carverauto/serviceradar

Fork

You've already forked serviceradar

Code Issues 190 Pull requests 16 Projects Releases 173 Packages Wiki Activity Actions

Implement zero-touch onboarding across the ServiceRadar stack #619

New issue

Closed

opened 2026-03-28 04:26:30 +00:00 by mfreeman451 · 1 comment

mfreeman451 commented

2026-03-28 04:26:30 +00:00

Owner

Copy link

Imported from GitHub.

Original GitHub issue: #1891
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/issues/1891
Original created: 2025-10-25T21:32:00Z

Summary

Deliver zero/low-touch onboarding across the full ServiceRadar stack (Core services, NATS/DataSvc, SRQL, Proton, OTEL collector, trapd, flowgger, agents, pollers, checkers, edge NATS leaf nodes).
Make container/Kubernetes installs frictionless by auto-configuring SPIFFE/SPIRE and service credentials during deployment.
Provide automation-friendly scripts for bare-metal and edge rollouts that minimize manual configuration.

Background

docs/docs/agent-onboarding-plan.md (updated 2025-10-25) now outlines stack-wide requirements, highlights the absence of onboarding APIs/CLI/UX, and documents gaps in SPIFFE packaging for both core and edge services.
Today every service, including the demo environment, depends on pre-baked configs and static TLS material; no centralized approval or identity issuance exists.

Tasks

#1892
Finalize a product brief capturing API contracts, datastore schema, audit logging, and UX states for onboarding every service role.
Implement Core onboarding service endpoints with persistence, token validation, SPIFFE entry creation hooks, and regression coverage.
Extend all runtimes (core services, agents, pollers, checkers, NATS leaf nodes) plus serviceradar-cli to perform the bootstrap handshake, manage returned credentials, and rotate/revoke enrollment packs.
Build admin UI workflows for pending registrations, bulk approvals, template assignment, and activity history, with policy controls for auto-approval by role/site.
Harden the security story: define bootstrap credential lifecycle, ship SPIRE server/agent packaging for container and bare-metal targets, and document fallbacks when SPIRE is unavailable.
Finalize reusable configuration templates and schema validation, wiring KV/Data Service interactions, NATS routing, and service-specific defaults into the approval flow.
Update Docker/K8s manifests and Helm/Compose assets so installs auto-bootstrap via SPIFFE with zero manual secret editing.
Ship bare-metal/VM automation (scripts, Ansible/Terraform roles) that install the stack, register services with SPIRE, and verify successful activation end to end.
Add demo environment automation that exercises the full onboarding path as part of CI/release validation.

Acceptance Criteria

SPIFFE/SPIRE is deployed and documented in the demo namespace; core services successfully authenticate via SPIFFE as a baseline.
Core onboarding endpoints exist with tests, docs, and audit logs; SPIFFE entries are created automatically on approval.
Every runtime can start with only endpoint + bootstrap token, obtain SPIFFE or mTLS credentials, and reconnect without manual file edits.
serviceradar-cli supports enrollment pack create/rotate/revoke and stack bootstrap commands with documentation and examples.
Web UI exposes pending registrations, approval history, bulk actions, and policy-based auto-approval.
Container/K8s deployments come up fully authenticated without manual secret injection; bare-metal scripts configure SPIRE and services with minimal input.
Demo namespace automation validates the zero-touch workflow and is integrated into the release checklist.

