
Update recipes to support JWT-backed cloud-init #67

Merged
merged 7 commits into from
Aug 19, 2024

Conversation

LRitzdorf
Collaborator

@LRitzdorf LRitzdorf commented Jul 16, 2024

Added

  • Initial TPM-manager container
  • Optional extra YAML file (for Docker Compose) to incorporate TPM manager and enable JWT-backed cloud-init endpoints

Changed

  • New cloud-init server, with support for JWT-backed endpoints
  • Minor update to BSS, adding support for notifications (i.e. POSTs to a specified URL; in this case to the TPM manager)

Related
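The BSS-to-TPM-manager notification listed above, as an added example that is not the project's code: a stdlib-only Python sketch of how the receiving daemon can validate the booting node's IP address before handing it to Ansible as inventory. The payload shape (a JSON object with an `ip` field), the management subnet and the inventory group name are assumptions, not BSS's actual notification format.

```python
"""Validate a BSS boot notification before it becomes Ansible inventory.

Added example, not the project's code. The payload shape ({"ip": "..."}),
the management subnet and the inventory group name are assumptions.
"""
import ipaddress
import json
from typing import Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed: TPM keys are only provisioned for nodes on this management network.
MANAGEMENT_NET: IPNetwork = ipaddress.ip_network("10.0.0.0/16")  # constructed value


class RejectedNotification(Exception):
    pass


def node_from_notification(body: bytes, allowed: IPNetwork = MANAGEMENT_NET) -> IPAddress:
    """Parse the notification and return the booting node's address.

    Anything that is not a single address inside the allowed network is rejected,
    so a malformed or hostile string never reaches the Ansible inventory.
    """
    try:
        payload = json.loads(body)
    except ValueError:
        raise RejectedNotification("body is not JSON")
    if not isinstance(payload, dict) or not isinstance(payload.get("ip"), str):
        raise RejectedNotification("missing or non-string ip field")
    try:
        ip = ipaddress.ip_address(payload["ip"].strip())
    except ValueError:
        raise RejectedNotification(f"not an IP address: {payload['ip']!r}")
    if ip.version != allowed.version or ip not in allowed:
        raise RejectedNotification(f"{ip} is outside {allowed}")
    return ip


def render_inventory(ip: IPAddress, group: str = "tpm_targets") -> str:
    """Emit a one-host INI inventory suitable for `ansible-playbook -i`."""
    return f"[{group}]\n{ip}\n"


def accepts(body: bytes) -> bool:
    """True if the notification would be turned into inventory, False if rejected."""
    try:
        node_from_notification(body)
    except RejectedNotification:
        return False
    return True


def inventory_for(body: bytes) -> str:
    """Full path: constructed notification body in, inventory text out."""
    return render_inventory(node_from_notification(body))


if __name__ == "__main__":
    print(inventory_for(b'{"ip": "10.0.3.17"}'))  # constructed notification
```

Because the address is parsed with `ipaddress` rather than copied as a string, an inventory line can only ever contain a bare address: host variables or extra tokens appended to the field are rejected before Ansible sees them.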

@LRitzdorf LRitzdorf marked this pull request as ready for review July 17, 2024 16:36
@LRitzdorf LRitzdorf force-pushed the lritzdorf/tpm-manager branch 2 times, most recently from d091322 to 36ab066 on August 8, 2024 20:26
@LRitzdorf
Collaborator Author

This should now be fully documented and ready to merge, and replaces #44 (by virtue of integrating the most recent cloud-init server). However, we may also want to look at the details of #44, particularly quickstart/cloud-init.yml and quickstart/configs/haproxy.cfg, to see if any of the changes there would be helpful to incorporate here.

Note that we do not perform SSH host key checking. Host keys are treated
as secrets, and will be applied via cloud-init *after* all TPM
operations have completed (since this needs the key that we store into
the TPM).

When a node requests its bootscript, BSS can now initiate a POST request
to an endpoint of the user's choice — in this case, to the TPM manager
daemon. This notification includes the booting node's IP address, which
is passed to Ansible as inventory to be configured with a TPM key.

The tpm-manager compose file, in particular, includes an override clause
which enables the cloud-init server's "secure route" (i.e.
JWT-authenticated config data).

This is, usually, required so that Ansible in the container can SSH to
nodes.
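The cloud-init "secure route" referred to in these commit messages, as an added example that is not the project's code: a stdlib-only Python sketch of how a config endpoint can gate per-node secrets behind a JWT. It assumes HS256 with a shared secret (the real server may use a different algorithm or key source), an `Authorization: Bearer <jwt>` header, and `sub` (node id), `iss` and `exp` claims; the node name, issuer string and secret store are constructed values.

```python
"""Gate a cloud-init "secure route" behind a JWT (added example, stdlib only).

Assumptions, not from the project: HS256 with a shared secret, an
`Authorization: Bearer <jwt>` header, and `sub` (node id), `iss`, `exp` claims.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

EXPECTED_ISS = "tpm-manager"  # assumed issuer name

# Constructed per-node secret store: the data the secure route hands out.
NODE_SECRETS = {"x3000c0s1b0n0": {"ssh_host_key": "<placeholder-ed25519-host-key>"}}


class TokenError(Exception):
    pass


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT (the issuer's side; used here to construct input)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims of a valid token; raise TokenError for anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_seg, body_seg, sig_seg = parts
    try:
        header = json.loads(b64url_decode(header_seg))
        signature = b64url_decode(sig_seg)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        raise TokenError("undecodable token")
    # Pin the algorithm server-side: the header must never choose the verifier,
    # so "alg": "none" and algorithm-confusion tokens fail here.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_seg}.{body_seg}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise TokenError("bad signature")
    # Only parse the claims once the signature has checked out
    try:
        claims = json.loads(b64url_decode(body_seg))
    except ValueError:
        raise TokenError("undecodable claims")
    if not isinstance(claims, dict):
        raise TokenError("claims are not an object")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("expired or missing exp")
    if claims.get("iss") != EXPECTED_ISS:
        raise TokenError("wrong issuer")
    return claims


def secure_route(authorization: Optional[str], key: bytes,
                 now: Optional[float] = None) -> Tuple[int, dict]:
    """Serve a node's secrets only to a caller presenting a valid token for that node."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        claims = verify_token(authorization[len("Bearer "):], key, now=now)
    except TokenError as exc:
        return 401, {"error": str(exc)}
    node = claims.get("sub")
    if not isinstance(node, str) or node not in NODE_SECRETS:
        return 404, {"error": "unknown node"}
    return 200, NODE_SECRETS[node]


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    tok = mint_token({"sub": "x3000c0s1b0n0", "iss": EXPECTED_ISS, "exp": time.time() + 60}, key)
    print(secure_route("Bearer " + tok, key))
```

The order of checks is the design point: the algorithm is fixed by the server, the signature is compared in constant time, and the claims body is only decoded and trusted after the signature passes, so `exp` and `iss` are read from authenticated data rather than from whatever the client sent.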
Contributor

@alexlovelltroy alexlovelltroy left a comment


LGTM

@alexlovelltroy alexlovelltroy merged commit 0a8c047 into main Aug 19, 2024
@LRitzdorf LRitzdorf deleted the lritzdorf/tpm-manager branch August 20, 2024 16:14