Add trust quorum reconfiguration endpoints to sled-agent API #9556
cfdce9d to 79e918f
The following endpoints are created for trust quorum reconfiguration:

- POST `/trust-quorum/reconfigure` - Initiate a reconfiguration
- POST `/trust-quorum/upgrade-from-lrtq` - Upgrade from low-rent (legacy) trust quorum
- POST `/trust-quorum/commit` - Commit a trust-quorum
- GET `/trust-quorum/coordinator-status` - Get coordinator status
- POST `/trust-quorum/prepare-and-commit` - Prepare and commit a configuration

Types are organized per RFD 619 (via feeding Claude the RFD):

- API types defined in `sled-agent-types-versions/src/add_trust_quorum/`
- Re-exported via `latest.rs` and `sled-agent-types/src/trust_quorum.rs`
- API trait uses `latest::` paths for all trust quorum types

Also exports `EncryptedRackSecrets`, `Salt`, and `Sha3_256Digest` from `trust-quorum-protocol` for use in the `prepare_and_commit` handler.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
79e918f to 5ccf78a
This is still missing the
| TrustQuorumCommitResponse::Committed | ||
| } | ||
| trust_quorum::CommitStatus::Pending => { | ||
| TrustQuorumCommitResponse::Pending |
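Review bot: the `trust_quorum::CommitStatus::Pending => TrustQuorumCommitResponse::Pending` arm forwards the protocol state unchanged, although the discussion on this PR says a pending commit is always a fatal error during reconfiguration; if this handler is not where it becomes an error, the `Pending` variant's doc comment should at least state whether a caller may retry or must treat it as failure, so Nexus does not read it as a transient state.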
@andrewjstone You mentioned that this response is always a fatal error during reconfiguration of the TQ. Does that mean we should return an error response here, or should that be generated higher-up in Nexus?
| TrustQuorumCommitResponse::Committed | ||
| } | ||
| trust_quorum::CommitStatus::Pending => { | ||
| TrustQuorumCommitResponse::Pending |
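Review bot: this is the second identical `CommitStatus` to `TrustQuorumCommitResponse` match in the PR; a single `From<trust_quorum::CommitStatus> for TrustQuorumCommitResponse` impl would let both handlers write `status.into()` and keep the two mappings from drifting apart when a variant is added.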
Similarly here: should we ever return Pending from this level of the API?
| ) -> Result<HttpResponseOk<TrustQuorumCommitResponse>, HttpError> { | ||
| let sa = request_context.context(); | ||
| let request = body.into_inner(); | ||
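Review bot: `body.into_inner()` hands the handler raw `String` fields for the salt and encrypted data, so every hex and length check has to live in handler code (the author's comment below already flags the resulting mess). Moving validation to the deserialization boundary, for example a newtype with `#[serde(try_from = "String")]` that rejects non-hex input and wrong lengths, would let the handler receive already-valid bytes while still keeping the API types free of `trust-quorum-protocol` imports, which was the stated goal.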
This is a bunch of messy code to parse hex-encoded parameters representing the binary salt and data for the encrypted rack secret. I don't like it, and I want to do this better, but there's a tension because the messy parsing here prevents the necessity of tight coupling to the underlying TQ types, which was originally a desideratum. I will revisit this shortly and it should be checked carefully for correctness and cleanliness before merging.
| ) -> Result<HttpResponseUpdatedNoContent, HttpError> { | ||
| Ok(HttpResponseUpdatedNoContent()) | ||
| } | ||
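Review bot: a body that only returns `Ok(HttpResponseUpdatedNoContent())` makes the simulated sled-agent report a successful trust quorum operation without recording any state, so a test driving a commit through the simulator would pass against a no-op. If these are not going to be implemented here (the open question below), return an explicit not-implemented/unavailable `HttpError` or mark the stubs with a comment so the behaviour is deliberate rather than silently accepting.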
Do we want to implement these methods in the simulator or not?
| pub coordinator: BaseboardId, | ||
| /// All members of the configuration and the hex-encoded SHA3-256 hash of | ||
| /// their key shares. | ||
| pub members: BTreeMap<BaseboardId, String>, |
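Review bot: `pub members: BTreeMap<BaseboardId, String>` carries the "hex-encoded SHA3-256 hash" contract only in the doc comment, so the generated OpenAPI schema accepts any string and a malformed or wrong-length digest is caught, if at all, in the handler. A dedicated digest newtype with hex `Serialize`/`Deserialize` and a fixed 32-byte check would enforce the invariant at the type level and give the schema a length/pattern to validate against.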
The use of hex-encoded Strings here is not my favorite. As above — not sure what to do about it, let's discuss.
| #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, JsonSchema)] | ||
| pub struct TrustQuorumEncryptedRackSecrets { | ||
| /// Hex-encoded 32-byte salt used to derive the encryption key. | ||
| pub salt: String, |
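Review bot: `pub salt: String` documented as a "32-byte salt" has the same gap as the member hashes: the length requirement is not enforced by the type. Backing the field with a `[u8; 32]` newtype serialized as hex would make `TrustQuorumEncryptedRackSecrets` self-validating and reduce the handler's conversion to the protocol `Salt` to a single step.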
Hex-encoded string manually parsed in API handler: gross, how to better?
| /// Hex-encoded 32-byte salt used to derive the encryption key. | ||
| pub salt: String, | ||
| /// Hex-encoded encrypted data. | ||
| pub data: String, |
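Review bot: the doc comment on `data` ("Hex-encoded encrypted data") does not say what the ciphertext is expected to contain, for instance whether a nonce or authentication tag is part of it, or how it maps onto `EncryptedRackSecrets` in `trust-quorum-protocol`; please document the exact format so API clients can construct it, and consider the same hex newtype treatment as for `salt`.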
A final hex-encoded string manually parsed in the API handler.
| EncryptedRackSecrets, RackSecret, ReconstructedRackSecret, Salt, | ||
| Sha3_256Digest, |
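Review bot: widening the `trust-quorum-protocol` public surface to `Salt` and `Sha3_256Digest` only so the API handler can convert hex strings (the open question below) couples the API crate to protocol internals; an alternative that keeps them private is a constructor on the already-exported `EncryptedRackSecrets` that accepts the raw salt and data bytes and performs the length checks itself, so only that one type crosses the crate boundary.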
Is it okay to export Salt and Sha3_256Digest here? Or is there a different or better way to handle the need for these in the API?
Looks like the build is failing in CI because of: a missing implementation of the added
Adds version 13 (`ADD_TRUST_QUORUM`) to the Sled Agent API with the following endpoints for trust quorum reconfiguration:

- `/trust-quorum/reconfigure` - Initiate a reconfiguration
- `/trust-quorum/upgrade-from-lrtq` - Upgrade from low-rent (legacy) trust quorum
- `/trust-quorum/commit` - Commit a trust-quorum
- `/trust-quorum/coordinator-status` - Get coordinator status
- `/trust-quorum/prepare-and-commit` - Prepare and commit a configuration

Types are organized per RFD 619 (via feeding Claude the RFD):

- API types defined in `sled-agent-types-versions/src/add_trust_quorum/`
- Re-exported via `latest.rs` and `sled-agent-types/src/trust_quorum.rs`
- API trait uses `latest::` paths for all trust quorum types

Also exports `EncryptedRackSecrets`, `Salt`, and `Sha3_256Digest` from `trust-quorum-protocol` for use in the `prepare_and_commit` handler.

Co-authored by Claude Code