Imported from GitHub. Original GitHub issue: #1891 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/issues/1891 Original created: 2025-10-25T21:32:00Z --- ### Summary - Deliver zero/low-touch onboarding across the full ServiceRadar stack (Core services, NATS/DataSvc, SRQL, Proton, OTEL collector, trapd, flowgger, agents, pollers, checkers, edge NATS leaf nodes). - Make container/Kubernetes installs frictionless by auto-configuring SPIFFE/SPIRE and service credentials during deployment. - Provide automation-friendly scripts for bare-metal and edge rollouts that minimize manual configuration. ### Background - `docs/docs/agent-onboarding-plan.md` (updated 2025-10-25) now outlines stack-wide requirements, highlights the absence of onboarding APIs/CLI/UX, and documents gaps in SPIFFE packaging for both core and edge services. - Today every service, including the demo environment, depends on pre-baked configs and static TLS material; no centralized approval or identity issuance exists. ### Tasks - [x] #1892 - [ ] Finalize a product brief capturing API contracts, datastore schema, audit logging, and UX states for onboarding every service role. - [ ] Implement Core onboarding service endpoints with persistence, token validation, SPIFFE entry creation hooks, and regression coverage. - [x] Extend all runtimes (core services, agents, pollers, checkers, NATS leaf nodes) plus `serviceradar-cli` to perform the bootstrap handshake, manage returned credentials, and rotate/revoke enrollment packs. - [ ] Build admin UI workflows for pending registrations, bulk approvals, template assignment, and activity history, with policy controls for auto-approval by role/site. - [x] Harden the security story: define bootstrap credential lifecycle, ship SPIRE server/agent packaging for container and bare-metal targets, and document fallbacks when SPIRE is unavailable. - [ ] Finalize reusable configuration templates and schema validation, wiring KV/Data Service interactions, NATS routing, and service-specific defaults into the approval flow. - [x] Update Docker/K8s manifests and Helm/Compose assets so installs auto-bootstrap via SPIFFE with zero manual secret editing. - [ ] Ship bare-metal/VM automation (scripts, Ansible/Terraform roles) that install the stack, register services with SPIRE, and verify successful activation end to end. - [ ] Add demo environment automation that exercises the full onboarding path as part of CI/release validation. ### Acceptance Criteria - SPIFFE/SPIRE is deployed and documented in the demo namespace; core services successfully authenticate via SPIFFE as a baseline. - Core onboarding endpoints exist with tests, docs, and audit logs; SPIFFE entries are created automatically on approval. - Every runtime can start with only endpoint + bootstrap token, obtain SPIFFE or mTLS credentials, and reconnect without manual file edits. - `serviceradar-cli` supports enrollment pack create/rotate/revoke and stack bootstrap commands with documentation and examples. - Web UI exposes pending registrations, approval history, bulk actions, and policy-based auto-approval. - Container/K8s deployments come up fully authenticated without manual secret injection; bare-metal scripts configure SPIRE and services with minimal input. - Demo namespace automation validates the zero-touch workflow and is integrated into the release checklist.

mfreeman451 added the

feature

label

2026-03-28 04:26:30 +00:00

mfreeman451 commented

2026-03-28 04:26:30 +00:00

Author

Owner

Copy link

Imported GitHub comment.

Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/issues/1891#issuecomment-3813918899
Original created: 2026-01-28T21:02:49Z

closing, stale

Imported GitHub comment. Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/issues/1891#issuecomment-3813918899 Original created: 2026-01-28T21:02:49Z --- closing, stale

