fix(homebrew): repair local driver bootstrap state #1527

Open
TaylorMutch wants to merge 2 commits into main from fix-homebrew-local-driver-bootstrap/tm

@TaylorMutch
Collaborator

Summary

Fix the macOS Homebrew/local-driver bootstrap state that can leave Docker or Podman sandboxes unable to connect back to the gateway after an upgrade.

This addresses the installer/runtime repair gaps tracked in #1525 and covers the stale supervisor image symptom tracked in #1523.

Problem

During local macOS debugging we found three upgrade-state issues:

  • the Homebrew service wrapper copied TLS certs into OPENSHELL_LOCAL_TLS_DIR but did not copy the generated sandbox JWT keys
  • openshell-gateway generate-certs --output-dir ... skipped existing TLS bundles even when the server certificate was missing newer required SANs like host.containers.internal
  • local Docker/Podman drivers could keep using stale supervisor images for mutable tags like dev or latest

The stale TLS case broke the explicit Podman driver because its default gateway endpoint uses https://host.containers.internal:17670, while older generated certs did not contain that SAN.

Changes

  • Copy jwt/signing.pem, jwt/public.pem, and jwt/kid into the Homebrew service-local TLS directory before starting the gateway.
  • Expose DEFAULT_SERVER_SANS from openshell-bootstrap so local cert repair can compare existing certs against the same SAN set used for generation.
  • Teach local certgen to parse the existing server certificate SANs and refresh TLS material when required SANs are missing.
  • Preserve existing JWT signing material when only TLS needs to be refreshed.
  • Refresh mutable Docker supervisor tags (dev/latest) before extracting the supervisor binary, with fallback to the local image if the refresh fails.
  • Refresh mutable Podman supervisor tags using Podman's newer policy while keeping pinned and digest references on missing.

Compatibility

  • Existing complete local bundles with current SANs still skip regeneration.
  • Legacy TLS-only bundles still get JWT material added.
  • Existing JWT keys are preserved when only stale TLS is repaired, so previously minted token validation state is not unnecessarily rotated.
  • Pinned supervisor image tags and digest references keep the previous cache-friendly behavior.

Testing

  • git diff --check
  • python3 -c 'import ast, pathlib; ast.parse(pathlib.Path("tasks/scripts/release.py").read_text())'
  • cargo test -p openshell-bootstrap pki
  • cargo test -p openshell-driver-docker supervisor
  • cargo test -p openshell-server certgen
  • cargo test -p openshell-driver-podman supervisor_pull_policy

Fixes #1525
Related #1523
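
The repair decision described above (refresh TLS when a required SAN is missing, create JWT keys only when they are absent), as an added Rust example that is not code from this pull request. `RepairPlan`, `missing_sans`, `plan_repair` and the SAN lists are hypothetical, and the SANs are assumed to have already been read out of the existing certificate.

```rust
use std::collections::HashSet;
use std::net::IpAddr;

/// What a local bootstrap repair has to do (hypothetical type, not the project's).
#[derive(Debug, PartialEq)]
pub struct RepairPlan {
    pub regenerate_tls: bool,
    pub generate_jwt: bool,
}

/// Normalize a SAN so DNS names compare case-insensitively (ignoring a trailing
/// dot) and IP addresses compare by value ("::1" equals "0:0:0:0:0:0:0:1").
fn normalize(san: &str) -> String {
    let s = san.trim().trim_end_matches('.');
    match s.parse::<IpAddr>() {
        Ok(ip) => format!("ip:{ip}"),
        Err(_) => format!("dns:{}", s.to_ascii_lowercase()),
    }
}

/// Required SANs that the existing certificate does not carry.
pub fn missing_sans(existing: &[&str], required: &[&str]) -> Vec<String> {
    let have: HashSet<String> = existing.iter().map(|s| normalize(s)).collect();
    required
        .iter()
        .copied()
        .filter(|r| !have.contains(&normalize(r)))
        .map(String::from)
        .collect()
}

/// `existing_sans` is None when no server certificate is on disk.
pub fn plan_repair(existing_sans: Option<&[&str]>, required: &[&str], jwt_present: bool) -> RepairPlan {
    let regenerate_tls = match existing_sans {
        None => true,
        Some(sans) => !missing_sans(sans, required).is_empty(),
    };
    // JWT keys are created only when absent, so a TLS-only refresh never rotates them.
    RepairPlan { regenerate_tls, generate_jwt: !jwt_present }
}

fn main() {
    // Constructed SAN lists; the real DEFAULT_SERVER_SANS is not shown on this page.
    let required = ["localhost", "127.0.0.1", "::1", "host.containers.internal"];
    let old_cert = ["LOCALHOST", "127.0.0.1", "0:0:0:0:0:0:0:1"];
    println!("missing: {:?}", missing_sans(&old_cert, &required));
    println!("{:?}", plan_repair(Some(&old_cert[..]), &required, true));
}
```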

Development

Successfully merging this pull request may close these issues.

Homebrew local driver bootstrap should repair stale TLS/JWT state