From 7a0e540af0f78ea465be9603b5977f91a1dcceea Mon Sep 17 00:00:00 2001
From: Travis Cotton
Date: Thu, 2 Apr 2026 07:13:49 -0600
Subject: [PATCH 1/4] added tokensmith basic config file; update env file
Signed-off-by: Travis Cotton
---
 systemd/configs/openchami.env | 9 ++++++++
 systemd/configs/tokensmith.json | 19 +++++++++++++++++
 systemd/containers/tokensmith.container | 28 +++++++++++++++++++++++++
 3 files changed, 56 insertions(+)
 create mode 100644 systemd/configs/tokensmith.json
 create mode 100644 systemd/containers/tokensmith.container
diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env
index efbe4ea..a4cb925 100644
--- a/systemd/configs/openchami.env
+++ b/systemd/configs/openchami.env
@@ -36,6 +36,15 @@ SMD_DBUSER=smd-user
 SMD_DBOPTS=sslmode=disable
 SMD_JWKS_URL=http://opaal:3333/keys
+# Environemnt Variables
+TOKENSMITH_ISSUER=https://tokensmith.openchami.dev
+TOKENSMITH_CLUSTER_ID=demo-cluster
+TOKENSMITH_OPENCHAMI_ID=demo-openchami
+TOKENSMITH_CONFIG=/tokensmith/config.json
+TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys
+TOKENSMITH_OIDC_PROVIDER=http://hydra:4444
+TOKENSMITH_PORT=8080
+
 # Environemnt Variables
 STEPPATH=/home/step
 DOCKER_STEPCA_INIT_NAME=OpenCHAMI
diff --git a/systemd/configs/tokensmith.json b/systemd/configs/tokensmith.json
new file mode 100644
index 0000000..09d4ed4
--- /dev/null
+++ b/systemd/configs/tokensmith.json
@@ -0,0 +1,19 @@
+{
+ "groupScopes": {
+ "admin": [
+ "admin",
+ "write",
+ "read"
+ ],
+ "operator": [
+ "write",
+ "read"
+ ],
+ "user": [
+ "read"
+ ],
+ "viewer": [
+ "read"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container
new file mode 100644
index 0000000..5d23ab5
--- /dev/null
+++ b/systemd/containers/tokensmith.container
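Review bot: `TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys` places the token-signing key under /tmp inside the container, and the tokensmith.container unit added in this same patch mounts only the config file, so nothing in this series persists that key across container recreation. Unless the image stores it elsewhere, every recreate (image bump, host reboot) regenerates the key and silently invalidates every bootstrap token previously minted from `/tmp/tokensmith/keys/private.pem` (the path patch 2's script reads), so all consumers must re-bootstrap. Either give the directory a named volume in tokensmith.container, e.g. `Volume=tokensmith-keys:/tmp/tokensmith/keys:Z` (constructed name), or state the ephemeral contract on this line: `# ephemeral: key is regenerated on every container start; clients re-mint via ExecStartPre`. `TOKENSMITH_ISSUER=https://tokensmith.openchami.dev` is also the only public-looking hostname among these values; if consumers validate the `iss` claim, confirm it matches what they are configured to expect.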
@@ -0,0 +1,28 @@
+[Unit]
+Description=The tokensmith container
+Wants=hydra-gen-jwks.service
+After=hydra-gen-jwks.service
+PartOf=openchami.target
+
+[Container]
+ContainerName=tokensmith
+HostName=tokensmith
+Image=ghcr.io/openchami/tokensmith:pr-13
+EnvironmentFile=/etc/openchami/configs/openchami.env
+
+# Volumes
+Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z
+
+# Networks for the Container to use
+Network=openchami-internal.network
+Network=openchami-jwt-internal.network
+
+# Extra hosts
+PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254'
+# Proxy settings
+PodmanArgs=--http-proxy=false
+
+[Service]
+Restart=always
+# Run commands after container starts
+ExecStartPost=sleep 10s
\ No newline at end of file
From a32b699e95d4fbef563989939150e7395940839b Mon Sep 17 00:00:00 2001
From: Travis Cotton
Date: Tue, 7 Apr 2026 14:50:25 -0600
Subject: [PATCH 2/4] added tokensmith bootstrap token script
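Review bot: `Image=ghcr.io/openchami/tokensmith:pr-13` pins the service that signs every bootstrap token in this deployment to a pull-request build tag, which is mutable and not a release; a release tag or a `@sha256:` digest would make the deployed signer reproducible (patch 3 bumps this to `pr-19`, still a PR tag). `Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z` reads the config from `/etc/openchami/` directly, while every other config in these units lives under `/etc/openchami/configs/` and the file this patch adds is `systemd/configs/tokensmith.json`; unless an install step outside this series copies it to that exact path, the container will not find its config, and I would align the mount with the `configs/` directory the sibling units use. `ExecStartPost=sleep 10s` is a fixed delay standing in for a readiness check; a comment on what the ten seconds waits for, e.g. `# give tokensmith time to generate its signing key before dependents mint tokens`, would let the next person tune or replace it.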
Signed-off-by: Travis Cotton
---
 scripts/tokensmith_bootstrap_token.sh | 14 +++++++
 systemd/containers/bss-init.container | 28 -------------
 systemd/containers/bss.container | 36 -----------------
 .../containers/cloud-init-server.container | 24 -----------
 systemd/containers/hydra-gen-jwks.container | 26 ------------
 systemd/containers/hydra-migrate.container | 32 ---------------
 systemd/containers/hydra.container | 40 -------------------
 systemd/containers/opaal-idp.container | 26 ------------
 systemd/containers/opaal.container | 33 ---------------
 9 files changed, 14 insertions(+), 245 deletions(-)
 create mode 100644 scripts/tokensmith_bootstrap_token.sh
 delete mode 100644 systemd/containers/bss-init.container
 delete mode 100644 systemd/containers/bss.container
 delete mode 100644 systemd/containers/cloud-init-server.container
 delete mode 100644 systemd/containers/hydra-gen-jwks.container
 delete mode 100644 systemd/containers/hydra-migrate.container
 delete mode 100644 systemd/containers/hydra.container
 delete mode 100644 systemd/containers/opaal-idp.container
 delete mode 100644 systemd/containers/opaal.container
diff --git a/scripts/tokensmith_bootstrap_token.sh b/scripts/tokensmith_bootstrap_token.sh
new file mode 100644
index 0000000..f9f8083
--- /dev/null
+++ b/scripts/tokensmith_bootstrap_token.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+CLIENT="${1}"
+SERVICE="smd"
+
+TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\
+ /usr/local/bin/tokensmith mint-bootstrap-token \
+ --key-file /tmp/tokensmith/keys/private.pem \
+ --service-id ${CLIENT}-client \
+ --target-service ${SERVICE}
+ ")
+SECRET_NAME="${CLIENT}-bootstrap-token"
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm ${SECRET_NAME} 2>/dev/null || true
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create ${SECRET_NAME} -
\ No newline at end of file
diff --git a/systemd/containers/bss-init.container b/systemd/containers/bss-init.container
deleted file mode 100644
index cc48c9f..0000000
--- a/systemd/containers/bss-init.container
+++ /dev/null
@@ -1,28 +0,0 @@
-[Unit]
-Description=The bss-init container
-Wants=smd.service
-Requires=postgres.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=bss-init
-HostName=bss-init
-Image=ghcr.io/openchami/bss:v1.32.1
-
-# Environment Variables
-EnvironmentFile=/etc/openchami/configs/openchami.env
-
-# Secrets
-Secret=bss_postgres_password,type=env,target=BSS_DBPASS
-
-# Networks for the Container to use
-Network=openchami-internal.network
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-PodmanArgs=--entrypoint='["/bin/sh","-c","/usr/local/bin/bss-init "]'
-
-[Service]
-Restart=on-failure
-Type=oneshot
-RemainAfterExit=yes
diff --git a/systemd/containers/bss.container b/systemd/containers/bss.container
deleted file mode 100644
index 48af6ca..0000000
--- a/systemd/containers/bss.container
+++ /dev/null
@@ -1,36 +0,0 @@
-[Unit]
-Description=The bss container
-PartOf=openchami.target
-
-# Ensure the init job has started (and if it fails, BSS will fail):
-Requires=bss-init.service
-After=bss-init.service
-
-# Ensure SMD has started already
-Wants=smd.service
-After=smd.service
-
-# Hydraledger JWKS must be generated first:
-Wants=hydra-gen-jwks.service
-After=hydra-gen-jwks.service
-
-
-[Container]
-ContainerName=bss
-HostName=bss
-Image=ghcr.io/openchami/bss:v1.32.1
-
-# Environment Variables
-EnvironmentFile=/etc/openchami/configs/openchami.env
-
-# Secrets
-Secret=bss_postgres_password,type=env,target=BSS_DBPASS
-
-# Networks for the Container to use
-Network=openchami-internal.network
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
diff --git a/systemd/containers/cloud-init-server.container b/systemd/containers/cloud-init-server.container
deleted file mode 100644
index fd914df..0000000
--- a/systemd/containers/cloud-init-server.container
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=The cloud-init-server container
-Wants=smd.service
-After=smd.service opaal.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=cloud-init-server
-HostName=cloud-init
-Image=ghcr.io/openchami/cloud-init:v1.3.0
-
-Volume=cloud-init-data:/cloud-init:rw,Z
-
-# Environment Variables
-EnvironmentFile=/etc/openchami/configs/openchami.env
-
-# Networks for the Container to use
-Network=openchami-internal.network
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
diff --git a/systemd/containers/hydra-gen-jwks.container b/systemd/containers/hydra-gen-jwks.container
deleted file mode 100644
index e643bb5..0000000
--- a/systemd/containers/hydra-gen-jwks.container
+++ /dev/null
@@ -1,26 +0,0 @@
-[Unit]
-Description=The hydra-gen-jwks container
-Wants=hydra.service
-After=hydra.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=hydra-gen-jwks
-HostName=hydra-gen-jwks
-Image=cgr.dev/chainguard/curl:latest
-
-# Command to run in container
-Exec=--retry 10 --retry-delay 5 --retry-all-errors --verbose http://hydra:4444/.well-known/jwks.json
-
-# Networks for the Container to use
-Network=openchami-jwt-internal.network
-
-
-# Unsupported by generator options
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=on-failure
-Type=oneshot
-RemainAfterExit=yes
diff --git a/systemd/containers/hydra-migrate.container b/systemd/containers/hydra-migrate.container
deleted file mode 100644
index 9829126..0000000
--- a/systemd/containers/hydra-migrate.container
+++ /dev/null
@@ -1,32 +0,0 @@
-[Unit]
-Description=The hydra-migrate container
-Requires=postgres.service
-After=postgres.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=hydra-migrate
-HostName=hydra-migrate
-Image=docker.io/oryd/hydra:v2.3
-
-# Volumes
-Volume=/etc/openchami/configs/:/etc/config/hydra:Z
-
-# Secrets
-Secret=hydra_system_secret,type=env,target=SECRETS_SYSTEM
-Secret=hydra_postgres_password,type=env,target=HYDRA_POSTGRES_PASSWORD
-Secret=hydra_dsn,type=env,target=DSN
-
-# Command to run in container
-Exec=migrate -c /etc/config/hydra/hydra.yml sql -e --yes
-
-# Networks for the Container to use
-Network=openchami-internal.network
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=on-failure
-Type=oneshot
-RemainAfterExit=yes
diff --git a/systemd/containers/hydra.container b/systemd/containers/hydra.container
deleted file mode 100644
index 4cd6461..0000000
--- a/systemd/containers/hydra.container
+++ /dev/null
@@ -1,40 +0,0 @@
-[Unit]
-Description=The hydra container
-PartOf=openchami.target
-
-# 1) Don’t start until hydra-migrate has successfully started:
-Requires=hydra-migrate.service
-After=hydra-migrate.service
-
-# 2) Also require Step-CA to be running first:
-Wants=step-ca.service
-After=step-ca.service
-
-
-[Container]
-ContainerName=hydra
-HostName=hydra
-Image=docker.io/oryd/hydra:v2.3
-
-# Volumes
-Volume=/etc/openchami/configs/:/etc/config/hydra:Z
-
-# Environment Variables
-EnvironmentFile=/etc/openchami/configs/openchami.env
-
-# Secrets
-Secret=hydra_system_secret,type=env,target=SECRETS_SYSTEM
-Secret=hydra_dsn,type=env,target=DSN
-
-# Command to run in container
-Exec=serve -c /etc/config/hydra/hydra.yml all --sqa-opt-out
-
-# Networks for the Container to use
-Network=openchami-jwt-internal.network
-
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
diff --git a/systemd/containers/opaal-idp.container b/systemd/containers/opaal-idp.container
deleted file mode 100644
index cccba39..0000000
--- a/systemd/containers/opaal-idp.container
+++ /dev/null
@@ -1,26 +0,0 @@
-[Unit]
-Description=The opaal-idp container
-Wants=hydra-gen-jwks.service
-After=hydra-gen-jwks.service
-PartOf=openchami.target
-
-[Container]
-ContainerName=opaal-idp
-HostName=opaal-idp
-Image=ghcr.io/openchami/opaal:v0.3.12
-
-# Volumes
-Volume=/etc/openchami/configs:/opaal/config/:Z
-
-# Command to run in container
-Exec=/opaal/opaal serve --config /opaal/config/opaal.yaml
-
-EnvironmentFile=/etc/openchami/configs/openchami.env
-# Networks for the Container to use
-Network=openchami-jwt-internal
-
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
diff --git a/systemd/containers/opaal.container b/systemd/containers/opaal.container
deleted file mode 100644
index 700b72c..0000000
--- a/systemd/containers/opaal.container
+++ /dev/null
@@ -1,33 +0,0 @@
-[Unit]
-Description=The opaal container
-PartOf=openchami.target
-
-# Don’t start until the ID-P is running:
-Wants=opaal-idp.service
-After=opaal-idp.service
-
-[Container]
-ContainerName=opaal
-HostName=opaal
-Image=ghcr.io/openchami/opaal:v0.3.12
-
-
-# Volumes
-Volume=/etc/openchami/configs:/opaal/config/:Z
-
-# Command to run in container
-Exec=/opaal/opaal login --config /opaal/config/opaal.yaml
-
-# Networks for the Container to use
-Network=openchami-internal.network
-Network=openchami-jwt-internal.network
-
-# Extra hosts
-PodmanArgs=--add-host='demo.openchami.cluster:172.16.0.254'
-# Proxy settings
-PodmanArgs=--http-proxy=false
-
-[Service]
-Restart=always
-# Run commands after container starts
-ExecStartPost=sleep 10s
From ef8d0707dfee9d93252bf500db08c63b013d7f54 Mon Sep 17 00:00:00 2001
From: Travis Cotton
Date: Tue, 7 Apr 2026 14:50:51 -0600
Subject: [PATCH 3/4] removed old services; added new ones
Signed-off-by: Travis Cotton
---
 systemd/containers/boot-service.service | 32 +++++++++++++++++++
 systemd/containers/coresmd-coredhcp.container | 4 +--
 systemd/containers/haproxy.container | 4 +--
 systemd/containers/metadata-service.service | 24 ++++++++++++++
 systemd/containers/tokensmith.container | 4 +--
 5 files changed, 61 insertions(+), 7 deletions(-)
 create mode 100644 systemd/containers/boot-service.service
 create mode 100644 systemd/containers/metadata-service.service
diff --git a/systemd/containers/boot-service.service b/systemd/containers/boot-service.service
new file mode 100644
index 0000000..22b0b5a
--- /dev/null
+++ b/systemd/containers/boot-service.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=The bss container
+#PartOf=openchami.target
+
+# Ensure the init job has started (and if it fails, BSS will fail):
+Requires=tokensmith.service smd.service
+After=tokensmith.service smd.service
+
+[Container]
+ContainerName=boot-service
+HostName=boot-service
+Image=boot-service:test
+
+# Environment Variables
+#EnvironmentFile=/etc/openchami/configs/openchami.env
+
+#Volume=/etc/openchami/configs/boot-service.yaml:/etc/boot-service/config.yaml:ro,Z
+
+# Secrets
+Secret=bss-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN
+
+# Networks for the Container to use
+Network=openchami-internal.network
+
+# Proxy settings
+PodmanArgs=--http-proxy=false
+
+Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd
+
+[Service]
+ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh bss
+Restart=always
diff --git a/systemd/containers/coresmd-coredhcp.container b/systemd/containers/coresmd-coredhcp.container
index 29afb18..1089fb8 100644
--- a/systemd/containers/coresmd-coredhcp.container
+++ b/systemd/containers/coresmd-coredhcp.container
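Review bot: This unit (and metadata-service.service in the same patch) is named `.service` but carries a Quadlet `[Container]` section with Quadlet-only keys (`Image=`, `Secret=`, `Network=`, `PodmanArgs=`, `Exec=`), which Quadlet generates units from only for `.container` files; every sibling unit in this directory is a `.container`. Read as a plain systemd `.service`, the `[Container]` section is ignored and the unit has no `ExecStart=`, so unless an install step outside this series renames them, haproxy's new `Wants=boot-service.service metadata-service.service` in this patch points at units that never start; renaming to `boot-service.container` keeps the generated unit name `boot-service.service`, so those references stay valid. `Description=The bss container` and the comment `# Ensure the init job has started (and if it fails, BSS will fail):` are copied from the deleted bss.container and no longer describe this unit (the description survives patch 4 unchanged). `Image=boot-service:test` is an unqualified local tag with no registry or version, unlike every other unit here; if it is a placeholder, mark it so it is not deployed as-is: `# TODO: replace with a registry image and release tag (or digest) before merge`.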
@@ -1,7 +1,7 @@
 [Unit]
 Description=The CoreSMD CoreDHCP container
-Wants=haproxy.service
-After=haproxy.service
+Wants=tokensmith.service
+After=tokensmith.service
 PartOf=openchami.target
 [Container]
diff --git a/systemd/containers/haproxy.container b/systemd/containers/haproxy.container
index ac1c0f0..0c91ded 100644
--- a/systemd/containers/haproxy.container
+++ b/systemd/containers/haproxy.container
@@ -1,7 +1,7 @@
 [Unit]
 Description=The haproxy container
-Wants=bss.service cloud-init-server.service smd.service acme-deploy.service
-After=openchami-external-network.service opaal.service smd.service bss.service acme-deploy.service cloud-init-server.service
+Wants=boot-service.service metadata-service.service smd.service acme-deploy.service
+After=openchami-external-network.service smd.service boot-service.service acme-deploy.service metadata-service.service
 Requires=openchami-external-network.service acme-deploy.service
 PartOf=openchami.target
diff --git a/systemd/containers/metadata-service.service b/systemd/containers/metadata-service.service
new file mode 100644
index 0000000..a02451a
--- /dev/null
+++ b/systemd/containers/metadata-service.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=The metadata-service container
+Wants=smd.service
+After=smd.service tokensmith.service
+PartOf=openchami.target
+
+[Container]
+ContainerName=metadata-service
+HostName=cloud-init
+Image=metadata-service:test
+
+Volume=cloud-init-data:/cloud-init:rw,Z
+
+# Environment Variables
+EnvironmentFile=/etc/openchami/configs/openchami.env
+
+# Networks for the Container to use
+Network=openchami-internal.network
+
+# Proxy settings
+PodmanArgs=--http-proxy=false
+
+[Service]
+Restart=always
\ No newline at end of file
diff --git a/systemd/containers/tokensmith.container b/systemd/containers/tokensmith.container
index 5d23ab5..bfa2e0d 100644
--- a/systemd/containers/tokensmith.container
+++ b/systemd/containers/tokensmith.container
@@ -1,13 +1,11 @@
 [Unit]
 Description=The tokensmith container
-Wants=hydra-gen-jwks.service
-After=hydra-gen-jwks.service
 PartOf=openchami.target
 [Container]
 ContainerName=tokensmith
 HostName=tokensmith
-Image=ghcr.io/openchami/tokensmith:pr-13
+Image=ghcr.io/openchami/tokensmith:pr-19
 EnvironmentFile=/etc/openchami/configs/openchami.env
 # Volumes
From bd70b1916acde14b548492441e380949df177133 Mon Sep 17 00:00:00 2001
From: Travis Cotton
Date: Tue, 7 Apr 2026 15:49:03 -0600
Subject: [PATCH 4/4] updating some container files
Signed-off-by: Travis Cotton
---
 systemd/configs/openchami.env | 16 ----------------
 systemd/containers/boot-service.service | 16 +++++++---------
 systemd/containers/coresmd-coredhcp.container | 4 ++--
 systemd/containers/metadata-service.service | 7 +++++--
 4 files changed, 14 insertions(+), 29 deletions(-)
diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env
index a4cb925..f216bec 100644
--- a/systemd/configs/openchami.env
+++ b/systemd/configs/openchami.env
@@ -14,20 +14,6 @@ URLS_LOGOUT=https://${SYSTEM_URL}/logout
 # Environemnt Variables
 POSTGRES_USER=ochami
-# Environemnt Variables
-BSS_USESQL=true
-BSS_INSECURE=true
-BSS_DEBUG=true
-BSS_DBHOST=postgres
-BSS_DBPORT=5432
-BSS_DBNAME=bssdb
-BSS_DBUSER=bss-user
-BSS_JWKS_URL=http://opaal:3333/keys
-BSS_OAUTH2_ADMIN_BASE_URL=http://opaal:3333
-BSS_OAUTH2_PUBLIC_BASE_URL=http://opaal:3333
-BSS_IPXE_SERVER=${SYSTEM_URL}
-BSS_CHAIN_PROTO=https
-
 # Environemnt Variables
 SMD_DBHOST=postgres
 SMD_DBPORT=5432
@@ -62,6 +48,4 @@ ANSIBLE_HOST_KEY_CHECKING=False
 # Environemnt Variables for cloud-init
 LISTEN=:27777
 SMD_URL=http://smd:27779
-OPAAL_URL=http://opaal:3333
-JWKS_URL=http://opaal:3333/keys
 IMPERSONATION=true
diff --git a/systemd/containers/boot-service.service b/systemd/containers/boot-service.service
index 22b0b5a..cc79678 100644
--- a/systemd/containers/boot-service.service
+++ b/systemd/containers/boot-service.service
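Review bot: After this hunk the env file still points at services this series deletes: `TOKENSMITH_OIDC_PROVIDER=http://hydra:4444` (added in patch 1) and `SMD_JWKS_URL=http://opaal:3333/keys` (visible as context in patch 1's hunk) are left in place, while hydra.container and opaal.container are removed in patch 2; only the BSS_* block and `OPAAL_URL`/`JWKS_URL` are cleaned up here. Both lines sit outside this hunk, so I cannot see whether something later touches them, but as left they direct SMD's JWKS lookup and tokensmith's OIDC provider at hostnames that no longer exist on the internal network, which will surface as token-verification or startup failures rather than as an obvious config error. Either drop them in this hunk or point them at whatever endpoint replaces hydra/opaal now, with a line such as `# hydra and opaal were removed; JWKS/OIDC now come from tokensmith` so they are not re-added by the next reader.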
@@ -1,10 +1,10 @@
 [Unit]
 Description=The bss container
-#PartOf=openchami.target
+PartOf=openchami.target
-# Ensure the init job has started (and if it fails, BSS will fail):
-Requires=tokensmith.service smd.service
-After=tokensmith.service smd.service
+# Ensure SMD has started already
+Wants=smd.service tokensmith.service
+After=smd.service tokensmith.service
 [Container]
 ContainerName=boot-service
@@ -12,12 +12,10 @@ HostName=boot-service
 Image=boot-service:test
 # Environment Variables
-#EnvironmentFile=/etc/openchami/configs/openchami.env
-
-#Volume=/etc/openchami/configs/boot-service.yaml:/etc/boot-service/config.yaml:ro,Z
+EnvironmentFile=/etc/openchami/configs/openchami.env
 # Secrets
-Secret=bss-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN
+Secret=boot-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN
 # Networks for the Container to use
 Network=openchami-internal.network
@@ -28,5 +26,5 @@ PodmanArgs=--http-proxy=false
 Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd
 [Service]
-ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh bss
+ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service
 Restart=always
diff --git a/systemd/containers/coresmd-coredhcp.container b/systemd/containers/coresmd-coredhcp.container
index 1089fb8..201ee00 100644
--- a/systemd/containers/coresmd-coredhcp.container
+++ b/systemd/containers/coresmd-coredhcp.container
@@ -1,7 +1,7 @@
 [Unit]
 Description=The CoreSMD CoreDHCP container
-Wants=tokensmith.service
-After=tokensmith.service
+Wants=tokensmith.service smd.service
+After=tokensmith.service smd.service
 PartOf=openchami.target
 [Container]
diff --git a/systemd/containers/metadata-service.service b/systemd/containers/metadata-service.service
index a02451a..4031d45 100644
--- a/systemd/containers/metadata-service.service
+++ b/systemd/containers/metadata-service.service
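Review bot: Relaxing `Requires=tokensmith.service smd.service` to `Wants=smd.service tokensmith.service` lets boot-service start even when tokensmith has failed, yet this unit's `ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service` (third hunk) still has to `podman exec` into a running tokensmith container to mint its secret, so the failure merely moves from a clean dependency error into an ExecStartPre failure retried under `Restart=always`. `Wants=` is reasonable for smd, but tokensmith is a hard prerequisite of the pre-start step; `Requires=tokensmith.service` alongside `Wants=smd.service` says that, and the comment could read `# tokensmith must be up: ExecStartPre mints this unit's bootstrap token through it`. `Description=The bss container` on the second context line is still the copy from the deleted bss unit; `Description=The boot-service container` would match `ContainerName=boot-service`.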
@@ -6,14 +6,16 @@ PartOf=openchami.target
 [Container]
 ContainerName=metadata-service
-HostName=cloud-init
+HostName=metadata-service
 Image=metadata-service:test
-Volume=cloud-init-data:/cloud-init:rw,Z
+Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN
 # Environment Variables
 EnvironmentFile=/etc/openchami/configs/openchami.env
+Exec=serve --tokensmith-url=http://tokensmith:8080
+
 # Networks for the Container to use
 Network=openchami-internal.network
@@ -21,4 +23,5 @@ Network=openchami-internal.network
 PodmanArgs=--http-proxy=false
 [Service]
+ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh metadata-service
 Restart=always
\ No newline at end of file
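Review bot: The added `ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh metadata-service` execs into the tokensmith container, but this unit's `[Unit]` section (outside the hunk, as created in patch 3) lists tokensmith.service only in `After=`, not in `Wants=` or `Requires=`, so starting metadata-service on its own pulls in nothing and the pre-start step fails; boot-service in the same patch does list it, and `Requires=tokensmith.service` here would match that. `Exec=serve --tokensmith-url=http://tokensmith:8080` spells the flag with hyphens while boot-service passes `--tokensmith_url=`; I cannot see either binary's CLI from this series, but one of the two spellings is likely wrong and a flag the parser does not recognise may be rejected or silently ignored, so the two units should agree. metadata-service also omits the `--enable-auth` that boot-service passes, which is worth a one-line comment if intentional. A comment above the new `Secret=` line, e.g. `# secret is (re)created on every start by the ExecStartPre below`, would make the coupling between the secret and the script explicit.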