OpenCHAMI · travisbcotton · Apr 2, 2026 · Apr 7, 2026 · Apr 7, 2026 · Apr 7, 2026
diff --git a/openchami.spec b/openchami.spec
@@ -33,26 +33,29 @@ mkdir -p %{buildroot}/etc/openchami/configs \
          %{buildroot}/etc/containers/systemd \
          %{buildroot}/etc/systemd/system \
          %{buildroot}/usr/bin \
+         %{buildroot}/usr/sbin \
          %{buildroot}/etc/profile.d \
          %{buildroot}/usr/libexec/openchami
 
-cp -r systemd/configs/*                 %{buildroot}/etc/openchami/configs/
-cp -r systemd/containers/*              %{buildroot}/etc/containers/systemd/
-cp -r systemd/volumes/*                 %{buildroot}/etc/containers/systemd/
-cp -r systemd/networks/*                %{buildroot}/etc/containers/systemd/
-cp -r systemd/targets/*                 %{buildroot}/etc/systemd/system/
-cp -r systemd/system/*                  %{buildroot}/etc/systemd/system/
-cp scripts/bootstrap_openchami.sh       %{buildroot}/usr/libexec/openchami/
-cp scripts/openchami-certificate-update %{buildroot}/usr/bin/
-cp scripts/openchami_profile.sh         %{buildroot}/etc/profile.d/openchami.sh
-cp scripts/multi-psql-db.sh             %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh
-cp scripts/ohpc-nodes.sh          %{buildroot}/usr/libexec/openchami/
+cp -r systemd/configs/*                     %{buildroot}/etc/openchami/configs/
+cp -r systemd/containers/*                  %{buildroot}/etc/containers/systemd/
+cp -r systemd/volumes/*                     %{buildroot}/etc/containers/systemd/
+cp -r systemd/networks/*                    %{buildroot}/etc/containers/systemd/
+cp -r systemd/targets/*                     %{buildroot}/etc/systemd/system/
+cp -r systemd/system/*                      %{buildroot}/etc/systemd/system/
+cp scripts/bootstrap_openchami.sh           %{buildroot}/usr/libexec/openchami/
+cp scripts/openchami-certificate-update     %{buildroot}/usr/bin/
+cp scripts/openchami_profile.sh             %{buildroot}/etc/profile.d/openchami.sh
+cp scripts/multi-psql-db.sh                 %{buildroot}/etc/openchami/pg-init/multi-psql-db.sh
+cp scripts/ohpc-nodes.sh                    %{buildroot}/usr/libexec/openchami/
+cp scripts/tokensmith_bootstrap_token       %{buildroot}/usr/sbin/
 
 chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh
 chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh
 chmod +x %{buildroot}/usr/libexec/openchami/bootstrap_openchami.sh
 chmod +x %{buildroot}/usr/bin/openchami-certificate-update
 chmod +x %{buildroot}/usr/libexec/openchami/ohpc-nodes.sh
+chmod 0700 %{buildroot}/usr/sbin/tokensmith_bootstrap_token
 
 chmod 600 %{buildroot}/etc/openchami/configs/openchami.env
 chmod 644 %{buildroot}/etc/openchami/configs/*
@@ -70,6 +73,7 @@ chmod 644 %{buildroot}/etc/openchami/configs/*
 /etc/profile.d/openchami.sh
 /etc/openchami/pg-init/multi-psql-db.sh
 /usr/bin/openchami-certificate-update
+/usr/sbin/tokensmith_bootstrap_token
 
 %pre
 if [ -f /etc/containers/systemd/coresmd.container ]; then

diff --git a/scripts/bootstrap_openchami.sh b/scripts/bootstrap_openchami.sh
@@ -46,7 +46,6 @@ acme_correction() {
   sed -i "s/^ContainerName=.*/ContainerName=${system_fqdn}/" /etc/containers/systemd/acme-register.container
   sed -i "s/^HostName=.*/HostName=${system_fqdn}/" /etc/containers/systemd/acme-register.container
   sed -i "s|-d .* \\\\|-d ${system_fqdn} \\\\|" /etc/containers/systemd/acme-register.container
-  sed -i "s|--add-host='demo\.openchami\.cluster:[0-9\.]*'|--add-host='${system_fqdn}:${primary_ip}'|" /etc/containers/systemd/opaal.container
 }
 
 # Check and create secrets with random passwords if needed
@@ -55,32 +54,17 @@ acme_correction() {
 postgres_password=$(generate_random_password)
 create_secret_if_not_exists "postgres_password" "$postgres_password"
 