mfreeman451 closed this issue

2026-03-28 04:26:30 +00:00

No Branch/Tag specified

staging

2406-feat-agent-fleet-management-secure-self-update-system

bug/k8s-helm-deployments

chore/k8s-arc-update

rust-fix

2371-analytics-stats-cards-should-abbreviate-numbers

chore/perl-cleanup

2942-featweb-ng-add-logs-tab-to-device-details-page

192-feat-tftp-server

mikemiles-dev/feature/netflow_collection

testing

dependabot/cargo/hostname-0.4.1

dependabot/cargo/redis-1.0.1

dependabot/cargo/bb8-0.9.0

dependabot/cargo/rcgen-0.14.6

dependabot/cargo/hyper-1.8.1

dependabot/cargo/hyper-util-0.1.19

dependabot/cargo/clap-4.5.51

dependabot/cargo/thiserror-2.0.17

dependabot/cargo/time-tz-2.0.0

dependabot/cargo/tonic-build-0.14.2

main

dependabot/npm_and_yarn/docs/mdast-util-to-hast-13.2.1

815-feat-support-win32-for-agentpoller

gh-pages

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.2

v1.1.0

v1.0.92

v1.0.91

v1.0.90

v1.0.89

v1.0.88

v1.0.87

v1.0.86

v1.0.85

v1.0.84

v1.0.83

v1.0.82

v1.0.81

v1.0.78

v1.0.77

v1.0.76

v1.0.70

v1.0.69

v1.0.68

v1.0.67

v1.0.66

v1.0.65

v1.0.64

v1.0.63

v1.0.62

v1.0.61

v1.0.60

v1.0.59

v1.0.58

1.0.57

v1.0.56

v1.0.55

v1.0.54-pre5

v1.0.53

v1.0.53-pre19

v1.0.53-pre18

v1.0.53-pre17

v1.0.53-pre15

1.0.53-pre10

1.0.53-pre9

1.0.53-pre8

1.0.53-pre7

1.0.53-pre6

1.0.53-pre5

1.0.53-pre4

1.0.53-pre3

1.0.53-pre2

1.0.53-pre1

1.0.52

1.0.51

1.0.50

1.0.49

1.0.49-pre5

1.0.49-pre4

1.0.49-pre3

1.0.49-pre2

1.0.48

1.0.48-rc2

1.0.48-rc1

1.0.48-pre8

1.0.48-pre7

1.0.48-pre6

1.0.48-pre5

1.0.48-pre4

1.0.48-pre3

1.0.48-pre2

1.0.48-pre1

1.0.47

1.0.47-pre8

1.0.47-pre7

1.0.47-pre6

1.0.47-pre5

1.0.47-pre4

1.0.47-pre3

1.0.47-pre2

1.0.47-pre1

1.0.46

1.0.46-pre9

1.0.46-pre8

1.0.46-pre7

1.0.46-pre6

1.0.46-pre5

1.0.46-pre4

1.0.46-pre3

1.0.46-pre2

1.0.46-pre1

1.0.45

1.0.44

1.0.44-pre12

1.0.44-pre11

1.0.44-pre10

1.0.44-pre9

1.0.44-pre8

1.0.44-pre7

1.0.44-pre6

1.0.44-pre5

1.0.44-pre4

1.0.44-pre3

1.0.44-pre2

1.0.44-pre1

1.0.43

1.0.42

1.0.41

1.0.41-pre1

1.0.40

1.0.40-pre11

1.0.40-pre10

1.0.40-pre9

1.0.40-pre8

1.0.40-pre7

1.0.40-pre6

1.0.40-pre5

1.0.40-pre4

1.0.40-pre3

1.0.40-pre2

1.0.40-pre1

1.0.39

1.0.38

1.0.37

1.0.36

1.0.36-pre5

1.0.36-pre4

1.0.36-pre3

1.0.36-pre2

1.0.35

1.0.35-pre3

1.0.35-pre2

1.0.35-pre

1.0.34-pre3

1.0.34-pre2

1.0.34-pre1

1.0.33

1.0.33-pre2

1.0.33-pre

1.0.32

1.0.31

1.0.30

1.0.29

1.0.28

1.0.27

1.0.26

1.0.25

1.0.24

1.0.23

1.0.22

1.0.21

1.0.20

1.0.19

1.0.18

1.0.17

1.0.16

1.0.15

1.0.14

1.0.13

1.0.11

1.0.10

1.0.9

1.0.8

1.0.7

1.0.6

1.0.5

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

Labels

Clear labels

1week

2weeks

Failed compliance check

IP cameras

NATS

NATS JetStream

Possible security concern

Something isn't working

build

checkers

ci-cd

continuous integration-continuous deployments

cleanup

cnpg

cloud-native postgres

Pull requests that update a dependency file

device-management

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

dusk

ebpf

enhancement

New feature or request

Pull requests that update GitHub Actions code

Pull requests that update Go code

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

javascript

Pull requests that update Javascript code

Oracle Linux related issues

otel

opentelemetry logs, traces, metrics

plug-in

proton

timeplus proton streaming database

python

question

Further information is requested

Pull requests that update rust code

sdk

security

serviceradar-agent

serviceradar-agent-gateway

This will not be worked on

zen-engine

No labels

1week

2weeks

Failed compliance check

IP cameras

NATS

Possible security concern

serviceradar-agent-gateway

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

carverauto/serviceradar#619

Reference in a new issue

Repository

carverauto/serviceradar

Title

Body

No description provided.

Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?

Rows
Columns