files changed, 57 deletions(-) delete mode 100644 systemd/containers/boot-service.service delete mode 100644 systemd/containers/metadata-service.service diff --git a/systemd/containers/boot-service.service b/systemd/containers/boot-service.service deleted file mode 100644 index cc79678..0000000 --- a/systemd/containers/boot-service.service +++ /dev/null @@ -1,30 +0,0 @@ -[Unit] -Description=The bss container -PartOf=openchami.target - -# Ensure SMD has started already -Wants=smd.service tokensmith.service -After=smd.service tokensmith.service - -[Container] -ContainerName=boot-service -HostName=boot-service -Image=boot-service:test - -# Environment Variables -EnvironmentFile=/etc/openchami/configs/openchami.env - -# Secrets -Secret=boot-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN - -# Networks for the Container to use -Network=openchami-internal.network - -# Proxy settings -PodmanArgs=--http-proxy=false - -Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd - -[Service] -ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service -Restart=always diff --git a/systemd/containers/metadata-service.service b/systemd/containers/metadata-service.service deleted file mode 100644 index 4031d45..0000000 --- a/systemd/containers/metadata-service.service +++ /dev/null 
@@ -1,27 +0,0 @@ -[Unit] -Description=The metadata-service container -Wants=smd.service -After=smd.service tokensmith.service -PartOf=openchami.target - -[Container] -ContainerName=metadata-service -HostName=metadata-service -Image=metadata-service:test - -Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN - -# Environment Variables -EnvironmentFile=/etc/openchami/configs/openchami.env - -Exec=serve --tokensmith-url=http://tokensmith:8080 - -# Networks for the Container to use -Network=openchami-internal.network - -# Proxy settings -PodmanArgs=--http-proxy=false - -[Service] -ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh metadata-service -Restart=always \ No newline at end of file From 2c05c17a2499795d8716e370da6637bc06389e57 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:13:21 -0600 Subject: [PATCH 07/65] update boot-service description Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index cc79678..84c4e96 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -1,5 +1,5 @@ [Unit] -Description=The bss container +Description=The boot-service container PartOf=openchami.target # Ensure SMD has started already From 4988684429144450378d4faedd2e1f0dd754844e Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:16:13 -0600 Subject: [PATCH 08/65] remove hydra dependency Signed-off-by: Travis Cotton --- systemd/containers/smd.container | 4 ---- 1 file changed, 4 deletions(-) diff --git a/systemd/containers/smd.container b/systemd/containers/smd.container index 7e73cba..7e63430 100644 --- a/systemd/containers/smd.container +++ b/systemd/containers/smd.container 
@@ -6,10 +6,6 @@ PartOf=openchami.target Requires=smd-init.service After=smd-init.service -# Don’t start until JWKS is ready: -Wants=hydra-gen-jwks.service -After=hydra-gen-jwks.service - [Container] ContainerName=smd HostName=smd From f16b0842c827e1b093076124008e630661ee1b1d Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:16:29 -0600 Subject: [PATCH 09/65] update SMD env vars Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index f216bec..ed858bd 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env @@ -20,7 +20,10 @@ SMD_DBPORT=5432 SMD_DBNAME=hmsds SMD_DBUSER=smd-user SMD_DBOPTS=sslmode=disable -SMD_JWKS_URL=http://opaal:3333/keys +SMD_JWKS_URL=http://tokensmith:8080/.well-known/jwks.json +SMD_AUTH_BACKEND=tokensmith +SMD_AUTH_ISSUER=https://tokensmith.openchami.dev +SMD_AUTH_AUDIENCES=smd # Environemnt Variables TOKENSMITH_ISSUER=https://tokensmith.openchami.dev From b5591a4d7c588f04d10c4402832b9b63905023f0 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:17:54 -0600 Subject: [PATCH 10/65] update where tokesmith config file is mounted from Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index bfa2e0d..3ccc441 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -9,7 +9,7 @@ Image=ghcr.io/openchami/tokensmith:pr-19 EnvironmentFile=/etc/openchami/configs/openchami.env # Volumes -Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z +Volume=/etc/openchami/configs/tokensmith.json:/tokensmith/config.json:Z # Networks for the Container to use Network=openchami-internal.network 
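Review bot: `SMD_AUTH_ISSUER` and `SMD_AUTH_AUDIENCES=smd` must stay in lock-step with `TOKENSMITH_ISSUER` a few lines below and with the `--target-service smd` the bootstrap script and boot-service's `--tokensmith-target-service smd` pass, but nothing in the file says so; a comment above the `SMD_AUTH_` lines such as `# Must match TOKENSMITH_ISSUER and the --tokensmith-target-service clients request` would save the next person a failed-validation hunt. `SMD_JWKS_URL=http://tokensmith:8080/.well-known/jwks.json` fetches SMD's verification keys over plain HTTP; that is defensible on the podman-internal network, but the JWKS endpoint is the trust root for every authenticated SMD request, so a comment recording that it must only be reachable on the internal network (and why HTTP is acceptable there) is worth adding.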
From 794f992948d87808d1f1bd5bc7b7a55b82558279 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:24:15 -0600 Subject: [PATCH 11/65] updated spec file to include tokensmith bootstrap script Signed-off-by: Travis Cotton --- openchami.spec | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/openchami.spec b/openchami.spec index 0f2fb87..be1b63c 100644 --- a/openchami.spec +++ b/openchami.spec 
@@ -36,23 +36,25 @@ mkdir -p %{buildroot}/etc/openchami/configs \ %{buildroot}/etc/profile.d \ %{buildroot}/usr/libexec/openchami -cp -r systemd/configs/* %{buildroot}/etc/openchami/configs/ -cp -r systemd/containers/* %{buildroot}/etc/containers/systemd/ -cp -r systemd/volumes/* %{buildroot}/etc/containers/systemd/ -cp -r systemd/networks/* %{buildroot}/etc/containers/systemd/ -cp -r systemd/targets/* %{buildroot}/etc/systemd/system/ -cp -r systemd/system/* %{buildroot}/etc/systemd/system/ -cp scripts/bootstrap_openchami.sh %{buildroot}/usr/libexec/openchami/ -cp scripts/openchami-certificate-update %{buildroot}/usr/bin/ -cp scripts/openchami_profile.sh %{buildroot}/etc/profile.d/openchami.sh -cp scripts/multi-psql-db.sh %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh -cp scripts/ohpc-nodes.sh %{buildroot}/usr/libexec/openchami/ +cp -r systemd/configs/* %{buildroot}/etc/openchami/configs/ +cp -r systemd/containers/* %{buildroot}/etc/containers/systemd/ +cp -r systemd/volumes/* %{buildroot}/etc/containers/systemd/ +cp -r systemd/networks/* %{buildroot}/etc/containers/systemd/ +cp -r systemd/targets/* %{buildroot}/etc/systemd/system/ +cp -r systemd/system/* %{buildroot}/etc/systemd/system/ +cp scripts/bootstrap_openchami.sh %{buildroot}/usr/libexec/openchami/ +cp scripts/openchami-certificate-update %{buildroot}/usr/bin/ +cp scripts/openchami_profile.sh %{buildroot}/etc/profile.d/openchami.sh +cp scripts/multi-psql-db.sh %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh +cp scripts/ohpc-nodes.sh %{buildroot}/usr/libexec/openchami/ +cp scripts/tokensmith_bootstrap_token.sh %{buildroot}/usr/sbin/ chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh chmod +x %{buildroot}/usr/bin/openchami-certificate-update chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh +chmod 0700 %{buildroot}/usr/sbin/tokensmith_bootstrap_token.sh 
chmod 600 %{buildroot}/etc/openchami/configs/openchami.env chmod 644 %{buildroot}/etc/openchami/configs/* From 29d317759143e211458ca4bdad0c5b2cf0d1eb17 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:25:59 -0600 Subject: [PATCH 12/65] update spec again and renamed script to remove .sh ending Signed-off-by: Travis Cotton --- openchami.spec | 4 ++-- ...kensmith_bootstrap_token.sh => tokensmith_bootstrap_token} | 0 2 files changed, 2 insertions(+), 2 deletions(-) rename scripts/{tokensmith_bootstrap_token.sh => tokensmith_bootstrap_token} (100%) diff --git a/openchami.spec b/openchami.spec index be1b63c..032ec73 100644 --- a/openchami.spec +++ b/openchami.spec @@ -47,14 +47,14 @@ cp scripts/openchami-certificate-update %{buildroot}/usr/bin/ cp scripts/openchami_profile.sh %{buildroot}/etc/profile.d/openchami.sh cp scripts/multi-psql-db.sh %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh cp scripts/ohpc-nodes.sh %{buildroot}/usr/libexec/openchami/ -cp scripts/tokensmith_bootstrap_token.sh %{buildroot}/usr/sbin/ +cp scripts/tokensmith_bootstrap_token %{buildroot}/usr/sbin/ chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh chmod +x %{buildroot}/usr/bin/openchami-certificate-update chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh -chmod 0700 %{buildroot}/usr/sbin/tokensmith_bootstrap_token.sh +chmod 0700 %{buildroot}/usr/sbin/tokensmith_bootstrap_token chmod 600 %{buildroot}/etc/openchami/configs/openchami.env chmod 644 %{buildroot}/etc/openchami/configs/* diff --git a/scripts/tokensmith_bootstrap_token.sh b/scripts/tokensmith_bootstrap_token similarity index 100% rename from scripts/tokensmith_bootstrap_token.sh rename to scripts/tokensmith_bootstrap_token From d45e3a054bfde8bfc5da69756c254b09d78d5be7 Mon Sep 17 00:00:00 2001 
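Review bot: The `chmod 644 %{buildroot}/etc/openchami/configs/*` that closes this hunk re-widens openchami.env to 0644, because the glob matches the same file that the preceding `chmod 600` just restricted, so the env file the spec evidently means to keep private is packaged world-readable. Reverse the two lines so the narrower mode runs last: `chmod 644 %{buildroot}/etc/openchami/configs/*` followed by `chmod 600 %{buildroot}/etc/openchami/configs/openchami.env`. The new `chmod 0700` on tokensmith_bootstrap_token.sh only survives into the package if the %files section, which is outside this hunk, does not override it with %defattr/%attr. The `chmod +x` lines for bootstrap_openchami.sh and ohpc-nodes.sh each appear twice in the context and one copy of each can go.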
From: Travis Cotton Date: Tue, 14 Apr 2026 08:28:50 -0600 Subject: [PATCH 13/65] update spec to hopefully fix rpm not building Signed-off-by: Travis Cotton --- openchami.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openchami.spec b/openchami.spec index 032ec73..fa8027f 100644 --- a/openchami.spec +++ b/openchami.spec @@ -33,6 +33,7 @@ mkdir -p %{buildroot}/etc/openchami/configs \ %{buildroot}/etc/containers/systemd \ %{buildroot}/etc/systemd/system \ %{buildroot}/usr/bin \ + %{buildroot}/usr/sbin \ %{buildroot}/etc/profile.d \ %{buildroot}/usr/libexec/openchami @@ -47,7 +48,7 @@ cp scripts/openchami-certificate-update %{buildroot}/usr/bin/ cp scripts/openchami_profile.sh %{buildroot}/etc/profile.d/openchami.sh cp scripts/multi-psql-db.sh %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh cp scripts/ohpc-nodes.sh %{buildroot}/usr/libexec/openchami/ -cp scripts/tokensmith_bootstrap_token %{buildroot}/usr/sbin/ +cp scripts/tokensmith_bootstrap_token %{buildroot}/usr/sbin/ chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh From 0a4adaff42bcd94c92907cc26015d2b35a58e32b Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:33:35 -0600 Subject: [PATCH 14/65] update spec yet again to add tokensmith_bootstrap_token to the config list Signed-off-by: Travis Cotton --- openchami.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/openchami.spec b/openchami.spec index fa8027f..dbf50c3 100644 --- a/openchami.spec +++ b/openchami.spec @@ -73,6 +73,7 @@ chmod 644 %{buildroot}/etc/openchami/configs/* /etc/profile.d/openchami.sh /etc/openchami/pg-init/multi-psql-db.sh /usr/bin/openchami-certificate-update +/usr/sbin/tokensmith_bootstrap_token %pre if [ -f /etc/containers/systemd/coresmd.container ]; then From 91b1c46a40ffe76001646a58970c1657ddcb6b31 Mon Sep 17 00:00:00 2001 
From: Travis Cotton Date: Tue, 14 Apr 2026 08:41:59 -0600 Subject: [PATCH 15/65] update ExecStartPre to use renamed tokensmith bootstrap script Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index 84c4e96..b41bb43 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -26,5 +26,5 @@ PodmanArgs=--http-proxy=false Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd [Service] -ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service +ExecStartPre=/usr/sbin/tokensmith_bootstrap_token boot-service Restart=always From d030f20ef4975c380af4eb38aea8fa9f390b9c72 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:42:50 -0600 Subject: [PATCH 16/65] added boostrap secret to metadata-service Signed-off-by: Travis Cotton --- systemd/containers/metadata-service.container | 3 +++ 1 file changed, 3 insertions(+) diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 4031d45..342cabf 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -14,6 +14,9 @@ Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOK # Environment Variables EnvironmentFile=/etc/openchami/configs/openchami.env +# Secrets +Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN + Exec=serve --tokensmith-url=http://tokensmith:8080 # Networks for the Container to use From 00eb5cdb74c8ae42edf5931c2c67bceee957f82b Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Tue, 14 Apr 2026 08:50:52 -0600 Subject: [PATCH 17/65] updated openchami.target with new services; removed old ones 
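Review bot: The added `Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN` duplicates the identical line already present earlier in the unit, as the hunk header context shows. Two declarations of the same secret are at best redundant and, depending on how podman treats a repeated `--secret` for one container, may fail the start; keep the copy under the `# Secrets` header and drop the other. The `ExecStartPre` that mints this secret is not in this hunk, so whether the secret exists before the container is created cannot be checked here.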
Signed-off-by: Travis Cotton --- systemd/targets/openchami.target | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/targets/openchami.target b/systemd/targets/openchami.target index 1f1b2ad..15468f8 100644 --- a/systemd/targets/openchami.target +++ b/systemd/targets/openchami.target @@ -1,8 +1,8 @@ [Unit] Description=Group of OpenCHAMI-related services -Requires=bss.service smd.service opaal.service cloud-init-server.service coresmd-coredhcp.service step-ca.service haproxy.service network-online.target +Requires=boot-service.service smd.service tokensmith.service metadata-service.service coresmd-coredhcp.service step-ca.service haproxy.service Wants=coresmd-coredns.service -After=bss-init.service smd-init.service postgres.service coresmd-coredns.service network-online.target +After=smd-init.service postgres.service coresmd-coredns.service [Install] WantedBy=multi-user.target From 39d40052b7c31fc1433b5f559f2d9d5ce1256279 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Wed, 15 Apr 2026 06:47:05 -0600 Subject: [PATCH 18/65] updated tokensmith_bootstrap_token script to match updated tokensmith flags Signed-off-by: Travis Cotton --- scripts/tokensmith_bootstrap_token | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/scripts/tokensmith_bootstrap_token b/scripts/tokensmith_bootstrap_token index f9f8083..766e05e 100644 --- a/scripts/tokensmith_bootstrap_token +++ b/scripts/tokensmith_bootstrap_token 
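Review bot: The new `Requires=` and `After=` lines drop `network-online.target` together with the removed bss/opaal/cloud-init units, which the commit message does not mention. haproxy.service and coresmd-coredhcp.service stay in `Requires=`, and if either binds to a specific host address they can now be pulled in before networking is configured; if the drop is unintentional, restore `Wants=coresmd-coredns.service network-online.target` and `After=smd-init.service postgres.service coresmd-coredns.service network-online.target`. tokensmith.service is required but not ordered here, which is fine only as long as each consuming container carries its own `After=tokensmith.service`.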
@@ -1,14 +1,17 @@ #!/bin/bash CLIENT="${1}" -SERVICE="smd" +SERVICE="hsm" TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\ - /usr/local/bin/tokensmith mint-bootstrap-token \ - --key-file /tmp/tokensmith/keys/private.pem \ - --service-id ${CLIENT}-client \ - --target-service ${SERVICE} - ") + /usr/local/bin/tokensmith bootstrap-token create \ + --bootstrap-store /tmp/tokensmith/bootstrap \ + --subject \${CLIENT} \ + --audience \${SERVICE} \ + --scopes "read" \ + --output-format json | jq -r '.bootstrap_token' + ") + SECRET_NAME="${CLIENT}-bootstrap-token" printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm ${SECRET_NAME} 2>/dev/null || true printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create ${SECRET_NAME} - \ No newline at end of file From 3b7d2729c03c959c0dcefc85e3ccc28cc0e63bf7 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Wed, 15 Apr 2026 11:59:09 -0600 Subject: [PATCH 19/65] use v0.4.0 for tokensmith Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index 3ccc441..aac4741 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -5,7 +5,7 @@ PartOf=openchami.target [Container] ContainerName=tokensmith HostName=tokensmith -Image=ghcr.io/openchami/tokensmith:pr-19 +Image=ghcr.io/openchami/tokensmith:v0.4.0 EnvironmentFile=/etc/openchami/configs/openchami.env # Volumes From a0d59ee05c42c745d4944f6a0d9f5df05c9c4218 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Wed, 15 Apr 2026 14:17:13 -0600 Subject: [PATCH 20/65] update tokensmith container Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
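Review bot: The new `bootstrap-token create ... | jq -r '.bootstrap_token'` pipeline leaves `$TOKENSMITH_BOOTSTRAP_TOKEN` empty whenever `podman exec`, the tokensmith CLI or jq fails, and the script then stores an empty secret and exits 0, so the dependent service starts with a worthless token; add `[[ -n "$TOKENSMITH_BOOTSTRAP_TOKEN" ]] || { echo "no bootstrap token minted for ${CLIENT}" >&2; exit 1; }` before the `podman secret` calls (patch 34, the later commit touching this script, does not add this either). The `--scopes "read"` line sits inside the outer double-quoted `sh -c` string, so the inner quotes close and reopen that string; it works only because `read` contains no shell-special characters, and `--scopes read \` or `--scopes \"read\" \` is the intended form. `SERVICE` changes from `smd` to `hsm` and becomes the token `--audience`, while SMD is configured with `SMD_AUTH_AUDIENCES=smd` in patch 09; if the audience survives the RFC 8693 exchange unchanged, SMD would reject the resulting token, so this is worth confirming against tokensmith's exchange semantics.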
diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index aac4741..8af4ee0 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -6,10 +6,14 @@ PartOf=openchami.target ContainerName=tokensmith HostName=tokensmith Image=ghcr.io/openchami/tokensmith:v0.4.0 + EnvironmentFile=/etc/openchami/configs/openchami.env +Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint + # Volumes -Volume=/etc/openchami/configs/tokensmith.json:/tokensmith/config.json:Z +Volume=/etc/openchami/tokensmith/config.json:/tokensmith/config.json:Z + # Networks for the Container to use Network=openchami-internal.network @@ -21,6 +25,4 @@ PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254' PodmanArgs=--http-proxy=false [Service] -Restart=always -# Run commands after container starts -ExecStartPost=sleep 10s \ No newline at end of file +Restart=always \ No newline at end of file From 1789faa89542af7fe58f7d52b578fee95360634c Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 06:29:29 -0600 Subject: [PATCH 21/65] update bootstrap_token to read the container env for token directory Signed-off-by: Travis Cotton --- scripts/tokensmith_bootstrap_token | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/tokensmith_bootstrap_token b/scripts/tokensmith_bootstrap_token index 766e05e..9127168 100644 --- a/scripts/tokensmith_bootstrap_token +++ b/scripts/tokensmith_bootstrap_token 
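Review bot: The new `Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" ...` line depends on `$TOKENSMITH_*` being expanded, but Quadlet hands `Exec=` to `podman run` as the container command while the `[Container]` `EnvironmentFile=` feeds the container environment rather than systemd's ExecStart expansion, so unless the image entrypoint is a shell those flags will likely receive the literal `$…` strings; confirm the flags actually get values before relying on them. At this commit `TOKENSMITH_RFC8693_BOOTSTRAP_STORE` and `TOKENSMITH_RFC8693_REFRESH_STORE` are not defined in openchami.env (they first appear in a later commit of this series), so even with expansion the two store flags are empty. `--enable-local-user-mint` is a security-relevant switch whose name suggests it lets local users mint tokens; a comment in the unit stating why it is on and which network can reach the service, e.g. `# local-user minting enabled for the demo bootstrap flow; reachable only via openchami-internal`, would help the next maintainer, and the reachability claim should be checked against the haproxy routing.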
@@ -5,7 +5,7 @@ SERVICE="hsm" TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\ /usr/local/bin/tokensmith bootstrap-token create \ - --bootstrap-store /tmp/tokensmith/bootstrap \ + --bootstrap-store \${TOKENSMITH_RFC8693_BOOTSTRAP_STORE} \ --subject \${CLIENT} \ --audience \${SERVICE} \ --scopes "read" \ From 3813f90386233fedd4c2abf73ca7a780423bc924 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 06:29:56 -0600 Subject: [PATCH 22/65] make boot-service require tokensmith Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 1 + 1 file changed, 1 insertion(+) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index b41bb43..3d14be6 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -5,6 +5,7 @@ PartOf=openchami.target # Ensure SMD has started already Wants=smd.service tokensmith.service After=smd.service tokensmith.service +Requires=tokensmith.service [Container] ContainerName=boot-service From 2fbbbb85fc5418196fadfada24337799da777dbe Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 06:30:21 -0600 Subject: [PATCH 23/65] add persistent volume for tokensmith data Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 2 +- systemd/containers/tokensmith.container | 3 ++- systemd/volumes/tokensmith.volume | 5 +++++ 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 systemd/volumes/tokensmith.volume diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index ed858bd..7a7c7f3 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env 
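Review bot: `--bootstrap-store \${TOKENSMITH_RFC8693_BOOTSTRAP_STORE}` now reads the container's environment, but openchami.env does not define that variable at this commit (it is added later in the series), and an empty expansion silently turns into a missing argument for the tokensmith CLI. Fail loudly instead: `--bootstrap-store \"\${TOKENSMITH_RFC8693_BOOTSTRAP_STORE:?not set in tokensmith container env}\" \`. The enclosing `podman exec ... sh -c` command substitution starts above this hunk and its exit status is not checked there either.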
@@ -29,7 +29,7 @@ SMD_AUTH_AUDIENCES=smd TOKENSMITH_ISSUER=https://tokensmith.openchami.dev TOKENSMITH_CLUSTER_ID=demo-cluster TOKENSMITH_OPENCHAMI_ID=demo-openchami -TOKENSMITH_CONFIG=/tokensmith/config.json +TOKENSMITH_CONFIG=/etc/tokensmith/config.json TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys TOKENSMITH_OIDC_PROVIDER=http://hydra:4444 TOKENSMITH_PORT=8080 diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index 8af4ee0..df5a5d0 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -12,7 +12,8 @@ EnvironmentFile=/etc/openchami/configs/openchami.env Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint # Volumes -Volume=/etc/openchami/tokensmith/config.json:/tokensmith/config.json:Z +Volume=tokensmith-data:/tokensmith:Z +Volume=/etc/openchami/tokensmith/config.json:/etc/tokensmith/config.json:Z # Networks for the Container to use diff --git a/systemd/volumes/tokensmith.volume b/systemd/volumes/tokensmith.volume new file mode 100644 index 0000000..e6fcde5 --- /dev/null +++ b/systemd/volumes/tokensmith.volume @@ -0,0 +1,5 @@ +[Unit] +Description=tokensmith Volume + +[Volume] +VolumeName=tokensmith-data \ No newline at end of file From e13035e51145a8bb825b5262fd0650afe876d857 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 08:04:01 -0600 Subject: [PATCH 24/65] updated tokensmith Exec, boot-service exec, some dependencies 
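Review bot: The new `Volume=tokensmith-data:/tokensmith:Z` mounts the persistent volume at `/tokensmith`, but the env hunk in the same commit still has `TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys`, which lies outside that mount, so the JWKS signing keys are not persisted and every container recreate regenerates them, invalidating every token SMD validates against `http://tokensmith:8080/.well-known/jwks.json`. Either point the key directory under the volume, `TOKENSMITH_KEY_DIR=/tokensmith/keys`, or mount a second volume at `/tmp/tokensmith`. The `--rfc8693-*-store` paths in the `Exec=` context line are likewise only persistent if they resolve under `/tokensmith`.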
Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 17 +++++++++-------- systemd/containers/smd.container | 2 +- systemd/containers/tokensmith.container | 5 ++--- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index 3d14be6..d930b00 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -1,20 +1,21 @@ [Unit] -Description=The boot-service container +Description=The bss container PartOf=openchami.target # Ensure SMD has started already -Wants=smd.service tokensmith.service -After=smd.service tokensmith.service -Requires=tokensmith.service +Wants=tokensmith.service smd.service +After=tokensmith.service smd.service [Container] ContainerName=boot-service HostName=boot-service -Image=boot-service:test +Image=ghcr.io/openchami/boot-service:v0.1.1 # Environment Variables EnvironmentFile=/etc/openchami/configs/openchami.env +#Volume=/etc/openchami/configs/boot-service.yaml:/etc/boot-service/config.yaml:ro,Z + # Secrets Secret=boot-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN @@ -24,8 +25,8 @@ Network=openchami-internal.network # Proxy settings PodmanArgs=--http-proxy=false -Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd +Exec=serve --enable-legacy-api=false --enable-auth=true --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd --port 8081 [Service] -ExecStartPre=/usr/sbin/tokensmith_bootstrap_token boot-service -Restart=always +ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service +Restart=always \ No newline at end of file diff --git a/systemd/containers/smd.container b/systemd/containers/smd.container index 7e63430..660488e 100644 --- a/systemd/containers/smd.container +++ b/systemd/containers/smd.container 
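Review bot: `ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service` in the second hunk reverts the path fixed in patch 15; the spec installs the script as `/usr/sbin/tokensmith_bootstrap_token`, so the pre-start fails on a missing file and the unit never starts. Restore `ExecStartPre=/usr/sbin/tokensmith_bootstrap_token boot-service`. The first hunk also drops the `Requires=tokensmith.service` added one commit earlier, leaving only `Wants=`, so boot-service can be activated while tokensmith is absent and the `podman exec tokensmith` in the pre-start then fails for a second reason; keep `Requires=tokensmith.service` unless the weaker dependency is deliberate. The new `--port 8081` deserves a comment in the unit, because any reverse-proxy backend for this service has to agree with it.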
@@ -9,7 +9,7 @@ After=smd-init.service [Container] ContainerName=smd HostName=smd -Image=ghcr.io/openchami/smd:v2.19.3 +Image=ghcr.io/openchami/smd:v2.20.0 # Environment Variables EnvironmentFile=/etc/openchami/configs/openchami.env diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index df5a5d0..b5a26df 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -6,14 +6,13 @@ PartOf=openchami.target ContainerName=tokensmith HostName=tokensmith Image=ghcr.io/openchami/tokensmith:v0.4.0 - +#Image=tokensmith:test EnvironmentFile=/etc/openchami/configs/openchami.env Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint # Volumes -Volume=tokensmith-data:/tokensmith:Z -Volume=/etc/openchami/tokensmith/config.json:/etc/tokensmith/config.json:Z +Volume=/etc/openchami/tokensmith/config.json:/tokensmith/config.json:Z # Networks for the Container to use From 474577626c91e9b4b047cb341ab82a601ffdcb33 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 08:37:58 -0600 Subject: [PATCH 25/65] remove opaal stuff from bootstrap_openchami.sh Signed-off-by: Travis Cotton --- scripts/bootstrap_openchami.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/bootstrap_openchami.sh b/scripts/bootstrap_openchami.sh index 4a854f6..7a45c62 100644 --- a/scripts/bootstrap_openchami.sh +++ b/scripts/bootstrap_openchami.sh 
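Review bot: This hunk removes `Volume=tokensmith-data:/tokensmith:Z` one commit after it was introduced, so the bootstrap/refresh stores and the key directory fall back to the container's writable layer and are lost on every recreate. If the removal works around the mount-path problem, a comment saying so, or re-adding the volume at the directory the env file actually uses, is better than silently dropping persistence. The commented-out `#Image=tokensmith:test` next to the real `Image=` is leftover debugging noise in a unit shipped by the RPM.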
@@ -46,7 +46,6 @@ acme_correction() { sed -i "s/^ContainerName=.*/ContainerName=${system_fqdn}/" /etc/containers/systemd/acme-register.container sed -i "s/^HostName=.*/HostName=${system_fqdn}/" /etc/containers/systemd/acme-register.container sed -i "s|-d .* \\\\|-d ${system_fqdn} \\\\|" /etc/containers/systemd/acme-register.container - sed -i "s|--add-host='demo\.openchami\.cluster:[0-9\.]*'|--add-host='${system_fqdn}:${primary_ip}'|" /etc/containers/systemd/opaal.container } # Check and create secrets with random passwords if needed From 2eb8996ae29a8c1750876959487046df654fd259 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 08:42:29 -0600 Subject: [PATCH 26/65] update tokensmith container to mount the correct config file path Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index b5a26df..96776ba 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -12,7 +12,7 @@ EnvironmentFile=/etc/openchami/configs/openchami.env Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint # Volumes -Volume=/etc/openchami/tokensmith/config.json:/tokensmith/config.json:Z +Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z # Networks for the Container to use From 88c10b02307850cb2ab0a40d47ec7be64c64e786 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 08:46:41 -0600 Subject: [PATCH 27/65] update tokensmith container to mount the correct config file path for real this time 
Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index 96776ba..eaa9fc7 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container @@ -12,7 +12,7 @@ EnvironmentFile=/etc/openchami/configs/openchami.env Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint # Volumes -Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z +Volume=/etc/openchami/configs/tokensmith.json:/tokensmith/config.json:Z # Networks for the Container to use From 13e4e48bde81ea4c53b57d9aebec9b0d785f258d Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 08:49:36 -0600 Subject: [PATCH 28/65] =?UTF-8?q?ok=20now=20set=20the=20correct=20path=20f?= =?UTF-8?q?or=20mounting=20inside=20the=20tokensmith=20container=20?= =?UTF-8?q?=F0=9F=98=94?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index eaa9fc7..ca30c91 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container 
@@ -12,7 +12,7 @@ EnvironmentFile=/etc/openchami/configs/openchami.env Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint # Volumes -Volume=/etc/openchami/configs/tokensmith.json:/tokensmith/config.json:Z +Volume=/etc/openchami/configs/tokensmith.json:/etc/tokensmith/config.json:Z # Networks for the Container to use From b905e512516da79f8c19dbd7422fbdbe703a0162 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 09:26:21 -0600 Subject: [PATCH 29/65] try to fix volume mount BS Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 4 +++- systemd/containers/tokensmith.container | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index 7a7c7f3..3516508 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env @@ -30,7 +30,9 @@ TOKENSMITH_ISSUER=https://tokensmith.openchami.dev TOKENSMITH_CLUSTER_ID=demo-cluster TOKENSMITH_OPENCHAMI_ID=demo-openchami TOKENSMITH_CONFIG=/etc/tokensmith/config.json -TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys +TOKENSMITH_KEY_DIR=/tokensmith/data/keys +TOKENSMITH_RFC8693_BOOTSTRAP_STORE=/tokensmith/data/bootstrap +TOKENSMITH_RFC8693_REFRESH_STORE=/tokensmith/data/refresh TOKENSMITH_OIDC_PROVIDER=http://hydra:4444 TOKENSMITH_PORT=8080 diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index ca30c91..572e6bc 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container 
@@ -13,7 +13,7 @@ Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUE # Volumes Volume=/etc/openchami/configs/tokensmith.json:/etc/tokensmith/config.json:Z - +Volume=tokensmith-data:/tokensmith/data:Z,U # Networks for the Container to use Network=openchami-internal.network From 289849fd2c5947a44972b67a628b1088ad756952 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 13:18:11 -0600 Subject: [PATCH 30/65] use correct path for tokensmith bootstrap script in boot-service and metadata-service Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 2 +- systemd/containers/metadata-service.container | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index d930b00..32beebf 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -28,5 +28,5 @@ PodmanArgs=--http-proxy=false Exec=serve --enable-legacy-api=false --enable-auth=true --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd --port 8081 [Service] -ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service +ExecStartPre=/usr/sbin/tokensmith_bootstrap_token boot-service Restart=always \ No newline at end of file diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 342cabf..15b3aef 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -26,5 +26,5 @@ Network=openchami-internal.network PodmanArgs=--http-proxy=false [Service] -ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh metadata-service +ExecStartPre=/usr/sbin/tokensmith_bootstrap_token metadata-service Restart=always \ No newline at end of file From 6a7e1a47f2d52ea72a01ff302131055fe3a36456 Mon Sep 17 00:00:00 2001 
From: Travis Cotton Date: Thu, 16 Apr 2026 13:25:22 -0600 Subject: [PATCH 31/65] use pr-7 for metadata Signed-off-by: Travis Cotton --- systemd/containers/metadata-service.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 15b3aef..bbf01d3 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -7,7 +7,7 @@ PartOf=openchami.target [Container] ContainerName=metadata-service HostName=metadata-service -Image=metadata-service:test +Image=ghcr.io/openchami/metadata-service:pr-7 Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN From 408e67a90cb1cbcfedd3e81cf22f46887db1290b Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 13:47:51 -0600 Subject: [PATCH 32/65] update haproxy config Signed-off-by: Travis Cotton --- systemd/configs/haproxy.cfg | 71 +++++++++++++++++++++++-------------- 1 file changed, 45 insertions(+), 26 deletions(-) diff --git a/systemd/configs/haproxy.cfg b/systemd/configs/haproxy.cfg index a1b683e..7a1d8de 100644 --- a/systemd/configs/haproxy.cfg +++ b/systemd/configs/haproxy.cfg 
@@ -25,48 +25,67 @@ frontend openchami acl PATH_smd path_beg -i /hsm/v2 - acl PATH_bss path_beg -i /boot/v1 - acl PATH_bss path_beg -i /apis/bss/ + # acl PATH_bss path_beg -i /boot/v1 + # acl PATH_bss path_beg -i /apis/bss/ - acl PATH_opaal path_beg -i /token - acl PATH_opaal path_beg -i /login - acl PATH_opaal path_beg -i /oidc/callback +# acl PATH_opaal path_beg -i /token +# acl PATH_opaal path_beg -i /login +# acl PATH_opaal path_beg -i /oidc/callback - acl PATH_opaal-idp path_beg -i /.well-known/openid-configuration - acl PATH_opaal-idp path_beg -i /.well-known/jwks.json - acl PATH_opaal-idp path_beg -i /browser/login - acl PATH_opaal-idp path_beg -i /api/login - acl PATH_opaal-idp path_beg -i /oauth2/authorize - acl PATH_opaal-idp path_beg -i /oauth2/token +# acl PATH_opaal-idp path_beg -i /.well-known/openid-configuration +# acl PATH_opaal-idp path_beg -i /.well-known/jwks.json +# acl PATH_opaal-idp path_beg -i /browser/login +# acl PATH_opaal-idp path_beg -i /api/login +# acl PATH_opaal-idp path_beg -i /oauth2/authorize +# acl PATH_opaal-idp path_beg -i /oauth2/token - acl PATH_cloud-init path_beg -i /cloud-init +# acl PATH_cloud-init path_beg -i /cloud-init acl PATH_configurator path_beg -i /generate acl PATH_configurator path_beg -i /configurator - use_backend opaal if PATH_opaal - use_backend opaal-idp if PATH_opaal-idp + # add new services + acl PATH_boot-service path_beg -i /boot-service + acl PATH_metadata-service path_beg -i /metadata + acl PATH_tokensmith path_beg -i /tokensmith + +# use_backend opaal if PATH_opaal +# use_backend opaal-idp if PATH_opaal-idp use_backend smd if PATH_smd - use_backend bss if PATH_bss - use_backend cloud-init if PATH_cloud-init +# use_backend bss if PATH_bss +# use_backend cloud-init if PATH_cloud-init use_backend configurator if PATH_configurator -backend opaal - server opaal opaal:3333 + use_backend boot-service if PATH_boot-service + use_backend metadata-service if PATH_metadata-service + use_backend tokensmith if 
PATH_tokensmith + +# backend opaal +# server opaal opaal:3333 -backend opaal-idp - server opaal-idp opaal-idp:3332 +# backend opaal-idp +# server opaal-idp opaal-idp:3332 backend smd server smd smd:27779 -backend bss - server bss bss:27778 - http-request replace-path ^/apis/bss/(.*) /\1 +# backend bss +# server bss bss:27778 +# http-request replace-path ^/apis/bss/(.*) /\1 -backend cloud-init - server cloud-init-server cloud-init-server:27777 - http-request replace-path ^/cloud-init(/.*) \1 +# backend cloud-init +# server cloud-init-server cloud-init-server:27777 +# http-request replace-path ^/cloud-init(/.*) \1 backend configurator server configurator configurator:3334 init-addr none + +backend boot-service + server boot-service boot-service:8080 +# http-request replace-path ^/boot(/.*) \1 + +backend metadata-service + server metadata-service metadata-service:8888 + +backend tokensmith + server tokensmith tokensmith:8080 \ No newline at end of file From 242773b63e189cd747f2d7bc9e13808990901172 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 16 Apr 2026 13:56:14 -0600 Subject: [PATCH 33/65] haproxy.cfg needs a newline at the end of the file? removed commented out lines too Signed-off-by: Travis Cotton --- systemd/configs/haproxy.cfg | 38 ++----------------------------------- 1 file changed, 2 insertions(+), 36 deletions(-) diff --git a/systemd/configs/haproxy.cfg b/systemd/configs/haproxy.cfg index 7a1d8de..9b37d4c 100644 --- a/systemd/configs/haproxy.cfg +++ b/systemd/configs/haproxy.cfg 
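Review bot: `server boot-service boot-service:8080` in the new `backend boot-service` does not match the `--port 8081` that boot-service.container passes in its `Exec=` (patch 24), so `/boot-service` requests will likely be refused until one side changes, e.g. `server boot-service boot-service:8081`. The new `acl PATH_tokensmith path_beg -i /tokensmith` forwards the prefix unchanged with no `http-request replace-path`, unlike the old bss and cloud-init backends; if tokensmith serves at the root (SMD fetches its keys from `/.well-known/jwks.json`), a rewrite is needed, and exposing the token-minting service through the public frontend deserves an explicit comment on which paths are meant to be reachable from outside. The large blocks of commented-out opaal/bss/cloud-init configuration are removed in the next commit, so nothing further there.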
@@ -25,22 +25,6 @@ frontend openchami acl PATH_smd path_beg -i /hsm/v2 - # acl PATH_bss path_beg -i /boot/v1 - # acl PATH_bss path_beg -i /apis/bss/ - -# acl PATH_opaal path_beg -i /token -# acl PATH_opaal path_beg -i /login -# acl PATH_opaal path_beg -i /oidc/callback - -# acl PATH_opaal-idp path_beg -i /.well-known/openid-configuration -# acl PATH_opaal-idp path_beg -i /.well-known/jwks.json -# acl PATH_opaal-idp path_beg -i /browser/login -# acl PATH_opaal-idp path_beg -i /api/login -# acl PATH_opaal-idp path_beg -i /oauth2/authorize -# acl PATH_opaal-idp path_beg -i /oauth2/token - -# acl PATH_cloud-init path_beg -i /cloud-init - acl PATH_configurator path_beg -i /generate acl PATH_configurator path_beg -i /configurator @@ -49,43 +33,25 @@ frontend openchami acl PATH_metadata-service path_beg -i /metadata acl PATH_tokensmith path_beg -i /tokensmith -# use_backend opaal if PATH_opaal -# use_backend opaal-idp if PATH_opaal-idp use_backend smd if PATH_smd -# use_backend bss if PATH_bss -# use_backend cloud-init if PATH_cloud-init + use_backend configurator if PATH_configurator use_backend boot-service if PATH_boot-service use_backend metadata-service if PATH_metadata-service use_backend tokensmith if PATH_tokensmith -# backend opaal -# server opaal opaal:3333 - -# backend opaal-idp -# server opaal-idp opaal-idp:3332 - backend smd server smd smd:27779 -# backend bss -# server bss bss:27778 -# http-request replace-path ^/apis/bss/(.*) /\1 - -# backend cloud-init -# server cloud-init-server cloud-init-server:27777 -# http-request replace-path ^/cloud-init(/.*) \1 - backend configurator server configurator configurator:3334 init-addr none backend boot-service server boot-service boot-service:8080 -# http-request replace-path ^/boot(/.*) \1 backend metadata-service server metadata-service metadata-service:8888 backend tokensmith - server tokensmith tokensmith:8080 \ No newline at end of file + server tokensmith tokensmith:8080 
From 920d1d590f74a97193fad8951b2663de9a394fe2 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Mon, 20 Apr 2026 06:48:46 -0600 Subject: [PATCH 34/65] work on making bootstrap token scrit better Signed-off-by: Travis Cotton --- scripts/tokensmith_bootstrap_token | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/scripts/tokensmith_bootstrap_token b/scripts/tokensmith_bootstrap_token index 9127168..7ca967c 100644 --- a/scripts/tokensmith_bootstrap_token +++ b/scripts/tokensmith_bootstrap_token @@ -3,6 +3,13 @@ CLIENT="${1}" SERVICE="hsm" +if [[ -z "$CLIENT" ]] +then + echo "Empty client" + exit 1 +fi + +echo "Generating bootstrap token for service client ${CLIENT}" TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\ /usr/local/bin/tokensmith bootstrap-token create \ --bootstrap-store \${TOKENSMITH_RFC8693_BOOTSTRAP_STORE} \ @@ -13,5 +20,6 @@ TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT t ") SECRET_NAME="${CLIENT}-bootstrap-token" -printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm ${SECRET_NAME} 2>/dev/null || true +echo "Creating secret ${CLIENT}-bootstrap-token" +printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm -i ${SECRET_NAME} 2>/dev/null || true printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create ${SECRET_NAME} - \ No newline at end of file From 7c54ae36174760a9c6a98afe91a79dfe1d69f2a2 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Mon, 20 Apr 2026 06:49:16 -0600 Subject: [PATCH 35/65] minor updates to container files Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 4 ++-- systemd/containers/smd.container | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index 32beebf..206eb3d 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container 
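Review bot: The new guard validates only `$CLIENT`; the generated token is never checked, so if the `podman exec` fails the second hunk still runs `podman secret rm -i` followed by `podman secret create` with an empty value, replacing a working secret with an empty one. Add `[[ -n "$TOKENSMITH_BOOTSTRAP_TOKEN" ]] || { echo "Failed to generate bootstrap token for ${CLIENT}" >&2; exit 1; }` before the `podman secret rm -i` line. `${SECRET_NAME}` should be quoted in both `podman secret` calls, the `printf ... |` feeding `podman secret rm` is unnecessary since `rm` reads nothing from stdin, and `echo "Empty client"` belongs on stderr. The new `echo "Creating secret ${CLIENT}-bootstrap-token"` could reuse `"${SECRET_NAME}"` so the two cannot drift.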
@@ -1,8 +1,8 @@ [Unit] -Description=The bss container +Description=The boot-service container PartOf=openchami.target -# Ensure SMD has started already +# Ensure dependent services have started Wants=tokensmith.service smd.service After=tokensmith.service smd.service diff --git a/systemd/containers/smd.container b/systemd/containers/smd.container index 660488e..01b08f5 100644 --- a/systemd/containers/smd.container +++ b/systemd/containers/smd.container @@ -4,7 +4,7 @@ PartOf=openchami.target # Don’t start until its init has run (and propagate failures): Requires=smd-init.service -After=smd-init.service +After=smd-init.service tokensmith.service [Container] ContainerName=smd From b21c9f9fd632127dfadd4a98607009cfeedca251 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Mon, 20 Apr 2026 08:06:11 -0600 Subject: [PATCH 36/65] update haproxy.cfg Signed-off-by: Travis Cotton --- systemd/configs/haproxy.cfg | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/systemd/configs/haproxy.cfg b/systemd/configs/haproxy.cfg index 9b37d4c..cc72700 100644 --- a/systemd/configs/haproxy.cfg +++ b/systemd/configs/haproxy.cfg 
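Review bot: In the smd.container hunk, `After=smd-init.service tokensmith.service` only orders smd behind tokensmith; without a matching `Wants=tokensmith.service` (or `Requires=`), starting `smd.service` alone does not pull tokensmith in, and the ordering is silently ignored whenever tokensmith is not started by something else. Add `Wants=tokensmith.service` next to the existing `Requires=smd-init.service`, and extend the comment above to say why SMD must wait for tokensmith (presumably token validation, which the hunk does not show). The boot-service hunk in the same commit is comment-only.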
@@ -23,20 +23,14 @@ frontend openchami bind :443 ssl crt /etc/haproxy/certs/ strict-sni option forwardfor - acl PATH_smd path_beg -i /hsm/v2 - - acl PATH_configurator path_beg -i /generate - acl PATH_configurator path_beg -i /configurator - - # add new services - acl PATH_boot-service path_beg -i /boot-service - acl PATH_metadata-service path_beg -i /metadata - acl PATH_tokensmith path_beg -i /tokensmith + acl PATH_smd path_beg -i /hsm/v2 + acl PATH_configurator path_beg -i /configurator /generate + acl PATH_boot-service path_beg -i /boot-service/ + acl PATH_metadata-service path_beg -i /metadata/ + acl PATH_tokensmith path_beg -i /tokensmith/ use_backend smd if PATH_smd - use_backend configurator if PATH_configurator - use_backend boot-service if PATH_boot-service use_backend metadata-service if PATH_metadata-service use_backend tokensmith if PATH_tokensmith @@ -48,10 +42,13 @@ backend configurator server configurator configurator:3334 init-addr none backend boot-service - server boot-service boot-service:8080 + http-request set-path %[path,regsub(^/boot-service/,/)] + server boot-service boot-service:8081 backend metadata-service + http-request set-path %[path,regsub(^/metadata/,/)] server metadata-service metadata-service:8888 backend tokensmith + http-request set-path %[path,regsub(^/tokensmith/,/)] server tokensmith tokensmith:8080 From d9d2e7fcac3beefe4046227c3c0cccd7c4cec42c Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Mon, 20 Apr 2026 08:06:45 -0600 Subject: [PATCH 37/65] update openchami.target Signed-off-by: Travis Cotton --- systemd/targets/openchami.target | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/systemd/targets/openchami.target b/systemd/targets/openchami.target index 15468f8..b34ca6d 100644 --- a/systemd/targets/openchami.target +++ b/systemd/targets/openchami.target 
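Review bot: The first hunk drops `use_backend configurator if PATH_configurator` and `use_backend boot-service if PATH_boot-service` while keeping both ACLs and both backends (including the new `http-request set-path` for boot-service), so neither backend is reachable through the frontend any longer and the two ACLs are dead. If that is intentional, the unused ACLs and the boot-service `set-path` should go too; otherwise restore the two `use_backend` lines after `use_backend smd if PATH_smd`. Separately, the ACLs use `path_beg -i` (case-insensitive) while `regsub(^/boot-service/,/)` is case-sensitive, so a request such as `/Boot-Service/x` matches the ACL but is forwarded unrewritten; either drop `-i` or use `regsub(^/boot-service/,/,i)`. The boot-service port change from 8080 to 8081 is not explained in the commit message and deserves a comment on the `server` line.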
@@ -1,7 +1,6 @@ [Unit] Description=Group of OpenCHAMI-related services -Requires=boot-service.service smd.service tokensmith.service metadata-service.service coresmd-coredhcp.service step-ca.service haproxy.service -Wants=coresmd-coredns.service +Wants=coresmd-coredns.service boot-service.service smd.service tokensmith.service metadata-service.service coresmd-coredhcp.service step-ca.service haproxy.service After=smd-init.service postgres.service coresmd-coredns.service [Install] From 6f4ce02b62c423cb2c9d878efea643acbdbf3a22 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Mon, 20 Apr 2026 08:15:48 -0600 Subject: [PATCH 38/65] updated haproxy.cfg, removed more references to opaal Signed-off-by: Travis Cotton --- systemd/configs/haproxy.cfg | 4 ++-- systemd/configs/openchami.env | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/systemd/configs/haproxy.cfg b/systemd/configs/haproxy.cfg index cc72700..8fdd4d6 100644 --- a/systemd/configs/haproxy.cfg +++ b/systemd/configs/haproxy.cfg @@ -26,7 +26,7 @@ frontend openchami acl PATH_smd path_beg -i /hsm/v2 acl PATH_configurator path_beg -i /configurator /generate acl PATH_boot-service path_beg -i /boot-service/ - acl PATH_metadata-service path_beg -i /metadata/ + acl PATH_metadata-service path_beg -i /metadata-service/ acl PATH_tokensmith path_beg -i /tokensmith/ use_backend smd if PATH_smd @@ -46,7 +46,7 @@ backend boot-service server boot-service boot-service:8081 backend metadata-service - http-request set-path %[path,regsub(^/metadata/,/)] + http-request set-path %[path,regsub(^/metadata-service/,/)] server metadata-service metadata-service:8888 backend tokensmith diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index 3516508..2134675 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env 
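Review bot: Moving every member service from `Requires=` to `Wants=` changes the target's failure semantics: `openchami.target` now reaches active even when `tokensmith.service` or `haproxy.service` fail to start, so `systemctl start openchami.target` no longer signals a broken deployment. If that is the intent (targets are commonly `Wants=`-only), a comment such as `# Wants= rather than Requires=: one failing member must not take the whole target down` would make it explicit; otherwise keep `Requires=` for the services the others depend on.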
@@ -46,7 +46,6 @@ DOCKER_STEPCA_INIT_PROVISIONER_NAME="Admin" DOCKER_STEPCA_INIT_PROVISIONER_PASSWORD="provisionerpassword" # Environemnt Variables -OPAAL_URL=http://opaal:3333 HSM_URL=http://smd:27779 ANSIBLE_HOST_KEY_CHECKING=False From 8f937f3bab80864a0d635631d7ba8bbebfa79348 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Mon, 20 Apr 2026 08:16:11 -0600 Subject: [PATCH 39/65] update some quadlet dependencies Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 4 ++-- systemd/containers/metadata-service.container | 3 ++- systemd/containers/smd.container | 1 + 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index 206eb3d..7c10cd8 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -3,8 +3,8 @@ Description=The boot-service container PartOf=openchami.target # Ensure dependent services have started -Wants=tokensmith.service smd.service -After=tokensmith.service smd.service +Wants=smd.service +After=smd.service [Container] ContainerName=boot-service diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index bbf01d3..7497eab 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -1,7 +1,8 @@ [Unit] Description=The metadata-service container +# Depends on SMD Wants=smd.service -After=smd.service tokensmith.service +After=smd.service PartOf=openchami.target [Container] diff --git a/systemd/containers/smd.container b/systemd/containers/smd.container index 01b08f5..3eafcdf 100644 --- a/systemd/containers/smd.container +++ b/systemd/containers/smd.container 
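Review bot: Removing `tokensmith.service` from `Wants=`/`After=` in both the boot-service and metadata-service units leaves their ordering behind tokensmith implicit: it now holds only transitively through `After=smd.service`, given smd's own `After=tokensmith.service`. If these units obtain a bootstrap token from the tokensmith container at start (the `Secret=...-bootstrap-token` lines elsewhere in the series suggest so), a comment such as `# ordered after tokensmith via smd.service` would record the chain so a later change to smd.container does not silently break it.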
@@ -5,6 +5,7 @@ PartOf=openchami.target # Don’t start until its init has run (and propagate failures): Requires=smd-init.service After=smd-init.service tokensmith.service +Wants=smd-init.service tokensmith.service [Container] ContainerName=smd From d01b94886ffa894997696d84025e79281f667221 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 07:28:50 -0600 Subject: [PATCH 40/65] change target service from hsm to smd Signed-off-by: Travis Cotton --- scripts/tokensmith_bootstrap_token | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/tokensmith_bootstrap_token b/scripts/tokensmith_bootstrap_token index 7ca967c..9d4bca9 100644 --- a/scripts/tokensmith_bootstrap_token +++ b/scripts/tokensmith_bootstrap_token @@ -1,7 +1,7 @@ #!/bin/bash CLIENT="${1}" -SERVICE="hsm" +SERVICE="smd" if [[ -z "$CLIENT" ]] then From 22776a175bb2c70fff547e74ab2c64b5061b1188 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 07:29:10 -0600 Subject: [PATCH 41/65] update boot-service container to use v0.1.5 Signed-off-by: Travis Cotton --- systemd/containers/boot-service.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index 7c10cd8..3c88578 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -9,7 +9,7 @@ After=smd.service [Container] ContainerName=boot-service HostName=boot-service -Image=ghcr.io/openchami/boot-service:v0.1.1 +Image=ghcr.io/openchami/boot-service:v0.1.5 # Environment Variables EnvironmentFile=/etc/openchami/configs/openchami.env From 03eeec3062f0082754b62f994ae1e025aae8d54f Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 07:39:48 -0600 Subject: [PATCH 42/65] remove hydra stuff from bootstrap+openchami.sh Signed-off-by: Travis Cotton --- scripts/bootstrap_openchami.sh | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) 
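Review bot: `Wants=smd-init.service tokensmith.service` lists `smd-init.service`, which is already pulled in by the stronger `Requires=smd-init.service` two lines above; the Wants entry for it is redundant and invites confusion over which relation applies. Reduce the new line to `Wants=tokensmith.service`.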
diff --git a/scripts/bootstrap_openchami.sh b/scripts/bootstrap_openchami.sh index 7a45c62..13b53c8 100644 --- a/scripts/bootstrap_openchami.sh +++ b/scripts/bootstrap_openchami.sh @@ -62,20 +62,9 @@ create_secret_if_not_exists "bss_postgres_password" "$bss_postgres_password" smd_postgres_password=$(generate_random_password) create_secret_if_not_exists "smd_postgres_password" "$smd_postgres_password" -# Hydra Postgres Password -hydra_postgres_password=$(generate_random_password) -create_secret_if_not_exists "hydra_postgres_password" "$hydra_postgres_password" - -# Hydra System Secret -hydra_system_secret=$(generate_random_password) -create_secret_if_not_exists "hydra_system_secret" "$hydra_system_secret" - -# HYDRA_DSN -HYDRA_DSN="postgres://hydra-user:$(podman secret inspect hydra_postgres_password --showsecret | jq -r '.[0].SecretData')@postgres:5432/hydradb?sslmode=disable&max_conns=20&max_idle_conns=4" -create_secret_if_not_exists "hydra_dsn" "$HYDRA_DSN" # POSTGRES_MULTIPLE_DATABASES -POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData'),bssdb:bss-user:$(podman secret inspect bss_postgres_password --showsecret | jq -r '.[0].SecretData'),hydradb:hydra-user:$(podman secret inspect hydra_postgres_password --showsecret | jq -r '.[0].SecretData')" +POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData'),bssdb:bss-user:$(podman secret inspect bss_postgres_password --showsecret | jq -r '.[0].SecretData')" create_secret_if_not_exists "postgres_multiple_databases" "$POSTGRES_MULTIPLE_DATABASES" # openchami.env Configuration From d7841928919051e35173142e08788a125bd687d2 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 07:51:17 -0600 Subject: [PATCH 43/65] remove cloud-init vars, revisit when metadata-service is in a better state 
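Review bot: Dropping the hydra entries from `POSTGRES_MULTIPLE_DATABASES` does not take effect on a host bootstrapped before this change, because `create_secret_if_not_exists` (as its name indicates; the helper is outside the hunk) keeps the existing `postgres_multiple_databases` secret, and the now-unreferenced `hydra_postgres_password`, `hydra_system_secret` and `hydra_dsn` secrets remain in the podman secret store holding credentials nothing uses. Consider a cleanup step — for example `podman secret rm -i hydra_postgres_password hydra_system_secret hydra_dsn` plus re-creating `postgres_multiple_databases` — or a note in the README that existing installs must be re-bootstrapped. The same applies to the later removal of `bss_postgres_password` in PATCH 59.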
Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 5 ----- 1 file changed, 5 deletions(-) diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index 2134675..a9caf91 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env @@ -48,8 +48,3 @@ DOCKER_STEPCA_INIT_PROVISIONER_PASSWORD="provisionerpassword" # Environemnt Variables HSM_URL=http://smd:27779 ANSIBLE_HOST_KEY_CHECKING=False - -# Environemnt Variables for cloud-init -LISTEN=:27777 -SMD_URL=http://smd:27779 -IMPERSONATION=true From a763e131f951e7c0b7edc56c370b99b2bc1b3653 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 08:02:29 -0600 Subject: [PATCH 44/65] set metadata-service to use port 8080 in haproxy since it's the default Signed-off-by: Travis Cotton --- systemd/configs/haproxy.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/configs/haproxy.cfg b/systemd/configs/haproxy.cfg index 8fdd4d6..df9a21c 100644 --- a/systemd/configs/haproxy.cfg +++ b/systemd/configs/haproxy.cfg @@ -47,7 +47,7 @@ backend boot-service backend metadata-service http-request set-path %[path,regsub(^/metadata-service/,/)] - server metadata-service metadata-service:8888 + server metadata-service metadata-service:8080 backend tokensmith http-request set-path %[path,regsub(^/tokensmith/,/)] From 0c8e3156b2854cc272e5930cac1f85da9141c82b Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 08:12:34 -0600 Subject: [PATCH 45/65] remove the tokensmith flag for now, use pr-8 for the image Signed-off-by: Travis Cotton --- systemd/containers/metadata-service.container | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 7497eab..13a36c9 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container 
@@ -8,7 +8,7 @@ PartOf=openchami.target [Container] ContainerName=metadata-service HostName=metadata-service -Image=ghcr.io/openchami/metadata-service:pr-7 +Image=ghcr.io/openchami/metadata-service:pr-8 Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN @@ -18,7 +18,7 @@ EnvironmentFile=/etc/openchami/configs/openchami.env # Secrets Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN -Exec=serve --tokensmith-url=http://tokensmith:8080 +Exec=serve # Networks for the Container to use Network=openchami-internal.network From 4b7c78037ae6ab3261ca6a5da814f67b10a02de9 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 08:25:00 -0600 Subject: [PATCH 46/65] rename cloud-init-data volume to metadata-data, set metadata-service.container to use it Signed-off-by: Travis Cotton --- systemd/containers/metadata-service.container | 2 ++ systemd/volumes/cloud-init-data.volume | 5 ----- systemd/volumes/metadata-data.volume | 5 +++++ 3 files changed, 7 insertions(+), 5 deletions(-) delete mode 100644 systemd/volumes/cloud-init-data.volume create mode 100644 systemd/volumes/metadata-data.volume diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 13a36c9..d96c9bb 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -18,6 +18,8 @@ EnvironmentFile=/etc/openchami/configs/openchami.env # Secrets Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN +Volume=metadata-service-data.volume:/data + Exec=serve # Networks for the Container to use diff --git a/systemd/volumes/cloud-init-data.volume b/systemd/volumes/cloud-init-data.volume deleted file mode 100644 index 6ad7204..0000000 --- a/systemd/volumes/cloud-init-data.volume +++ /dev/null @@ -1,5 +0,0 @@ -[Unit] -Description=cloud-init-server Data Volume - -[Volume] -VolumeName=cloud-init-data 
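Review bot: `Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN` appears twice in the unit — once right after `Image=` and again under `# Secrets` — as the context of both hunks shows; keep only the one under `# Secrets`. Dropping `--tokensmith-url` from `Exec=serve` while still injecting the bootstrap token leaves it unclear how the service reaches tokensmith; if the image reads a `TOKENSMITH_URL`-style variable from `openchami.env` or has a built-in default, a comment on the `Exec=` line saying so would help the next reader.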
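Review bot: `Volume=metadata-service-data.volume:/data` references a Quadlet unit that this commit does not create — the new file is `systemd/volumes/metadata-data.volume` (its `VolumeName=` is `metadata-service-data`, but a `.volume` reference is resolved by unit file name, not by `VolumeName=`), so the generated container unit will not resolve. Change the line to `Volume=metadata-data.volume:/data`, or rename the new file to match.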
diff --git a/systemd/volumes/metadata-data.volume b/systemd/volumes/metadata-data.volume new file mode 100644 index 0000000..f4003ba --- /dev/null +++ b/systemd/volumes/metadata-data.volume @@ -0,0 +1,5 @@ +[Unit] +Description=metadata-service Data Volume + +[Volume] +VolumeName=metadata-service-data From 9633ca9841c61208da48d2dc171795433e19a668 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 08:34:50 -0600 Subject: [PATCH 47/65] fix volume name for metadata Signed-off-by: Travis Cotton --- systemd/containers/metadata-service.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index d96c9bb..9e42db4 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -18,7 +18,7 @@ EnvironmentFile=/etc/openchami/configs/openchami.env # Secrets Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN -Volume=metadata-service-data.volume:/data +Volume=metadata-data.volume:/data Exec=serve From 302261690df5d5f160f58708825b88af5fd5400d Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 08:48:14 -0600 Subject: [PATCH 48/65] bump tokensmith version and update Exec in container file Signed-off-by: Travis Cotton --- systemd/containers/tokensmith.container | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container index 572e6bc..ee18464 100644 --- a/systemd/containers/tokensmith.container +++ b/systemd/containers/tokensmith.container 
@@ -5,11 +5,11 @@ PartOf=openchami.target [Container] ContainerName=tokensmith HostName=tokensmith -Image=ghcr.io/openchami/tokensmith:v0.4.0 +Image=ghcr.io/openchami/tokensmith:v0.4.1 #Image=tokensmith:test EnvironmentFile=/etc/openchami/configs/openchami.env -Exec=serve --oidc-issuer="$TOKENSMITH_OIDC_PROVIDER" --issuer="$TOKENSMITH_ISSUER" --port="$TOKENSMITH_PORT" --cluster-id="$TOKENSMITH_CLUSTER_ID" --openchami-id="$TOKENSMITH_OPENCHAMI_ID" --config="$TOKENSMITH_CONFIG" --key-dir="$TOKENSMITH_KEY_DIR" --rfc8693-bootstrap-store="$TOKENSMITH_RFC8693_BOOTSTRAP_STORE" --rfc8693-refresh-store="$TOKENSMITH_RFC8693_REFRESH_STORE" --enable-local-user-mint +Exec=--enable-local-user-mint # Volumes Volume=/etc/openchami/configs/tokensmith.json:/etc/tokensmith/config.json:Z From 9309ecfe38d05531b31deea364b8d553e266d121 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 09:06:08 -0600 Subject: [PATCH 49/65] added SMD_URL=http://smd:27779 back since metadata-service seems to use it Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 1 + 1 file changed, 1 insertion(+) diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index a9caf91..627fa52 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env @@ -46,5 +46,6 @@ DOCKER_STEPCA_INIT_PROVISIONER_NAME="Admin" DOCKER_STEPCA_INIT_PROVISIONER_PASSWORD="provisionerpassword" # Environemnt Variables +SMD_URL=http://smd:27779 HSM_URL=http://smd:27779 ANSIBLE_HOST_KEY_CHECKING=False From 16ef00618ca1987620c2f2330888953cd4089c05 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 09:16:04 -0600 Subject: [PATCH 50/65] bump smd container version to v2.20.0 Signed-off-by: Travis Cotton --- systemd/containers/smd-init.container | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/systemd/containers/smd-init.container b/systemd/containers/smd-init.container index e5e26fc..d6d5f28 100644 --- a/systemd/containers/smd-init.container 
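Review bot: `Exec=--enable-local-user-mint` now relies entirely on the image's entrypoint to run the `serve` subcommand and to read the issuer, key-dir, bootstrap/refresh-store and OIDC settings from `openchami.env` instead of the flags the old line passed; none of that is visible here, so a comment stating that the v0.4.1 entrypoint defaults to `serve` and reads `TOKENSMITH_*` from the environment would keep the unit self-explaining. `--enable-local-user-mint` is the one option retained and, from its name, is security-relevant (it appears to allow minting user tokens locally rather than through the OIDC provider); add a line such as `# local user minting is enabled because no external OIDC provider is deployed here — disable once one is` so the reason is recorded and revisited when the deployment changes.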
+++ b/systemd/containers/smd-init.container @@ -7,7 +7,8 @@ PartOf=openchami.target [Container] ContainerName=smd-init HostName=smd-init -Image=ghcr.io/openchami/smd:v2.19.3 +Image=ghcr.io/openchami/smd:v2.20.0 + # Environemnt Variables Environment=SMD_DBHOST=postgres From 6ec4562dd376f96c8c8956eaca800db254df4636 Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 09:31:52 -0600 Subject: [PATCH 51/65] removed opaal refernce from openchami-certificate-update Signed-off-by: Travis Cotton --- scripts/openchami-certificate-update | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/openchami-certificate-update b/scripts/openchami-certificate-update index 06d3caa..6331bf5 100755 --- a/scripts/openchami-certificate-update +++ b/scripts/openchami-certificate-update @@ -19,7 +19,6 @@ update_dns() { sed -i "s/^ContainerName=.*/ContainerName=${system_fqdn}/" /etc/containers/systemd/acme-register.container sed -i "s/^HostName=.*/HostName=${system_fqdn}/" /etc/containers/systemd/acme-register.container sed -i "s|-d .* \\\\|-d ${system_fqdn} \\\\|" /etc/containers/systemd/acme-register.container - sed -i "s|--add-host='.*|--add-host='${system_fqdn}:${primary_ip}'|" /etc/containers/systemd/opaal.container # Reload systemD after .container changes systemctl daemon-reload From eda3d55e0ecf836f8a25cfc12fe30c99e9fa456c Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 09:40:11 -0600 Subject: [PATCH 52/65] added comment about OIDC provider in openchami.env file Signed-off-by: Travis Cotton --- systemd/configs/openchami.env | 2 ++ 1 file changed, 2 insertions(+) diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env index 627fa52..017ced9 100644 --- a/systemd/configs/openchami.env +++ b/systemd/configs/openchami.env 
@@ -33,6 +33,8 @@ TOKENSMITH_CONFIG=/etc/tokensmith/config.json TOKENSMITH_KEY_DIR=/tokensmith/data/keys TOKENSMITH_RFC8693_BOOTSTRAP_STORE=/tokensmith/data/bootstrap TOKENSMITH_RFC8693_REFRESH_STORE=/tokensmith/data/refresh +#TOKENSMITH_OIDC_PROVIDER should point to an actual OIDC provider if you intend to use a real provider +#The default is http://hydra:4444 so leaving it here for visibility TOKENSMITH_OIDC_PROVIDER=http://hydra:4444 TOKENSMITH_PORT=8080 From 93f4bf3c7ae268365f20fc15c0e7d9f5a71c6a9e Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 09:46:12 -0600 Subject: [PATCH 53/65] added usage to tokensmith_bootstrap_token, will print when missing client arg Signed-off-by: Travis Cotton --- scripts/tokensmith_bootstrap_token | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/tokensmith_bootstrap_token b/scripts/tokensmith_bootstrap_token index 9d4bca9..d955281 100644 --- a/scripts/tokensmith_bootstrap_token +++ b/scripts/tokensmith_bootstrap_token @@ -1,4 +1,9 @@ #!/bin/bash +usage() { + echo "usage: $0 CLIENT" + echo + echo 'CLIENT: name of client service to generate token for' +} CLIENT="${1}" SERVICE="smd" @@ -6,6 +11,7 @@ SERVICE="smd" if [[ -z "$CLIENT" ]] then echo "Empty client" + usage >&2 exit 1 fi From 6767e880baf4b94c31e287125b8d6808d586fc1d Mon Sep 17 00:00:00 2001 From: Travis Cotton Date: Thu, 14 May 2026 09:49:35 -0600 Subject: [PATCH 54/65] set metadata-service container image version to v0.1.0 Signed-off-by: Travis Cotton --- systemd/containers/metadata-service.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 9e42db4..39644a5 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container 
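Review bot: The new comment presents `TOKENSMITH_OIDC_PROVIDER=http://hydra:4444` as "the default", but the hydra secrets are removed elsewhere in this series and no hydra unit appears in it, so the value points at a host that is never started, and it is a plain `http://` URL for an identity provider. Make the comment say that this is a placeholder not reachable in the shipped quadlets and that a real provider must be given as an `https://` issuer URL, e.g. `# Placeholder only: hydra is not deployed by these units. Set this to your OIDC provider's https:// issuer URL before enabling OIDC.`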
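Review bot: In the tokensmith_bootstrap_token hunk, `usage >&2` sends the usage text to stderr while the preceding `echo "Empty client"` still goes to stdout, so the two halves of one error message land on different streams. Change it to `echo "Empty client" >&2` so both go to stderr.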
@@ -8,7 +8,7 @@ PartOf=openchami.target [Container] ContainerName=metadata-service HostName=metadata-service -Image=ghcr.io/openchami/metadata-service:pr-8 +Image=ghcr.io/openchami/metadata-service:v0.1.0 Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN From b663e65bc8b46eae9a3afacb1b9b002b54259507 Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 14 May 2026 10:41:19 -0600 Subject: [PATCH 55/65] update coredhcp.yaml to match CoreSMD rules in v0.6.* Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- systemd/configs/coredhcp.yaml | 106 +++++++++++++++++++++++++++++----- 1 file changed, 92 insertions(+), 14 deletions(-) diff --git a/systemd/configs/coredhcp.yaml b/systemd/configs/coredhcp.yaml index 1d80964..6477bfd 100644 --- a/systemd/configs/coredhcp.yaml +++ b/systemd/configs/coredhcp.yaml 
@@ -1,18 +1,96 @@ +# Based on https://github.com/coredhcp/coredhcp/blob/master/cmds/coredhcp/config.yml.example +# See there for more extensive CoreDHCP configuration documentation. + server4: -# You can configure the specific interfaces that you want OpenCHAMI to listen on by -# uncommenting the lines below and setting the interface - # listen: - # - "%virbr-openchami" + # Optionally define how CoreDHCP binds to an interface or address. If unset, + # the server will bind to all interfaces (0.0.0.0). + # + #listen: + # - "%virbr-openchami" plugins: -# You are able to set the IP address of the system in server_id as the place to look for a DHCP server -# DNS is able to be set to whatever you want but it is much easier if you keep it set to the server IP -# Router is also able to be set to whatever you network router address is - # - server_id: 172.16.0.254 - # - dns: 172.16.0.254 - # - router: 172.16.0.254 + # Set DHCP Server Identifier to help resolve situations when there are + # multiple DHCP servers on a network. + #- server_id: 172.16.0.254 + + # Advertise list of DNS resolvers to use for hosts on network. + #- dns: 172.16.0.254 + + # REQUIRED: Advertise address of default router on network. + #- router: 172.16.0.254 + + # Advertise network mask of assigned IPs on network. - netmask: 255.255.255.0 -# The lines below define where the system should assign ip addresses for systems that do not have -# mac addresses stored in SMD - # - coresmd: https://demo.openchami.cluster:8443 http://172.16.0.254:8081 /root_ca/root_ca.crt 30s 1h false - # - bootloop: /tmp/coredhcp.db default 5m 172.16.0.200 172.16.0.250 + + # + # OpenCHAMI CONFIGURATION + # + + # Assign IP addresses to devices known to OpenCHAMI based on MAC address. 
+ #- coresmd: | + # /* Base URI for contacting SMD */ + # svc_base_uri=https://demo.openchami.cluster:8443 + # + # /* Base URI for contacting boot-service for boot scripts */ + # ipxe_base_uri=http://172.16.0.254:8081 + # + # /* + # * Path to root CA certificate in container to use for TLS + # * verification for communication with SMD + # */ + # ca_cert=/root_ca/root_ca.crt + # + # /* Refresh interval for CoreSMD's component cache */ + # cache_valid=30s + # + # /* Duration DHCP leases should be valid */ + # lease_time=1h + # + # /* Toggle TFTP single-port mode */ + # single_port=false + # + # /* + # * RICH RULES + # * + # * These are used to set DHCP options based on certain selectors. + # * See: https://github.com/OpenCHAMI/coresmd/blob/main/examples/coredhcp/rules.md + # */ + # + # /* Domain to append to set hostnames (able to be overridden) + # domain=openchami.cluster + # + # /* + # * Log level for rules. + # * + # * none: do not log + # * info: log rule matches + # * debug: log rule matches and non-matches + # */ + # rule_log=info + # + # /* Set hostname based on type (node or BMC, respectively) */ + # rule=type:Node,hostname:n{02d} + # rule=type:NodeBMC,hostname:bmc-s{02d} + + # Optional catch-all for extra devices. This plugin is meant to assign + # temporary IPs via a very short lease to devices not tracked in SMD, e.g. + # for BMCs to be discoverable via Redfish so they _can_ be added to SMD. + # Non-BMC devices are served an iPXE script that instructs them to reboot + # (by default, this is customizable, hence the name 'bootloop') so that + # they will constantly try to get a new lease. The idea is that once they + # are added to SMD, CoreSMD above will catch it. 
+ #- bootloop: | + # /* Where to store leases (sqlite) + # lease_file=/tmp/coredhcp.db + # + # /* iPXE script to use ('default' reboots) + # script_path=default + # + # /* Duration of short-lived lease */ + # lease_time=5m + # + # /* Beginning IP of assignable IPv4 addresses */ + # ipv4_start=172.16.0.200 + # + # /* Ending IP of assignable IPv4 addresses */ + # ipv4_end=172.16.0.250 From 36956de3400e91107d5c1bc080edf6de5c72cdf3 Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 14 May 2026 10:43:44 -0600 Subject: [PATCH 56/65] bump coresmd to v0.6.1 Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- systemd/containers/coresmd-coredhcp.container | 2 +- systemd/containers/coresmd-coredns.container | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/containers/coresmd-coredhcp.container b/systemd/containers/coresmd-coredhcp.container index c76739a..48f0848 100644 --- a/systemd/containers/coresmd-coredhcp.container +++ b/systemd/containers/coresmd-coredhcp.container @@ -8,7 +8,7 @@ PartOf=openchami.target ContainerName=coresmd-coredhcp HostName=coresmd-coredhcp -Image=ghcr.io/openchami/coresmd:v0.4.3 +Image=ghcr.io/openchami/coresmd:v0.6.1 # Capabilities AddCapability=NET_ADMIN diff --git a/systemd/containers/coresmd-coredns.container b/systemd/containers/coresmd-coredns.container index 817479d..0b0b6d6 100644 --- a/systemd/containers/coresmd-coredns.container +++ b/systemd/containers/coresmd-coredns.container @@ -8,7 +8,7 @@ PartOf=openchami.target ContainerName=coresmd-coredns HostName=coresmd-coredns -Image=ghcr.io/openchami/coresmd:v0.4.3 +Image=ghcr.io/openchami/coresmd:v0.6.1 Exec=/coredns From 30ff0b5ab1d4ddac0871312195b7775d1e521ae9 Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 14 May 2026 13:13:26 -0600 Subject: [PATCH 57/65] use xname for bmc hostname pattern 
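Review bot: Three of the C-style comments inside the new plugin examples are never closed: `/* Domain to append to set hostnames (able to be overridden)`, `/* Where to store leases (sqlite)` and `/* iPXE script to use ('default' reboots)` lack `*/`. They are harmless while the whole block sits behind YAML `#`, but the file is written to be uncommented verbatim, and an open `/*` would then swallow `domain=`, `lease_file=` and `script_path=` (and, in the first case, everything up to the next `*/`), assuming the plugin's block comments behave like the closed ones above them. Add ` */` to each of the three lines.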
Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- systemd/configs/coredhcp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/configs/coredhcp.yaml b/systemd/configs/coredhcp.yaml index 6477bfd..2a41be2 100644 --- a/systemd/configs/coredhcp.yaml +++ b/systemd/configs/coredhcp.yaml @@ -69,7 +69,7 @@ server4: # # /* Set hostname based on type (node or BMC, respectively) */ # rule=type:Node,hostname:n{02d} - # rule=type:NodeBMC,hostname:bmc-s{02d} + # rule=type:NodeBMC,hostname:{id} # Optional catch-all for extra devices. This plugin is meant to assign # temporary IPs via a very short lease to devices not tracked in SMD, e.g. From 2e239c64229f066552b4fd94f96d573412050d60 Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 14 May 2026 16:24:30 -0600 Subject: [PATCH 58/65] bump smd to v2.20.3 Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- systemd/containers/smd-init.container | 2 +- systemd/containers/smd.container | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/containers/smd-init.container b/systemd/containers/smd-init.container index d6d5f28..027bccc 100644 --- a/systemd/containers/smd-init.container +++ b/systemd/containers/smd-init.container @@ -7,7 +7,7 @@ PartOf=openchami.target [Container] ContainerName=smd-init HostName=smd-init -Image=ghcr.io/openchami/smd:v2.20.0 +Image=ghcr.io/openchami/smd:v2.20.3 # Environemnt Variables diff --git a/systemd/containers/smd.container b/systemd/containers/smd.container index 3eafcdf..48e8c12 100644 --- a/systemd/containers/smd.container +++ b/systemd/containers/smd.container @@ -10,7 +10,7 @@ Wants=smd-init.service tokensmith.service [Container] ContainerName=smd HostName=smd -Image=ghcr.io/openchami/smd:v2.20.0 +Image=ghcr.io/openchami/smd:v2.20.3 # Environment Variables EnvironmentFile=/etc/openchami/configs/openchami.env 
From f4e572e882becc730995015610760ff5d58c1cea Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 14 May 2026 16:55:44 -0600 Subject: [PATCH 59/65] remove unused secrets Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- scripts/bootstrap_openchami.sh | 8 ++------ systemd/containers/postgres.container | 2 -- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/scripts/bootstrap_openchami.sh b/scripts/bootstrap_openchami.sh index 13b53c8..5dbe170 100644 --- a/scripts/bootstrap_openchami.sh +++ b/scripts/bootstrap_openchami.sh @@ -54,21 +54,17 @@ acme_correction() { postgres_password=$(generate_random_password) create_secret_if_not_exists "postgres_password" "$postgres_password" -# BSS Postgres Password -bss_postgres_password=$(generate_random_password) -create_secret_if_not_exists "bss_postgres_password" "$bss_postgres_password" - # SMD Postgres Password smd_postgres_password=$(generate_random_password) create_secret_if_not_exists "smd_postgres_password" "$smd_postgres_password" # POSTGRES_MULTIPLE_DATABASES -POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData'),bssdb:bss-user:$(podman secret inspect bss_postgres_password --showsecret | jq -r '.[0].SecretData')" +POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData')" create_secret_if_not_exists "postgres_multiple_databases" "$POSTGRES_MULTIPLE_DATABASES" # openchami.env Configuration generate_environment_file # Correct the ACME files -acme_correction \ No newline at end of file +acme_correction diff --git a/systemd/containers/postgres.container b/systemd/containers/postgres.container index 9cc50db..fdcfe44 100644 --- a/systemd/containers/postgres.container +++ b/systemd/containers/postgres.container 
@@ -18,9 +18,7 @@ EnvironmentFile=/etc/openchami/configs/openchami.env # Secrets Secret=postgres_password,type=env,target=POSTGRES_PASSWORD -Secret=bss_postgres_password,type=env,target=BSS_POSTGRES_PASSWORD Secret=smd_postgres_password,type=env,target=SMD_POSTGRES_PASSWORD -Secret=hydra_postgres_password,type=env,target=HYDRA_POSTGRES_PASSWORD Secret=postgres_multiple_databases,type=env,target=POSTGRES_MULTIPLE_DATABASES From 4bbf3250bef66b47df338c62f8709bfca52476a5 Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 14 May 2026 17:03:01 -0600 Subject: [PATCH 60/65] remove extra newline in coredhcp.yaml Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- systemd/configs/coredhcp.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/systemd/configs/coredhcp.yaml b/systemd/configs/coredhcp.yaml index 2a41be2..e54af04 100644 --- a/systemd/configs/coredhcp.yaml +++ b/systemd/configs/coredhcp.yaml @@ -93,4 +93,3 @@ server4: # # /* Ending IP of assignable IPv4 addresses */ # ipv4_end=172.16.0.250 - From 95ef2284bd6fcbbc988ffe85961c6e4c7cfd21b4 Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 28 May 2026 13:50:46 -0600 Subject: [PATCH 61/65] bump coresmd to v0.6.3 Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- systemd/containers/coresmd-coredhcp.container | 2 +- systemd/containers/coresmd-coredns.container | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/containers/coresmd-coredhcp.container b/systemd/containers/coresmd-coredhcp.container index 48f0848..2f15830 100644 --- a/systemd/containers/coresmd-coredhcp.container +++ b/systemd/containers/coresmd-coredhcp.container @@ -8,7 +8,7 @@ PartOf=openchami.target ContainerName=coresmd-coredhcp HostName=coresmd-coredhcp -Image=ghcr.io/openchami/coresmd:v0.6.1 +Image=ghcr.io/openchami/coresmd:v0.6.3 # Capabilities AddCapability=NET_ADMIN 
diff --git a/systemd/containers/coresmd-coredns.container b/systemd/containers/coresmd-coredns.container index 0b0b6d6..f9554e9 100644 --- a/systemd/containers/coresmd-coredns.container +++ b/systemd/containers/coresmd-coredns.container @@ -8,7 +8,7 @@ PartOf=openchami.target ContainerName=coresmd-coredns HostName=coresmd-coredns -Image=ghcr.io/openchami/coresmd:v0.6.1 +Image=ghcr.io/openchami/coresmd:v0.6.3 Exec=/coredns From 6442d3e0db9ec87dbe0e03ce509cff59aa8c5abc Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Mon, 1 Jun 2026 09:45:41 -0600 Subject: [PATCH 62/65] bump boot-service to v0.1.6 for client debug messages Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- systemd/containers/boot-service.container | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/containers/boot-service.container b/systemd/containers/boot-service.container index 3c88578..867256b 100644 --- a/systemd/containers/boot-service.container +++ b/systemd/containers/boot-service.container @@ -9,7 +9,7 @@ After=smd.service [Container] ContainerName=boot-service HostName=boot-service -Image=ghcr.io/openchami/boot-service:v0.1.5 +Image=ghcr.io/openchami/boot-service:v0.1.6 # Environment Variables EnvironmentFile=/etc/openchami/configs/openchami.env @@ -29,4 +29,4 @@ Exec=serve --enable-legacy-api=false --enable-auth=true --tokensmith_url=http:// [Service] ExecStartPre=/usr/sbin/tokensmith_bootstrap_token boot-service -Restart=always \ No newline at end of file +Restart=always From 9a99f8c52ecbe6608ccd3ad8ff1ecef463144cff Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Wed, 3 Jun 2026 13:16:07 -0600 Subject: [PATCH 63/65] bump metadata-service to v0.1.1 Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- systemd/containers/metadata-service.container | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 39644a5..5725596 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -8,7 +8,7 @@ PartOf=openchami.target [Container] ContainerName=metadata-service HostName=metadata-service -Image=ghcr.io/openchami/metadata-service:v0.1.0 +Image=ghcr.io/openchami/metadata-service:v0.1.1 Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN @@ -30,4 +30,4 @@ PodmanArgs=--http-proxy=false [Service] ExecStartPre=/usr/sbin/tokensmith_bootstrap_token metadata-service -Restart=always \ No newline at end of file +Restart=always From 76177ffd4c2e5b0df31b91c9c83da6d48672ac17 Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 11 Jun 2026 16:19:47 -0600 Subject: [PATCH 64/65] add --tokensmith-url back to metadata-service Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- systemd/containers/metadata-service.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/containers/metadata-service.container b/systemd/containers/metadata-service.container index 5725596..28ef575 100644 --- a/systemd/containers/metadata-service.container +++ b/systemd/containers/metadata-service.container @@ -20,7 +20,7 @@ Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOK Volume=metadata-data.volume:/data -Exec=serve +Exec=serve --tokensmith-url=http://tokensmith:8080 # Networks for the Container to use Network=openchami-internal.network From 4f94aef492e82e1abccaefba868c493bf36259e4 Mon Sep 17 00:00:00 2001 From: Devon Bautista <17506592+synackd@users.noreply.github.com> Date: Thu, 11 Jun 2026 16:34:36 -0600 Subject: [PATCH 65/65] gen_access_token: use tokensmith user-token 
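Review bot: The new `Exec=serve --tokensmith-url=http://tokensmith:8080` line talks to tokensmith over cleartext HTTP, and the unit also injects `TOKENSMITH_BOOTSTRAP_TOKEN` from a secret (visible in the previous hunk), so that token presumably crosses this link unencrypted; that is only acceptable while `openchami-internal.network` is not reachable from outside the host, and the unit should say so. I would add above the Exec line: `# Cleartext HTTP is acceptable only because tokensmith is reachable solely on the internal podman network; the bootstrap token is sent over this link, so never expose that network externally.` Separately, the boot-service unit in the preceding patch spells the same option `--tokensmith_url` (underscore) while this one uses `--tokensmith-url` (hyphen); each binary may define its own spelling, but it is worth confirming, since an unrecognised flag would fail the service at start.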
Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com> --- scripts/openchami_profile.sh | 38 ++++++++++++------------------------ 1 file changed, 12 insertions(+), 26 deletions(-) diff --git a/scripts/openchami_profile.sh b/scripts/openchami_profile.sh index 3d8c603..cd35133 100644 --- a/scripts/openchami_profile.sh +++ b/scripts/openchami_profile.sh @@ -23,32 +23,18 @@ container_curl() { ${CONTAINER_CMD:-docker} run -it --rm "${CURL_CONTAINER}:${CURL_TAG}" -s $url } -create_client_credentials() { - ${CONTAINER_CMD:-docker} exec hydra hydra create client \ - --endpoint http://hydra:4445/ \ - --format json \ - --grant-type client_credentials \ - --scope openid \ - --scope smd.read -} - -retrieve_access_token() { - local CLIENT_ID=$1 - local CLIENT_SECRET=$2 - - ${CONTAINER_CMD:-docker} run --http-proxy=false --rm --network openchami-jwt-internal "${CURL_CONTAINER}:${CURL_TAG}" curl -s -u "$CLIENT_ID:$CLIENT_SECRET" \ - -d grant_type=client_credentials \ - -d scope=openid+smd.read \ - http://hydra:4444/oauth2/token -} - gen_access_token() { - local CLIENT_CREDENTIALS - CLIENT_CREDENTIALS=$(create_client_credentials) - local CLIENT_ID=`echo $CLIENT_CREDENTIALS | jq -r '.client_id'` - local CLIENT_SECRET=`echo $CLIENT_CREDENTIALS | jq -r '.client_secret'` - local ACCESS_TOKEN=$(retrieve_access_token $CLIENT_ID $CLIENT_SECRET | jq -r .access_token) - echo $ACCESS_TOKEN + ${CONTAINER_CMD:-docker} exec tokensmith \ + /bin/sh \ + -c \ + "/usr/local/bin/tokensmith \ + user-token \ + create \ + --audience smd \ + --key-file /tokensmith/data/keys/private.pem \ + --subject 'admin@example.com' \ + --scopes 'admin' \ + --enable-local-user-mint" } @@ -107,4 +93,4 @@ create_podman_secret() { fi echo -n $secret | ${CONTAINER_CMD:-docker} secret create $name - -} \ No newline at end of file +}
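Review bot: The rewritten `gen_access_token` mints an `admin`-scoped token for the hard-coded subject `admin@example.com` straight from the signing key, whereas the removed flow requested only `smd.read`; every caller of this helper now gets full admin rights by default and audit logs attribute the actions to a placeholder identity, so scope and subject should at least be overridable by the caller. The `/bin/sh -c "…"` wrapper is also unnecessary — the command is a single argv — and routing it through a shell string means any future variable interpolation (a scope argument, for instance) becomes command injection inside the container; pass the arguments directly to `docker exec`. No token-lifetime flag is visible here; if tokensmith supports one, a short TTL would be appropriate for an interactively minted admin token. Note that the function now echoes whatever the CLI prints rather than an extracted field, so callers capturing stdout rely on the CLI emitting only the bare token.
```shell
gen_access_token() {
  # Mint a user token locally with the tokensmith signing key.
  # Anyone who can exec into the container can do this, so keep the
  # requested scope minimal: gen_access_token [scopes] [subject]
  local scopes=${1:-admin}
  local subject=${2:-admin@example.com}
  ${CONTAINER_CMD:-docker} exec tokensmith \
    /usr/local/bin/tokensmith user-token create \
      --audience smd \
      --key-file /tokensmith/data/keys/private.pem \
      --subject "$subject" \
      --scopes "$scopes" \
      --enable-local-user-mint
}
```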