From f5e739b23be029be2fde7f519f09897d1821ee9f Mon Sep 17 00:00:00 2001
From: Leechael Yim
Date: Fri, 13 Feb 2026 18:19:02 +0800
Subject: [PATCH 1/2] feat(kms): add auto-onboard support via config

Add `auto_onboard_url` config to automate KMS onboarding from an existing instance, removing the need for manual Web UI interaction. When set, the new KMS automatically fetches keys from the source KMS on startup. On failure, the process exits so docker restart can retry.
---
 kms/kms.toml               |  1 +
 kms/src/config.rs          |  1 +
 kms/src/main.rs            |  5 ++++-
 kms/src/onboard_service.rs | 19 +++++++++++++++++++
 4 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/kms/kms.toml b/kms/kms.toml
index 1f354066..d3976150 100644
--- a/kms/kms.toml
+++ b/kms/kms.toml
@@ -45,6 +45,7 @@ gateway_app_id = "any"
 [core.onboard]
 enabled = true
 auto_bootstrap_domain = ""
+auto_onboard_url = ""
 quote_enabled = true
 address = "0.0.0.0"
 port = 8000
diff --git a/kms/src/config.rs b/kms/src/config.rs
index 36874e1b..bf0774be 100644
--- a/kms/src/config.rs
+++ b/kms/src/config.rs
@@ -120,4 +120,5 @@ pub(crate) struct OnboardConfig {
     pub enabled: bool,
     pub quote_enabled: bool,
     pub auto_bootstrap_domain: String,
+    pub auto_onboard_url: String,
 }
diff --git a/kms/src/main.rs b/kms/src/main.rs
index eddfbdc9..bfab1e77 100644
--- a/kms/src/main.rs
+++ b/kms/src/main.rs
@@ -52,7 +52,10 @@ async fn run_onboard_service(kms_config: KmsConfig, figment: Figment) -> Result<
         "OK"
     }
 
-    if !kms_config.onboard.auto_bootstrap_domain.is_empty() {
+    if !kms_config.onboard.auto_onboard_url.is_empty() {
+        onboard_service::auto_onboard_keys(&kms_config).await?;
+        return Ok(());
+    } else if !kms_config.onboard.auto_bootstrap_domain.is_empty() {
         onboard_service::bootstrap_keys(&kms_config).await?;
         return Ok(());
     }
diff --git a/kms/src/onboard_service.rs b/kms/src/onboard_service.rs
index 4fb77dd2..65cc3f47 100644
--- a/kms/src/onboard_service.rs
+++ b/kms/src/onboard_service.rs
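Review bot: The new `auto_onboard_url = ""` key in the sample kms.toml carries no explanation of what it does, what value shape is expected, or how it interacts with `auto_bootstrap_domain`, which is all an operator has when deploying from this file. The main.rs hunk shows that a non-empty URL takes precedence over the bootstrap path, so that is worth stating here. Suggested comment above the key: `# Base URL of an existing KMS to fetch keys from at startup (empty = disabled); when set it takes precedence over auto_bootstrap_domain.`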
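Review bot: `pub auto_onboard_url: String,` is added to `OnboardConfig` without a default, so if this struct is deserialized by serde through Figment (the derive sits above the hunk and is not visible here) any existing kms.toml that lacks the new key will stop loading after the upgrade. `#[serde(default)] pub auto_onboard_url: String,` keeps older configs valid and matches the empty-string-means-disabled check that main.rs relies on. The field would also benefit from a doc comment, e.g. `/// Base URL of an existing KMS to auto-onboard from at startup; empty disables it.`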
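Review bot: The new `if` branch in `run_onboard_service` returns after `auto_onboard_keys`, but `auto_onboard_keys` (in the onboard_service.rs hunk) still passes `cfg.onboard.auto_bootstrap_domain` to `Keys::onboard`, so a config that sets `auto_onboard_url` and leaves the domain empty onboards with an empty domain unless `Keys::onboard` rejects that, which is not visible here. Failing early makes the misconfiguration explicit; with the anyhow-style `Result` this file appears to use, `ensure!(!kms_config.onboard.auto_bootstrap_domain.is_empty(), "auto_onboard_url requires auto_bootstrap_domain to be set");` before the call would do. Since each branch ends in `return Ok(())`, the `else if` can also become a plain `if`, which reads more clearly. `run_onboard_service` begins and continues outside the hunk.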
@@ -327,6 +327,25 @@ pub(crate) async fn update_certs(cfg: &KmsConfig) -> Result<()> {
     Ok(())
 }
 
+pub(crate) async fn auto_onboard_keys(cfg: &KmsConfig) -> Result<()> {
+    let source_url = cfg.onboard.auto_onboard_url.trim_end_matches('/').to_string();
+    let source_url = if source_url.ends_with("/prpc") {
+        source_url
+    } else {
+        format!("{source_url}/prpc")
+    };
+    let keys = Keys::onboard(
+        &source_url,
+        &cfg.onboard.auto_bootstrap_domain,
+        cfg.onboard.quote_enabled,
+        cfg.pccs_url.clone(),
+    )
+    .await
+    .context("failed to auto-onboard from source KMS")?;
+    keys.store(cfg)?;
+    Ok(())
+}
+
 pub(crate) async fn bootstrap_keys(cfg: &KmsConfig) -> Result<()> {
     let keys = Keys::generate(
         &cfg.onboard.auto_bootstrap_domain,

From 9a8999df64f2293c174b470b90851392b2f2f9c1 Mon Sep 17 00:00:00 2001
From: Leechael Yim
Date: Fri, 13 Feb 2026 18:35:48 +0800
Subject: [PATCH 2/2] style: apply cargo fmt

---
 kms/src/onboard_service.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kms/src/onboard_service.rs b/kms/src/onboard_service.rs
index 65cc3f47..b946e965 100644
--- a/kms/src/onboard_service.rs
+++ b/kms/src/onboard_service.rs
@@ -328,7 +328,11 @@ pub(crate) async fn update_certs(cfg: &KmsConfig) -> Result<()> {
 }
 
 pub(crate) async fn auto_onboard_keys(cfg: &KmsConfig) -> Result<()> {
-    let source_url = cfg.onboard.auto_onboard_url.trim_end_matches('/').to_string();
+    let source_url = cfg
+        .onboard
+        .auto_onboard_url
+        .trim_end_matches('/')
+        .to_string();
     let source_url = if source_url.ends_with("/prpc") {
         source_url
     } else {
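Review bot: `auto_onboard_keys` only normalizes the trailing slash and `/prpc` suffix of `auto_onboard_url` before handing it to `Keys::onboard`; nothing checks the scheme, so an `http://` value would fetch key material from the source KMS over a cleartext transport unless `Keys::onboard` enforces TLS or attestation itself (it receives `quote_enabled`, but that is operator-controlled config and may be false). Rejecting non-TLS URLs up front keeps the failure at config time rather than after a plaintext request, e.g. `ensure!(source_url.starts_with("https://"), "auto_onboard_url must use https");` right after the normalization. The function also lacks a doc comment; suggested: `/// Fetch keys from the KMS at `auto_onboard_url` (normalized to end in `/prpc`) and persist them locally; exits the process on failure via the caller's `?`.` The two shadowed `let source_url` bindings could be folded into one `match source_url.strip_suffix("/prpc")` expression, but that is cosmetic.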