Update release with new fabrica-based services; remove old services #50
travisbcotton wants to merge 4 commits into main from
Signed-off-by: Travis Cotton <trcotton@lanl.gov>
9bf779d to ef8d070
Just a quick note glancing at this: The files in systemd/containers/ are named *.container instead of *.service. It looks like that also applies to metadata-service.service too.
| @@ -0,0 +1,30 @@ | |||
| [Unit] | |||
| Description=The bss container | |||
The bss container -> The boot-service container
| @@ -36,6 +22,15 @@ SMD_DBUSER=smd-user | |||
| SMD_DBOPTS=sslmode=disable | |||
| SMD_JWKS_URL=http://opaal:3333/keys | |||
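Review bot: SMD_JWKS_URL=http://opaal:3333/keys in this hunk pulls the token verification keys over plain HTTP, so whatever answers for the opaal name on port 3333 decides which signing keys SMD trusts. If this variable survives the change, point it at an HTTPS endpoint, or note in the env file that the lookup never leaves the internal container network.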
I'm not sure what changes have been made to SMD with the tokensmith integration, but this would probably need to be changed or removed.
This script needs to be copied and permissions changed in the openchami.spec file. I'm not sure exactly where it goes but I'm guessing here.
cp scripts/tokensmith_bootstrap_token.sh %{buildroot}/usr/bin
# ...
chmod +x %{buildroot}/usr/bin/tokensmith_bootstrap_token.sh
Edit: It looks like the tokensmith_bootstrap_token.sh script should be placed in /usr/local/sbin/ judging by the ExecStartPre path in the boot-service.service file.
| EnvironmentFile=/etc/openchami/configs/openchami.env | ||
|
|
||
| # Volumes | ||
| Volume=/etc/openchami/tokensmith.json:/tokensmith/config.json:Z |
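Review bot: The Volume= line at the end of this hunk mounts tokensmith.json with only the Z option, which leaves the host file writable from inside the container. If the service only reads its config, mount it as :ro,Z so a compromised container cannot rewrite the token service's configuration on the host.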
I think this should be /etc/openchami/tokensmith.json -> /etc/openchami/configs/tokensmith.json since tokensmith.json is copied from systemd/configs/tokensmith.json to /etc/openchami/configs/tokensmith.json in the spec file.
Just a couple of other notes before merging. We need to update the
We also need to update
Another note...we're going to update the CoreDHCP config in
Here's a snippet of what the tutorial config should look like after the changes:
- coresmd: |
    svc_base_uri=https://demo.openchami.cluster:8443
    ipxe_base_uri=http://172.16.0.254:8081
    ca_cert=/root_ca/root_ca.crt
    cache_valid=30s
    lease_time=1h
    single_port=false
- bootloop: |
    lease_file=/tmp/coredhcp.db
    script_path=default
    lease_time=5m
    ipv4_start=172.16.0.200
    ipv4_end=172.16.0.250
| @@ -36,6 +22,15 @@ SMD_DBUSER=smd-user | |||
| SMD_DBOPTS=sslmode=disable | |||
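Review bot: SMD_DBOPTS=sslmode=disable in this hunk turns TLS off for the SMD database connection, so the smd-user credentials and the queries travel in cleartext. If the database is only reachable on the local container network, say so in a comment next to the variable; otherwise use sslmode=verify-full and mount the CA certificate into the container.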
Based on the changes from this PR it looks like we need some more variables (or flags) to get SMD to work with tokensmith:
- SMD_AUTH_BACKEND=tokensmith (or -auth-backend flag)
- SMD_AUTH_ISSUER=https://tokensmith.openchami.dev (or -auth-issuer flag; I'm assuming this should be the same as TOKENSMITH_ISSUER)
- SMD_AUTH_AUDIENCES= (or -auth-audiences flag which I think should be the services that consume the token)