feature: add nats auth #41
Draft: JettTech wants to merge 130 commits into main from nats-proposal-auth
…nto nats-proposal-auth
* refactor util_libs
* adjust codebase to new types
* update .env.example
* refactor service
* refactor host agent client structure
* temporary(flake): switch to blueprint fork
* feat(nix/lib): wrap runNixOSTest with defaults
  this is required when VM tests use nixos modules that live in a blueprint repository like this.
* feat(nix/packages/rust-workspace): expose rust binaries
  previously it would only expose the target directory as an archive.
* WIP: feat(holo-agent): add nixos module with integration test
* FIXME: this commit needs splitting up
  iterate on holo-agent-integration-nixos with code changes all over the place. test can be run with: `nix build -vL .\#checks.x86_64-linux.holo-agent-integration-nixos`
* fix(nix/modules/host-agent): wait for network connectivity
* holo-host-agent: use wantedBy and increase logging
* feat(host_agent): add leafnode creds CLI arg and improve handling consistency
  this also takes out the hardcoded path for the credentials path which has been panicking in the integration tests.
* fix(host-agent): continuously try to connect to spawned NATS leaf server
  when running the host-agent on system startup there seems to be a race condition that prevents the agent from connecting to the spawned NATS instance. the root cause for this _might_ be a race condition between the network stack availability and spawning Nats, however that's a guess. it might also just take a 100-200ms for Nats to start servicing the TCP port. either way, the boot log in the integration test looks like this with the fix applied. the loop fails once and then succeeds after waiting 100ms:
  ```
  [ 6.690765] holo-host-agent-start[695]: [2025-01-20T20:53:16Z INFO util_libs::nats_server] NATS Leaf Server is running at 127.0.0.1:4222
  [ 6.692975] holo-host-agent-start[695]: [2025-01-20T20:53:16Z INFO host_agent::workload_manager] HPOS Agent Client: Connecting to server...
  [ 6.695163] holo-host-agent-start[695]: [2025-01-20T20:53:16Z INFO host_agent::workload_manager] host_creds_path : None
  [ 6.696391] holo-host-agent-start[695]: [2025-01-20T20:53:16Z INFO host_agent::workload_manager] host_pubkey : host_id_placeholder>
  [ 6.698881] holo-host-agent-start[695]: [2025-01-20T20:53:16Z INFO host_agent::workload_manager] nats_url : 127.0.0.1:4222
  [ 6.720665] systemd-logind[707]: New seat seat0.
  [ 6.723219] holo-host-agent-start[695]: [2025-01-20T20:53:16Z WARN host_agent::workload_manager] connecting to NATS via 127.0.0.1:4222: IO error: Connection refused (os error 111), retrying in 100ms
  [ 6.726726] systemd-logind[707]: Watching system buttons on /dev/input/event2 (Power Button)
  [ 6.727999] systemd-logind[707]: Watching system buttons on /dev/input/event3 (QEMU Virtio Keyboard)
  [ 6.731311] systemd-logind[707]: Watching system buttons on /dev/input/event0 (AT Translated Set 2 keyboard)
  [ 6.734306] systemd[1]: Started User Login Management.
  [ 6.762172] systemd[1]: Started Name Service Cache Daemon (nsncd).
  [ 6.764253] nsncd[750]: Jan 20 20:53:16.581 INFO started, config: Config { ignored_request_types: {}, worker_count: 8, handoff_timeout: 3s }, path: "/var/run/nscd/socket"
  [ 6.767328] systemd[1]: Reached target Host and Network Name Lookups.
  [ 6.768655] systemd[1]: Reached target User and Group Name Lookups.
  [ 6.771096] systemd[1]: Finished resolvconf update.
  [ 6.771760] systemd[1]: Reached target Preparation for Network.
  [ 6.776104] systemd[1]: Starting DHCP Client...
  [ 6.779801] systemd[1]: Starting Address configuration of eth1...
  [ 6.862637] network-addresses-eth1-start[775]: adding address 192.168.1.1/24... done
  [ 6.872977] holo-host-agent-start[695]: [2025-01-20T20:53:16Z INFO util_libs::nats_js_client] NATS-CLIENT-LOG::Host Agent::Connected to NATS server at 127.0.0.1:4222
  [ 6.880800] network-addresses-eth1-start[775]: adding address 2001:db8:1::1/64... done
  [ 6.903973] systemd[1]: Finished Address configuration of eth1.
  ```
* separate out orchestrator client into own feature pr
* chore: nix fmt
* update hpos naming
* improve workload desc
* restore `WorkloadApiResult`
* remove host env var
* temporary(flake): bump blueprint for upstreamed fixes
* feat(nix/packages/rust-workspace): expose rust binaries
  previously it would only expose the target directory as an archive.
* feat(nix): introduce holo-host-agent module with integration test
  the holo-host agent also pulls in extra-container as that's going to be the initial vehicle for defining and running host workloads.
* feat(nix/holo-nats-server): make port and leafnodeport configurable
* host-agent: improve resilience and configuration
* turn some hardcoded values into CLI arguments
* wait (with a timeout) for NATS to be ready to serve connections
* pass through NATS stdout/stderr
* provision (techdebt) TODOs
* feat(holo-nats-server): use lib.mkDefault for defaults
  otherwise users will require `lib.mkForce` or similar to override
* feat(nix/modules/nixos): expose blueprint's publisherArgs
  otherwise it uses `flake` from downstream consumers which will not work as expected.
* feat(nixos module holo-nats-server): add openFirewall cfg and use correct ports
* feat(nixos module holo-nats-server): configure TLS websockets via caddy
  primarily this is motivated by TLS encryption. websockets are straightforward to gate via a reverse TLS proxy like caddy. as a nice side-effect, external clients and leafnodes can now connect via a shared port.
* feat,refactor(host-agent): TLS websocket connection, CLI args, config serialization
* feat(nixos module holo-host-agent): add hub TLS options and add extra args option
* test(holo-agent-integration-nixos): adapt to TLS via websocket
* feat(host-agent/cli): require command
* feat(host-agent): close NATS client connection before exiting the process
  Co-authored-by: Lisa Jetton <[email protected]>
* adjust codebase to new types
* add nix formatter updates
* update .env.example
* test with only 1 hpos
* correct log msg
* remove js prefix condition
* update README
* refactor/util-libs (#73)
* refactor workload service (#71)
* refactor-client-dir (#69)

---------

Co-authored-by: Stefan Junker <[email protected]>
Co-authored-by: Stefan Junker <[email protected]>
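The commit message above describes retrying the connection to a freshly spawned NATS leaf server and waiting, with a timeout, until it serves connections. The following is an added example of that pattern, not code from this pull request: `wait_for_tcp` and `demo_late_server` are hypothetical names, and it probes a plain TCP port with the standard library rather than using the project's NATS client.

```rust
use std::io;
use std::net::{SocketAddr, TcpListener, TcpStream};
use std::thread;
use std::time::{Duration, Instant};

/// Hypothetical helper: retry a TCP connect every `interval` until `timeout` elapses.
/// Returns the open stream plus the number of attempts that failed first, so the
/// caller can log the retries; a hard deadline keeps a dead server from hanging boot.
pub fn wait_for_tcp(
    addr: SocketAddr,
    interval: Duration,
    timeout: Duration,
) -> io::Result<(TcpStream, u32)> {
    let deadline = Instant::now() + timeout;
    let mut failed_attempts = 0;
    loop {
        // connect_timeout rejects a zero duration, so clamp to at least 1 ms.
        match TcpStream::connect_timeout(&addr, interval.max(Duration::from_millis(1))) {
            Ok(stream) => return Ok((stream, failed_attempts)),
            Err(err) => {
                failed_attempts += 1;
                if Instant::now() + interval > deadline {
                    let msg = format!("{addr} not ready after {failed_attempts} attempts: {err}");
                    return Err(io::Error::new(io::ErrorKind::TimedOut, msg));
                }
                eprintln!("connecting to {addr}: {err}, retrying in {interval:?}");
                thread::sleep(interval);
            }
        }
    }
}

/// Constructed scenario: a listener that only starts after `delay`, like a server still booting.
pub fn demo_late_server(delay: Duration) -> io::Result<u32> {
    let probe = TcpListener::bind("127.0.0.1:0")?;
    let addr = probe.local_addr()?;
    drop(probe); // free the port so the first connects are refused
    let server = thread::spawn(move || {
        thread::sleep(delay);
        let listener = TcpListener::bind(addr).expect("rebind reserved port");
        let _ = listener.accept();
    });
    let (stream, failed_attempts) =
        wait_for_tcp(addr, Duration::from_millis(100), Duration::from_secs(5))?;
    drop(stream);
    server.join().ok();
    Ok(failed_attempts)
}

fn main() {
    println!("failed attempts: {:?}", demo_late_server(Duration::from_millis(250)));
}
```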
Base automatically changed from orchestrator-client to 43-orchestrator-client February 21, 2025 23:37
Updates:
Links to issue https://github.com/Holo-Host/holo-host-private/issues/45#issue-2699061153