
RSS -> Nexus handoff plumbing #1528

Closed
smklein opened this issue Aug 1, 2022 · 5 comments · Fixed by #3073
Labels
bootstrap services For those occasions where you want the rack to turn on
Comments

@smklein
Collaborator

smklein commented Aug 1, 2022

RSS must provide operators a way to "add sufficient networking configuration to be able to launch Nexus, and continue setup through the web console".

The current implementation is somewhat limited in this regard - although config-rss.toml - representing user input - can contain an external address for Nexus, there are shortcomings:

  • It's limited to a single address
  • There is no mechanism to supply server certificates to encrypt traffic
@smklein
Collaborator Author

smklein commented Aug 1, 2022

See: sled-agent/src/rack_setup/config.rs

@smklein smklein changed the title Add support for pluming x509 certificate from RSS into Nexus Add support for plumbing x509 certificate from RSS into Nexus Aug 4, 2022
@smklein smklein added the bootstrap services For those occasions where you want the rack to turn on label Dec 6, 2022
@smklein
Collaborator Author

smklein commented Dec 6, 2022

#1959 provides more detail about the x509 transfer

@smklein smklein changed the title Add support for plumbing x509 certificate from RSS into Nexus RSS -> Nexus handoff plumbing Dec 6, 2022
@davepacheco
Collaborator

I'm putting this on the MVP board because I think it covers work that we plan to do for then. I think all that's missing here is to plumb the certificate list from RSS's API to Nexus's. That is, it's already in Nexus's API. What's left is accepting this in RSS's API, which means figuring out what should go into the config files we use in dev/test.

@davepacheco davepacheco added this to the MVP milestone May 9, 2023
@smklein
Collaborator Author

smklein commented May 9, 2023

RSS is already passing TLS certs to Nexus, through the internal API:

```rust
/// x.509 Certificates used to encrypt communication with the external API.
pub certs: Vec<Certificate>,
```

@smklein
Collaborator Author

smklein commented May 9, 2023

Ah, luqman corrected me, there is still this TODO:

```rust
let request = NexusTypes::RackInitializationRequest {
    services,
    datasets,
    internal_services_ip_pool_ranges,
    // TODO(https://github.com/oxidecomputer/omicron/issues/1959): Plumb
    // these paths through RSS's API.
    //
    // These certificates CAN be updated through Nexus' HTTP API, but
    // should be bootstrapped during the rack setup process to avoid
    // the need for unencrypted communication.
    certs: vec![],
    internal_dns_zone_config: d2n_params(&service_plan.dns_config),
    external_dns_zone_name: config.external_dns_zone_name.clone(),
    recovery_silo: config.recovery_silo.clone(),
};
```

So this part is still to-do -- it's the handoff of the TLS certs from wicket/wicketd (via the bootstrap network) to RSS itself
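As an added illustration (not omicron's own code) of the handoff the TODO above leaves open: operator input with several external addresses and a certificate list is validated before it is placed into the request, and an empty certificate list is refused rather than silently passed as `vec![]`. The names `RssExternalConfig`, `HandoffRequest`, `build_handoff` and `is_pem_block` are hypothetical, and the PEM check is structural only (it does not parse the certificate).

```rust
use std::net::IpAddr;

/// PEM certificate plus key as an operator would list it in config-rss.toml
/// (hypothetical shape for this example, not omicron's own type).
#[derive(Debug, Clone, PartialEq)]
pub struct Certificate { pub cert: String, pub key: String }

/// Hypothetical RSS-side input: several external addresses and a cert list.
pub struct RssExternalConfig { pub external_addresses: Vec<String>, pub certs: Vec<Certificate> }

/// Stand-in for the fields Nexus's RackInitializationRequest needs.
#[derive(Debug, PartialEq)]
pub struct HandoffRequest { pub external_addresses: Vec<IpAddr>, pub certs: Vec<Certificate> }

/// True if `pem` is a single PEM block whose label ends with `label`
/// (so "PRIVATE KEY" also accepts "RSA PRIVATE KEY" / "EC PRIVATE KEY").
fn is_pem_block(pem: &str, label: &str) -> bool {
    let mut lines = pem.trim().lines();
    let first = lines.next().unwrap_or("");
    let last = lines.last().unwrap_or("");
    first.starts_with("-----BEGIN ") && first.ends_with(&format!("{label}-----"))
        && last.starts_with("-----END ") && last.ends_with(&format!("{label}-----"))
}

/// Validate operator input and build the handoff. An empty cert list is an
/// error: bootstrapping certs here is what avoids starting Nexus's external
/// API unencrypted and patching it up later.
pub fn build_handoff(cfg: &RssExternalConfig) -> Result<HandoffRequest, String> {
    if cfg.external_addresses.is_empty() {
        return Err("at least one external address is required".into());
    }
    let addrs = cfg.external_addresses.iter()
        .map(|a| a.parse::<IpAddr>().map_err(|e| format!("bad external address {a}: {e}")))
        .collect::<Result<Vec<_>, _>>()?;
    if cfg.certs.is_empty() {
        return Err("no certificates supplied; refusing an unencrypted bootstrap".into());
    }
    for (i, c) in cfg.certs.iter().enumerate() {
        if !is_pem_block(&c.cert, "CERTIFICATE") {
            return Err(format!("certificate {i}: not a PEM CERTIFICATE block"));
        }
        if !is_pem_block(&c.key, "PRIVATE KEY") {
            return Err(format!("certificate {i}: key is not a PEM PRIVATE KEY block"));
        }
    }
    Ok(HandoffRequest { external_addresses: addrs, certs: cfg.certs.clone() })
}
```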

leftwo pushed a commit that referenced this issue Nov 19, 2024
No Propolis changes other than to update Crucible

Crucible changes are:
Add debug/timeout to test_memory.sh (#1563)
Consolidate ack checking (#1561)
Rename for crutest: RegionInfo -> DiskInfo (#1562)
Fix dtrace system level scripts (#1560)
Remove `ackable_work`; ack immediately instead (#1552)
No more New jobs, no more New jobs column (#1559)
Remove delay-based backpressure in favor of explicit queue limits (#1515)
Only send flushes when Downstairs is idle; send Barrier otherwise (#1505)
Update Rust crate reqwest to v0.12.9 (#1536)
Update Rust crate omicron-zone-package to 0.11.1 (#1535)
Remove separate validation array (#1522)
Remove more unnecessary `DsState` variants (#1550)
Consolidate `DownstairsClient::reinitialize` (#1549)
Update Rust crate uuid to v1.11.0 (#1546)
Update Rust crate reedline to 0.36.0 (#1544)
Update Rust crate bytes to v1.8.0 (#1541)
Update Rust crate thiserror to v1.0.66 (#1539)
Update Rust crate serde_json to v1.0.132 (#1538)
Update Rust crate serde to v1.0.214 (#1537)
Remove transient states in `DsState` (#1526)
Update Rust crate libc to v0.2.161 (#1534)
Update Rust crate futures to v0.3.31 (#1532)
Update Rust crate clap to v4.5.20 (#1531)
Update Rust crate async-trait to 0.1.83 (#1530)
Update Rust crate anyhow to v1.0.92 (#1529)
Remove obsolete crutest perf test (#1528)
Update dependency rust to v1.82.0 (#1512)
Still more updates to support Volume layer activities. (#1508)
Remove remaining IOPS/bandwidth limiting code (#1525)
Add unit test for VersionMismatch (#1524)
Removing panic paths by only destructuring once (#1523)
Update actions/checkout digest to 11bd719 (#1518)
Switch to using `Duration` for times (#1520)
leftwo added a commit that referenced this issue Nov 20, 2024
No Propolis changes other than to update Crucible (same Crucible change list as in the commit above).

Co-authored-by: Alan Hanson