diff --git a/scripts/tokensmith_bootstrap_token.sh b/scripts/tokensmith_bootstrap_token.sh
new file mode 100644
index 0000000..f9f8083
--- /dev/null
+++ b/scripts/tokensmith_bootstrap_token.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+CLIENT="${1}"
+SERVICE="smd"
+
+TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\
+ /usr/local/bin/tokensmith mint-bootstrap-token \
+ --key-file /tmp/tokensmith/keys/private.pem \
+ --service-id ${CLIENT}-client \
+ --target-service ${SERVICE}
+ ")
+SECRET_NAME="${CLIENT}-bootstrap-token"
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm ${SECRET_NAME} 2>/dev/null || true
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create ${SECRET_NAME} -
\ No newline at end of file
diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env
index efbe4ea..f216bec 100644
--- a/systemd/configs/openchami.env
+++ b/systemd/configs/openchami.env
@@ -14,20 +14,6 @@ URLS_LOGOUT=https://${SYSTEM_URL}/logout
 # Environemnt Variables
 POSTGRES_USER=ochami
 
-# Environemnt Variables
-BSS_USESQL=true
-BSS_INSECURE=true
-BSS_DEBUG=true
-BSS_DBHOST=postgres
-BSS_DBPORT=5432
-BSS_DBNAME=bssdb
-BSS_DBUSER=bss-user
-BSS_JWKS_URL=http://opaal:3333/keys
-BSS_OAUTH2_ADMIN_BASE_URL=http://opaal:3333
-BSS_OAUTH2_PUBLIC_BASE_URL=http://opaal:3333
-BSS_IPXE_SERVER=${SYSTEM_URL}
-BSS_CHAIN_PROTO=https
-
 # Environemnt Variables
 SMD_DBHOST=postgres
 SMD_DBPORT=5432
@@ -36,6 +22,15 @@ SMD_DBUSER=smd-user
 SMD_DBOPTS=sslmode=disable
 SMD_JWKS_URL=http://opaal:3333/keys
 
+# Environemnt Variables
+TOKENSMITH_ISSUER=https://tokensmith.openchami.dev
+TOKENSMITH_CLUSTER_ID=demo-cluster
+TOKENSMITH_OPENCHAMI_ID=demo-openchami
+TOKENSMITH_CONFIG=/tokensmith/config.json
+TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys
+TOKENSMITH_OIDC_PROVIDER=http://hydra:4444
+TOKENSMITH_PORT=8080
+
 # Environemnt Variables
 STEPPATH=/home/step
 DOCKER_STEPCA_INIT_NAME=OpenCHAMI
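Review bot: `TOKENSMITH_OIDC_PROVIDER=http://hydra:4444` points at the hydra container that this same commit deletes (`hydra.container`, `hydra-migrate.container`), so tokensmith will start with an unreachable OIDC provider unless hydra is supplied elsewhere; either drop the line or point it at whatever now issues OIDC tokens. The unchanged context line `SMD_JWKS_URL=http://opaal:3333/keys` has the same problem once `opaal.container` is removed. `TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys` keeps the signing private key on the container's ephemeral filesystem, and `tokensmith.container` mounts no volume for it, so presumably the key is regenerated on every restart and every previously issued token is invalidated — if that is intentional for the demo, say so with `# Key dir is ephemeral: issued tokens do not survive a tokensmith restart`. `TOKENSMITH_ISSUER=https://tokensmith.openchami.dev` is a public-looking hostname for a `demo-cluster` deployment; confirm it matches what consumers validate in the `iss` claim.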
@@ -53,6 +48,4 @@ ANSIBLE_HOST_KEY_CHECKING=False
 # Environemnt Variables for cloud-init
 LISTEN=:27777
 SMD_URL=http://smd:27779
-OPAAL_URL=http://opaal:3333
-JWKS_URL=http://opaal:3333/keys
 IMPERSONATION=true
diff --git a/systemd/configs/tokensmith.json b/systemd/configs/tokensmith.json
new file mode 100644
index 0000000..09d4ed4
--- /dev/null
+++ b/systemd/configs/tokensmith.json
@@ -0,0 +1,19 @@
+{
+ "groupScopes": {
+ "admin": [
+ "admin",
+ "write",
+ "read"
+ ],
+ "operator": [
+ "write",
+ "read"
+ ],
+ "user": [
+ "read"
+ ],
+ "viewer": [
+ "read"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/systemd/containers/boot-service.service b/systemd/containers/boot-service.service
new file mode 100644
index 0000000..cc79678
--- /dev/null
+++ b/systemd/containers/boot-service.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=The bss container
+PartOf=openchami.target
+
+# Ensure SMD has started already
+Wants=smd.service tokensmith.service
+After=smd.service tokensmith.service
+
+[Container]
+ContainerName=boot-service
+HostName=boot-service
+Image=boot-service:test
+
+# Environment Variables
+EnvironmentFile=/etc/openchami/configs/openchami.env
+
+# Secrets
+Secret=boot-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN
+
+# Networks for the Container to use
+Network=openchami-internal.network
+
+# Proxy settings
+PodmanArgs=--http-proxy=false
+
+Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd
+
+[Service]
+ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service
+Restart=always
diff --git a/systemd/containers/bss-init.container b/systemd/containers/bss-init.container
deleted file mode 100644
index cc48c9f..0000000
--- a/systemd/containers/bss-init.container
+++ /dev/null
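Review bot: The file is named `boot-service.service` but uses Quadlet-only keys (`[Container]`, `Exec=`, `Secret=`, `Network=`); Quadlet only generates units from `.container` files, and a plain `.service` unit carrying a `[Container]` section has no `ExecStart=` and will not load, so this should be `boot-service.container` like every other unit in this directory, including `tokensmith.container` added in the same commit. `Image=boot-service:test` replaces the pinned `ghcr.io/openchami/bss:v1.32.1` with an unpinned local tag, which is fine for a demo but deserves `# TODO: pin to a released image/digest` before this lands. The `Exec=` line mixes `--tokensmith_url` (underscore) with `--tokensmith-target-service` (hyphens) while `metadata-service` uses `--tokensmith-url`; the CLI definition is not visible here, so please confirm the spelling. `ExecStartPre=` runs `podman exec tokensmith`, which needs the tokensmith container to already be running, so `Requires=tokensmith.service` is safer than `Wants=`.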
@@ -1,28 +0,0 @@
-[Unit]
-Description=The bss-init container
-Wants=smd.service
-Requires=postgres.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=bss-init
-HostName=bss-init
-Image=ghcr.io/openchami/bss:v1.32.1
-
-# Environment Variables
-EnvironmentFile=/etc/openchami/configs/openchami.env
-
-# Secrets
-Secret=bss_postgres_password,type=env,target=BSS_DBPASS
-
-# Networks for the Container to use
-Network=openchami-internal.network
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-PodmanArgs=--entrypoint='["/bin/sh","-c","/usr/local/bin/bss-init "]'
-
-[Service]
-Restart=on-failure
-Type=oneshot
-RemainAfterExit=yes
diff --git a/systemd/containers/bss.container b/systemd/containers/bss.container
deleted file mode 100644
index 48af6ca..0000000
--- a/systemd/containers/bss.container
+++ /dev/null
@@ -1,36 +0,0 @@
-[Unit]
-Description=The bss container
-PartOf=openchami.target
-
-# Ensure the init job has started (and if it fails, BSS will fail):
-Requires=bss-init.service
-After=bss-init.service
-
-# Ensure SMD has started already
-Wants=smd.service
-After=smd.service
-
-# Hydraledger JWKS must be generated first:
-Wants=hydra-gen-jwks.service
-After=hydra-gen-jwks.service
-
-
-[Container]
-ContainerName=bss
-HostName=bss
-Image=ghcr.io/openchami/bss:v1.32.1
-
-# Environment Variables
-EnvironmentFile=/etc/openchami/configs/openchami.env
-
-# Secrets
-Secret=bss_postgres_password,type=env,target=BSS_DBPASS
-
-# Networks for the Container to use
-Network=openchami-internal.network
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
diff --git a/systemd/containers/cloud-init-server.container b/systemd/containers/cloud-init-server.container
deleted file mode 100644
index fd914df..0000000
--- a/systemd/containers/cloud-init-server.container
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=The cloud-init-server container
-Wants=smd.service
-After=smd.service opaal.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=cloud-init-server
-HostName=cloud-init
-Image=ghcr.io/openchami/cloud-init:v1.3.0
-
-Volume=cloud-init-data:/cloud-init:rw,Z
-
-# Environment Variables
-EnvironmentFile=/etc/openchami/configs/openchami.env
-
-# Networks for the Container to use
-Network=openchami-internal.network
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
diff --git a/systemd/containers/coresmd-coredhcp.container b/systemd/containers/coresmd-coredhcp.container
index 29afb18..201ee00 100644
--- a/systemd/containers/coresmd-coredhcp.container
+++ b/systemd/containers/coresmd-coredhcp.container
@@ -1,7 +1,7 @@
 [Unit]
 Description=The CoreSMD CoreDHCP container
-Wants=haproxy.service
-After=haproxy.service
+Wants=tokensmith.service smd.service
+After=tokensmith.service smd.service
 PartOf=openchami.target
 
 [Container]
diff --git a/systemd/containers/haproxy.container b/systemd/containers/haproxy.container
index ac1c0f0..0c91ded 100644
--- a/systemd/containers/haproxy.container
+++ b/systemd/containers/haproxy.container
@@ -1,7 +1,7 @@
 [Unit]
 Description=The haproxy container
-Wants=bss.service cloud-init-server.service smd.service acme-deploy.service
-After=openchami-external-network.service opaal.service smd.service bss.service acme-deploy.service cloud-init-server.service
+Wants=boot-service.service metadata-service.service smd.service acme-deploy.service
+After=openchami-external-network.service smd.service boot-service.service acme-deploy.service metadata-service.service
 Requires=openchami-external-network.service acme-deploy.service
 PartOf=openchami.target
 
diff --git a/systemd/containers/hydra-gen-jwks.container b/systemd/containers/hydra-gen-jwks.container
deleted file mode 100644
index e643bb5..0000000
--- a/systemd/containers/hydra-gen-jwks.container
+++ /dev/null
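Review bot: The new `Wants=`/`After=` on `tokensmith.service smd.service` only orders start-up; unlike `boot-service.service` and `metadata-service.service` in this commit, this unit gets no `Secret=…-bootstrap-token` and no `ExecStartPre=tokensmith_bootstrap_token.sh`, so if coresmd now authenticates to SMD via tokensmith it has no token to do so. If it still reaches SMD unauthenticated, a comment saying so would save the next reader the question, e.g. `# coredhcp queries SMD without a tokensmith bootstrap token`. The rest of the unit is outside the hunk.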
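Review bot: `Wants=`/`After=` now name `boot-service.service` and `metadata-service.service`, but the files added in this commit under those names carry Quadlet `[Container]` sections with a `.service` extension; once they are renamed to `.container` (which Quadlet requires) the generated unit names are still `boot-service.service`/`metadata-service.service`, so these lines are right only under that rename — please confirm that is the plan. The container `HostName=` values also changed from `bss`/`cloud-init` to `boot-service`/`metadata-service`; the haproxy backend configuration is not in this diff, so check that its server entries were updated to the new names and ports. The rest of the unit is outside the hunk.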
@@ -1,26 +0,0 @@
-[Unit]
-Description=The hydra-gen-jwks container
-Wants=hydra.service
-After=hydra.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=hydra-gen-jwks
-HostName=hydra-gen-jwks
-Image=cgr.dev/chainguard/curl:latest
-
-# Command to run in container
-Exec=--retry 10 --retry-delay 5 --retry-all-errors --verbose http://hydra:4444/.well-known/jwks.json
-
-# Networks for the Container to use
-Network=openchami-jwt-internal.network
-
-
-# Unsupported by generator options
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=on-failure
-Type=oneshot
-RemainAfterExit=yes
diff --git a/systemd/containers/hydra-migrate.container b/systemd/containers/hydra-migrate.container
deleted file mode 100644
index 9829126..0000000
--- a/systemd/containers/hydra-migrate.container
+++ /dev/null
@@ -1,32 +0,0 @@
-[Unit]
-Description=The hydra-migrate container
-Requires=postgres.service
-After=postgres.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=hydra-migrate
-HostName=hydra-migrate
-Image=docker.io/oryd/hydra:v2.3
-
-# Volumes
-Volume=/etc/openchami/configs/:/etc/config/hydra:Z
-
-# Secrets
-Secret=hydra_system_secret,type=env,target=SECRETS_SYSTEM
-Secret=hydra_postgres_password,type=env,target=HYDRA_POSTGRES_PASSWORD
-Secret=hydra_dsn,type=env,target=DSN
-
-# Command to run in container
-Exec=migrate -c /etc/config/hydra/hydra.yml sql -e --yes
-
-# Networks for the Container to use
-Network=openchami-internal.network
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=on-failure
-Type=oneshot
-RemainAfterExit=yes
diff --git a/systemd/containers/hydra.container b/systemd/containers/hydra.container
deleted file mode 100644
index 4cd6461..0000000
--- a/systemd/containers/hydra.container
+++ /dev/null
@@ -1,40 +0,0 @@
-[Unit]
-Description=The hydra container
-PartOf=openchami.target
-
-# 1) Don’t start until hydra-migrate has successfully started:
-Requires=hydra-migrate.service
-After=hydra-migrate.service
-
-# 2) Also require Step-CA to be running first:
-Wants=step-ca.service
-After=step-ca.service
-
-
-[Container]
-ContainerName=hydra
-HostName=hydra
-Image=docker.io/oryd/hydra:v2.3
-
-# Volumes
-Volume=/etc/openchami/configs/:/etc/config/hydra:Z
-
-# Environment Variables
-EnvironmentFile=/etc/openchami/configs/openchami.env
-
-# Secrets
-Secret=hydra_system_secret,type=env,target=SECRETS_SYSTEM
-Secret=hydra_dsn,type=env,target=DSN
-
-# Command to run in container
-Exec=serve -c /etc/config/hydra/hydra.yml all --sqa-opt-out
-
-# Networks for the Container to use
-Network=openchami-jwt-internal.network
-
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
diff --git a/systemd/containers/metadata-service.service b/systemd/containers/metadata-service.service
new file mode 100644
index 0000000..4031d45
--- /dev/null
+++ b/systemd/containers/metadata-service.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=The metadata-service container
+Wants=smd.service
+After=smd.service tokensmith.service
+PartOf=openchami.target
+
+[Container]
+ContainerName=metadata-service
+HostName=metadata-service
+Image=metadata-service:test
+
+Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN
+
+# Environment Variables
+EnvironmentFile=/etc/openchami/configs/openchami.env
+
+Exec=serve --tokensmith-url=http://tokensmith:8080
+
+# Networks for the Container to use
+Network=openchami-internal.network
+
+# Proxy settings
+PodmanArgs=--http-proxy=false
+
+[Service]
+ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh metadata-service
+Restart=always
\ No newline at end of file
diff --git a/systemd/containers/opaal-idp.container b/systemd/containers/opaal-idp.container
deleted file mode 100644
index cccba39..0000000
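Review bot: `Wants=smd.service` omits `tokensmith.service` even though `After=` orders on it and `ExecStartPre=` runs `podman exec tokensmith`, so if tokensmith is not already up the bootstrap step fails on first start; `boot-service.service` in the same commit lists both, and `Requires=tokensmith.service` is the safer choice for a unit that cannot start without it. Like `boot-service.service`, this file uses Quadlet keys (`[Container]`, `Exec=`, `Secret=`) under a `.service` extension and must be `metadata-service.container` for Quadlet to generate a unit from it. The deleted `cloud-init-server.container` mounted `Volume=cloud-init-data:/cloud-init:rw,Z`; this replacement mounts nothing, so presumably any data the service writes is lost on restart — confirm that, or add the volume back. `Image=metadata-service:test` is an unpinned local tag that should be pinned before this is deployed.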
--- a/systemd/containers/opaal-idp.container
+++ /dev/null
@@ -1,26 +0,0 @@
-[Unit]
-Description=The opaal-idp container
-Wants=hydra-gen-jwks.service
-After=hydra-gen-jwks.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=opaal-idp
-HostName=opaal-idp
-Image=ghcr.io/openchami/opaal:v0.3.12
-
-# Volumes
-Volume=/etc/openchami/configs:/opaal/config/:Z
-
-# Command to run in container
-Exec=/opaal/opaal serve --config /opaal/config/opaal.yaml
-
-EnvironmentFile=/etc/openchami/configs/openchami.env
-# Networks for the Container to use
-Network=openchami-jwt-internal
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
diff --git a/systemd/containers/opaal.container b/systemd/containers/opaal.container
deleted file mode 100644
index 700b72c..0000000
--- a/systemd/containers/opaal.container
+++ /dev/null
@@ -1,33 +0,0 @@
-[Unit]
-Description=The opaal container
-PartOf=openchami.target
-
-# Don’t start until the ID-P is running:
-Wants=opaal-idp.service
-After=opaal-idp.service
-
-[Container]
-ContainerName=opaal
-HostName=opaal
-Image=ghcr.io/openchami/opaal:v0.3.12
-
-
-# Volumes
-Volume=/etc/openchami/configs:/opaal/config/:Z
-
-# Command to run in container
-Exec=/opaal/opaal login --config /opaal/config/opaal.yaml
-
-# Networks for the Container to use
-Network=openchami-internal.network
-Network=openchami-jwt-internal.network
-
-# Extra hosts
-PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254'
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
-# Run commands after container starts
-ExecStartPost=sleep 10s
diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container
new file mode 100644
index 0000000..bfa2e0d
--- /dev/null
+++ b/systemd/containers/tokensmith.container
@@ -0,0 +1,26 @@
+[Unit]
+Description=The tokensmith container
+PartOf=openchami.target
+
+[Container]
+ContainerName=tokensmith
+HostName=tokensmith
+Image=ghcr.io/openchami/tokensmith:pr-19
+EnvironmentFile=/etc/openchami/configs/openchami.env
+
+# Volumes
+Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z
+
+# Networks for the Container to use
+Network=openchami-internal.network
+Network=openchami-jwt-internal.network
+
+# Extra hosts
+PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254'
+# Proxy settings
+PodmanArgs=--http-proxy=false
+
+[Service]
+Restart=always
+# Run commands after container starts
+ExecStartPost=sleep 10s
\ No newline at end of file
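Review bot: `Image=ghcr.io/openchami/tokensmith:pr-19` pins the token-issuing service to a pull-request build tag, which is mutable and may be overwritten or deleted after the PR merges; pin a release tag or a digest (`ghcr.io/openchami/tokensmith@sha256:…`) before this is deployed anywhere that matters. `Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z` reads the config from `/etc/openchami/` while every other unit here reads from `/etc/openchami/configs/` and this commit adds the file as `systemd/configs/tokensmith.json`, so the install path looks inconsistent. The signing key lives under `TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys` inside the container with no volume for it, so presumably it is regenerated on every restart and all issued tokens are invalidated; if that is intended, say so in a comment next to `# Volumes`. `ExecStartPost=sleep 10s` is a fixed readiness delay carried over from `opaal.container`; a `HealthCmd=` with `HealthStartPeriod=`, or `Notify=` if the binary supports sd_notify, would be more robust than a sleep that dependents rely on.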