-# BSS Postgres Password
-bss_postgres_password=$(generate_random_password)
-create_secret_if_not_exists "bss_postgres_password" "$bss_postgres_password"
-
 # SMD Postgres Password
 smd_postgres_password=$(generate_random_password)
 create_secret_if_not_exists "smd_postgres_password" "$smd_postgres_password"
 
-# Hydra Postgres Password
-hydra_postgres_password=$(generate_random_password)
-create_secret_if_not_exists "hydra_postgres_password" "$hydra_postgres_password"
-
-# Hydra System Secret
-hydra_system_secret=$(generate_random_password)
-create_secret_if_not_exists "hydra_system_secret" "$hydra_system_secret"
-
-# HYDRA_DSN
-HYDRA_DSN="postgres://hydra-user:$(podman secret inspect hydra_postgres_password --showsecret | jq -r '.[0].SecretData')@postgres:5432/hydradb?sslmode=disable&max_conns=20&max_idle_conns=4"
-create_secret_if_not_exists "hydra_dsn" "$HYDRA_DSN"
 
 # POSTGRES_MULTIPLE_DATABASES
-POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData'),bssdb:bss-user:$(podman secret inspect bss_postgres_password --showsecret | jq -r '.[0].SecretData'),hydradb:hydra-user:$(podman secret inspect hydra_postgres_password --showsecret | jq -r '.[0].SecretData')"
+POSTGRES_MULTIPLE_DATABASES="hmsds:smd-user:$(podman secret inspect smd_postgres_password --showsecret | jq -r '.[0].SecretData')"
 create_secret_if_not_exists "postgres_multiple_databases" "$POSTGRES_MULTIPLE_DATABASES"
 
 # openchami.env Configuration
 generate_environment_file
 
 # Correct the ACME files
-acme_correction
+acme_correction
diff --git a/scripts/openchami-certificate-update b/scripts/openchami-certificate-update
@@ -19,7 +19,6 @@ update_dns() {
     sed -i "s/^ContainerName=.*/ContainerName=${system_fqdn}/" /etc/containers/systemd/acme-register.container
     sed -i "s/^HostName=.*/HostName=${system_fqdn}/" /etc/containers/systemd/acme-register.container
     sed -i "s|-d .* \\\\|-d ${system_fqdn} \\\\|" /etc/containers/systemd/acme-register.container
-    sed -i "s|--add-host='.*|--add-host='${system_fqdn}:${primary_ip}'|" /etc/containers/systemd/opaal.container
 
     # Reload systemD after .container changes
     systemctl daemon-reload

diff --git a/scripts/openchami_profile.sh b/scripts/openchami_profile.sh
@@ -23,32 +23,18 @@ container_curl() {
     ${CONTAINER_CMD:-docker} run -it --rm "${CURL_CONTAINER}:${CURL_TAG}" -s $url
 }
 
-create_client_credentials() {
-   ${CONTAINER_CMD:-docker} exec hydra hydra create client \
-    --endpoint http://hydra:4445/ \
-    --format json \
-    --grant-type client_credentials \
-    --scope openid \
-    --scope smd.read 
-}
-
-retrieve_access_token() {
-    local CLIENT_ID=$1
-    local CLIENT_SECRET=$2
-
-    ${CONTAINER_CMD:-docker} run --http-proxy=false --rm --network openchami-jwt-internal "${CURL_CONTAINER}:${CURL_TAG}" curl -s -u "$CLIENT_ID:$CLIENT_SECRET" \
-    -d grant_type=client_credentials \
-    -d scope=openid+smd.read \
-    http://hydra:4444/oauth2/token
-}
-
 gen_access_token() {
-    local CLIENT_CREDENTIALS
-    CLIENT_CREDENTIALS=$(create_client_credentials)
-    local CLIENT_ID=`echo $CLIENT_CREDENTIALS | jq -r '.client_id'`
-    local CLIENT_SECRET=`echo $CLIENT_CREDENTIALS | jq -r '.client_secret'`
-    local ACCESS_TOKEN=$(retrieve_access_token $CLIENT_ID $CLIENT_SECRET | jq -r .access_token)
-    echo $ACCESS_TOKEN
+    ${CONTAINER_CMD:-docker} exec tokensmith \
+	    /bin/sh \
+	    -c \
+	    "/usr/local/bin/tokensmith \
+		user-token \
+		create \
+		--audience smd \
+		--key-file /tokensmith/data/keys/private.pem \
+		--subject 'admin@example.com' \
+		--scopes 'admin' \
+		--enable-local-user-mint"
 }
 
