feat(rpm): replace init-pki.sh with openshell-gateway generate-certs #1426
Merged
Cuts the RPM gateway over to the unified Rust certgen path. The systemd
user unit's first ExecStartPre now invokes:
/usr/bin/openshell-gateway generate-certs --output-dir %S/openshell/tls
producing the same six-PEM layout init-pki.sh built (ca.{crt,key},
server/tls.{crt,key}, client/tls.{crt,key}) and the same CLI mTLS copy
under $XDG_CONFIG_HOME/openshell/gateways/openshell/mtls/. None of the
OPENSHELL_TLS_* / OPENSHELL_PODMAN_TLS_* paths in the unit change.
Adds host.containers.internal to the gateway's built-in SAN list so
podman containers reaching their host validate cleanly with no
per-deployment --server-san flag. Docker (host.docker.internal) and
Kubernetes (cluster.local DNS) were already covered.
Drops 197 lines of openssl shell and the install/file lines for the script
itself, and updates the docs (man page, RPM CONFIGURATION.md, env-file
generator comment) to point at the new entrypoint. The %S state dir,
unit security hardening, and consumer paths are untouched.
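As an added illustration, not code from this PR or from openshell (whose certgen is the Rust `openshell_server::certgen` module), the Go program below models the first-start contract the description lays out: the six-PEM layout under one output directory, private keys written 0600, `host.containers.internal` in the built-in SAN list, an idempotent skip when all six files already exist, and a hard failure with a recovery hint when only some of them do. Everything beyond what the PR states is an assumption of this example: the `localhost` SAN, P-256 keys, 0644 mode for the certificates, the exact error wording, and the names `GenerateCerts`, `issue` and `VerifyLayout`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Six-PEM layout from the PR, relative to --output-dir.
var pkiFiles = []string{"ca.crt", "ca.key", "server/tls.crt", "server/tls.key", "client/tls.crt", "client/tls.key"}
var builtinSANs = []string{"localhost", "host.containers.internal", "host.docker.internal"} // *.internal from the PR; localhost assumed

// GenerateCerts models the ExecStartPre semantics: complete layout -> skip, partial layout ->
// refuse with a recovery hint (wording assumed), empty dir -> fresh CA plus server and client leaves.
func GenerateCerts(dir string, extraSANs []string) (skipped bool, err error) {
	present := 0
	for _, f := range pkiFiles {
		if _, err := os.Stat(filepath.Join(dir, f)); err == nil {
			present++
		}
	}
	if present == len(pkiFiles) {
		return true, nil // "PKI files already exist, skipping"
	}
	if present > 0 {
		return false, fmt.Errorf("partial PKI state in %s (%d of %d files); remove the directory and restart to regenerate", dir, present, len(pkiFiles))
	}
	ca, caKey, err := issue(dir, "ca", "openshell-ca", nil, x509.ExtKeyUsageAny, nil, nil)
	if err != nil {
		return false, err
	}
	// extraSANs plays the role of --server-san; copy builtinSANs so the package-level slice is never appended to.
	if _, _, err = issue(dir, "server/tls", "server", append(append([]string(nil), builtinSANs...), extraSANs...), x509.ExtKeyUsageServerAuth, ca, caKey); err != nil {
		return false, err
	}
	_, _, err = issue(dir, "client/tls", "client", nil, x509.ExtKeyUsageClientAuth, ca, caKey)
	return false, err
}

// issue generates a P-256 key and a certificate for cn (a self-signed CA when parent is nil),
// writing <dir>/<base>.crt as 0644 and <dir>/<base>.key as 0600.
func issue(dir, base, cn string, sans []string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail on Linux
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), BasicConstraintsValid: true,
		IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if parent == nil { // self-signed root: sign the template with its own key
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	path := filepath.Join(dir, base)
	if err = os.MkdirAll(filepath.Dir(path), 0o700); err == nil {
		err = os.WriteFile(path+".crt", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644)
	}
	if err == nil {
		err = os.WriteFile(path+".key", pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyLayout is the post-generation check: six files present, keys mode 0600, server key
// matches its certificate, and the server certificate chains to ca.crt for dnsName (serverAuth).
func VerifyLayout(dir, dnsName string) error {
	for _, f := range pkiFiles {
		if st, err := os.Stat(filepath.Join(dir, f)); err != nil || (filepath.Ext(f) == ".key" && st.Mode().Perm() != 0o600) {
			return fmt.Errorf("%s: missing or not mode 0600: %v", f, err)
		}
	}
	roots := x509.NewCertPool()
	if caPEM, _ := os.ReadFile(filepath.Join(dir, "ca.crt")); !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("ca.crt: no certificate found")
	}
	pair, err := tls.LoadX509KeyPair(filepath.Join(dir, "server/tls.crt"), filepath.Join(dir, "server/tls.key"))
	if err != nil {
		return err
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0])
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() { // ./tls stands in for --output-dir %S/openshell/tls; extra args act like --server-san
	skipped, err := GenerateCerts("./tls", os.Args[1:])
	fmt.Println("skipped:", skipped, "generate:", err, "verify:", VerifyLayout("./tls", "host.containers.internal"))
}
```

`VerifyLayout` is the check worth running after the unit's `ExecStartPre`: it rejects a key that is not 0600, a server key that does not match its certificate, and a server certificate that does not chain to ca.crt for the name a podman container will actually dial. `GenerateCerts` refuses a partial directory rather than filling in the missing files, so a CA and a leaf from different runs can never end up side by side.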
TaylorMutch approved these changes on May 18, 2026
Summary
RPM cutover: the gateway systemd user unit's `ExecStartPre` now invokes `openshell-gateway generate-certs --output-dir %S/openshell/tls` instead of the 197-line `deploy/rpm/init-pki.sh` openssl wrapper. One PKI implementation, one file layout, real test coverage.
Builds on #1257, which landed the `generate-certs` subcommand and its `--output-dir` local mode.
Related Issue
Related to #1258 (supersedes `tmutch/rpm-certgen-cutover`).
Changes
Testing
Validated end-to-end on Fedora 43 VM (rootless Podman, netavark) with the built RPMs:
Ph1: `init-pki.sh` absent from RPM; correct `ExecStartPre` lines in unit file
Ph2: First-start PKI generation via `openshell_server::certgen`; TLS+mTLS enabled
Ph3: 6 PEM files, correct layout, 600 key permissions, CA chain valid
Ph4: All 9 SANs confirmed including new `host.containers.internal`
Ph5: CLI auto-discovery certs populated at `~/.config/openshell/gateways/openshell/mtls/`
Ph6: Idempotency — restart skips regen with `PKI files already exist, skipping`
Ph7: Self-healing — deleted CLI mtls dir re-populated on restart without PKI regen
Ph8: mTLS enforced (plaintext → reset; no-client-cert → TLS alert; full mTLS → success)
Ph9: Podman sandbox created, exec'd, deleted; supervisor connected via `host.containers.internal`
Ph10: Cert rotation — delete TLS dir → new certs → CLI certs updated → sandbox works
Ph11: Partial state → `ExecStartPre` fails with explicit recovery hint
`mise run pre-commit` passes
Unit tests pass (14 certgen + 3 pki tests)
E2E tests added/updated (not applicable — RPM packaging path)
Checklist