 
@@ -107,4 +93,4 @@ create_podman_secret() {
     fi
 
     echo -n $secret | ${CONTAINER_CMD:-docker} secret create $name -
-}
+}
diff --git a/scripts/tokensmith_bootstrap_token b/scripts/tokensmith_bootstrap_token
@@ -0,0 +1,31 @@
+#!/bin/bash
+usage() {
+  echo "usage: $0 CLIENT"
+  echo
+  echo 'CLIENT: name of client service to generate token for'
+}
+
+CLIENT="${1}"
+SERVICE="smd"
+
+if [[ -z "$CLIENT" ]]
+then
+	echo "Empty client"
+    usage >&2
+	exit 1
+fi
+
+echo "Generating bootstrap token for service client ${CLIENT}"
+TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\
+                        /usr/local/bin/tokensmith bootstrap-token create \
+                        --bootstrap-store \${TOKENSMITH_RFC8693_BOOTSTRAP_STORE} \
+                        --subject \${CLIENT} \
+                        --audience \${SERVICE} \
+                        --scopes "read" \
+                        --output-format json | jq -r '.bootstrap_token'
+                        ")
+
+SECRET_NAME="${CLIENT}-bootstrap-token"
+echo "Creating secret ${CLIENT}-bootstrap-token"
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm -i ${SECRET_NAME} 2>/dev/null || true
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create ${SECRET_NAME} -
diff --git a/systemd/configs/coredhcp.yaml b/systemd/configs/coredhcp.yaml
@@ -1,18 +1,95 @@
+# Based on https://github.com/coredhcp/coredhcp/blob/master/cmds/coredhcp/config.yml.example
+# See there for more extensive CoreDHCP configuration documentation.
+
 server4:
-# You can configure the specific interfaces that you want OpenCHAMI to listen on by 
-# uncommenting the lines below and setting the interface
-  # listen:
-  #   - "%virbr-openchami"
+  # Optionally define how CoreDHCP binds to an interface or address. If unset,
+  # the server will bind to all interfaces (0.0.0.0).
+  #
+  #listen:
+  #  - "%virbr-openchami"
   plugins:
-# You are able to set the IP address of the system in server_id as the place to look for a DHCP server
-# DNS is able to be set to whatever you want but it is much easier if you keep it set to the server IP
-# Router is also able to be set to whatever you network router address is 
-    # - server_id: 172.16.0.254
-    # - dns: 172.16.0.254
-    # - router: 172.16.0.254
+    # Set DHCP Server Identifier to help resolve situations when there are
+    # multiple DHCP servers on a network.
+    #- server_id: 172.16.0.254
+
+    # Advertise list of DNS resolvers to use for hosts on network.
+    #- dns: 172.16.0.254
+
+    # REQUIRED: Advertise address of default router on network.
+    #- router: 172.16.0.254
+
+    # Advertise network mask of assigned IPs on network.
     - netmask: 255.255.255.0
-# The lines below define where the system should assign ip addresses for systems that do not have
-# mac addresses stored in SMD
-    # - coresmd: https://demo.openchami.cluster:8443 http://172.16.0.254:8081 /root_ca/root_ca.crt 30s 1h false
-    # - bootloop: /tmp/coredhcp.db default 5m 172.16.0.200 172.16.0.250
 
+    #
+    # OpenCHAMI CONFIGURATION
+    #
+
+    # Assign IP addresses to devices known to OpenCHAMI based on MAC address.
+    #- coresmd: |
+    #    /* Base URI for contacting SMD */
+    #    svc_base_uri=https://demo.openchami.cluster:8443
+    #
+    #    /* Base URI for contacting boot-service for boot scripts */
+    #    ipxe_base_uri=http://172.16.0.254:8081
+    #
+    #    /*
+    #     * Path to root CA certificate in container to use for TLS
+    #     * verification for communication with SMD
+    #     */
+    #    ca_cert=/root_ca/root_ca.crt
+    #
+    #    /* Refresh interval for CoreSMD's component cache */
+    #    cache_valid=30s
+    #
+    #    /* Duration DHCP leases should be valid */
+    #    lease_time=1h
+    #
+    #    /* Toggle TFTP single-port mode */
+    #    single_port=false
+    #
+    #    /*
+    #     * RICH RULES
+    #     *
+    #     * These are used to set DHCP options based on certain selectors.
+    #     * See: https://github.com/OpenCHAMI/coresmd/blob/main/examples/coredhcp/rules.md
+    #     */
+    #
+    #    /* Domain to append to set hostnames (able to be overridden)
+    #    domain=openchami.cluster
+    #
+    #    /*
+    #     * Log level for rules.
+    #     *
+    #     * none: do not log
+    #     * info: log rule matches
+    #     * debug: log rule matches and non-matches
+    #     */
+    #    rule_log=info
+    #
+    #    /* Set hostname based on type (node or BMC, respectively) */
+    #    rule=type:Node,hostname:n{02d}
+    #    rule=type:NodeBMC,hostname:{id}
+
+    # Optional catch-all for extra devices. This plugin is meant to assign
+    # temporary IPs via a very short lease to devices not tracked in SMD, e.g.
+    # for BMCs to be discoverable via Redfish so they _can_ be added to SMD.
+    # Non-BMC devices are served an iPXE script that instructs them to reboot
+    # (by default, this is customizable, hence the name 'bootloop') so that
+    # they will constantly try to get a new lease. The idea is that once they
+    # are added to SMD, CoreSMD above will catch it.
+    #- bootloop: |
+    #    /* Where to store leases (sqlite)
+    #    lease_file=/tmp/coredhcp.db
+    #
+    #    /* iPXE script to use ('default' reboots)
+    #    script_path=default
+    #
+    #    /* Duration of short-lived lease */
+    #    lease_time=5m
+    #
+    #    /* Beginning IP of assignable IPv4 addresses */
+    #    ipv4_start=172.16.0.200
+    #
+    #    /* Ending IP of assignable IPv4 addresses */
+    #    ipv4_end=172.16.0.250
diff --git a/systemd/configs/haproxy.cfg b/systemd/configs/haproxy.cfg
@@ -23,50 +23,32 @@ frontend openchami
   bind :443 ssl crt /etc/haproxy/certs/ strict-sni
   option forwardfor
 
-  acl PATH_smd path_beg -i /hsm/v2
+  acl PATH_smd              path_beg -i /hsm/v2
+  acl PATH_configurator     path_beg -i /configurator /generate
+  acl PATH_boot-service     path_beg -i /boot-service/
+  acl PATH_metadata-service path_beg -i /metadata-service/
+  acl PATH_tokensmith       path_beg -i /tokensmith/
 
-  acl PATH_bss path_beg -i /boot/v1
-  acl PATH_bss path_beg -i /apis/bss/
-
-  acl PATH_opaal path_beg -i /token
-  acl PATH_opaal path_beg -i /login
-  acl PATH_opaal path_beg -i /oidc/callback
-
-  acl PATH_opaal-idp path_beg -i /.well-known/openid-configuration
-  acl PATH_opaal-idp path_beg -i /.well-known/jwks.json
-  acl PATH_opaal-idp path_beg -i /browser/login
-  acl PATH_opaal-idp path_beg -i /api/login
-  acl PATH_opaal-idp path_beg -i /oauth2/authorize
-  acl PATH_opaal-idp path_beg -i /oauth2/token
-
-  acl PATH_cloud-init path_beg -i /cloud-init
-
-  acl PATH_configurator path_beg -i /generate
-  acl PATH_configurator path_beg -i /configurator
-
-  use_backend opaal if PATH_opaal
-  use_backend opaal-idp if PATH_opaal-idp
   use_backend smd if PATH_smd
-  use_backend bss if PATH_bss
-  use_backend cloud-init if PATH_cloud-init
   use_backend configurator if PATH_configurator
-
-backend opaal
-  server opaal opaal:3333
-
-backend opaal-idp
-  server opaal-idp opaal-idp:3332
+  use_backend boot-service if PATH_boot-service
+  use_backend metadata-service if PATH_metadata-service
+  use_backend tokensmith if PATH_tokensmith
 
 backend smd
   server smd smd:27779
 
-backend bss
-  server bss bss:27778
-  http-request replace-path ^/apis/bss/(.*) /\1
-
-backend cloud-init
-  server cloud-init-server cloud-init-server:27777
-  http-request replace-path ^/cloud-init(/.*) \1
-
 backend configurator
   server configurator configurator:3334 init-addr none
+
+backend boot-service
+  http-request set-path %[path,regsub(^/boot-service/,/)]
+  server boot-service boot-service:8081
+
+backend metadata-service
+  http-request set-path %[path,regsub(^/metadata-service/,/)]
+  server metadata-service metadata-service:8080
+
+backend tokensmith
+  http-request set-path %[path,regsub(^/tokensmith/,/)]
+  server tokensmith tokensmith:8080