Add trust quorum reconfiguration endpoints to sled-agent API #9556
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
plaidfinch
force-pushed
the
sled-agent-trust-quorum-api
branch
2 times, most recently
from
79e918f to
5ccf78a
Compare
This comment was marked as outdated.
This comment was marked as outdated.
plaidfinch
commented
Dec 21, 2025
This comment was marked as resolved.
This comment was marked as resolved.
plaidfinch
force-pushed
the
sled-agent-trust-quorum-api
branch
from
60f26bb to
9f00be2
Compare
plaidfinch
commented
Dec 21, 2025
plaidfinch
added a commit
that referenced
this pull request
Dec 24, 2025
This commit addresses feedback from PR #9556 review: - Changed all idempotent mutating endpoints from POST to PUT - `/trust-quorum/reconfigure` → `/trust-quorum/configuration` - `/trust-quorum/upgrade-from-lrtq` → `/trust-quorum/upgrade` - `trust_quorum_commit` now returns `HttpResponseUpdatedNoContent` and returns an error if `CommitStatus::Pending` is returned (which indicates an unexpected state) - `trust_quorum_proxy_commit` follows the same pattern - `trust_quorum_prepare_and_commit` continues to return `CommitStatus` (per discussion, `Pending` is valid here, unlike above) - Changed from `PUT` with `TypedBody<TrustQuorumProxyStatusRequest>` to `GET` with `Query<BaseboardId>` - The destination baseboard ID is now passed as query parameters instead of a request body, which is more appropriate for a read-only operation Added `#[serde(rename_all = "snake_case")]` to enum types for consistent JSON serialization: - `Alarm` variants - `CommitStatus` variants - `ConfigurationError` variants - `RackSecretReconstructError` variants - `DecryptionError` variants - `SplitError` and `CombineError` (in gfss) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
plaidfinch
added a commit
that referenced
this pull request
Dec 24, 2025
This commit addresses feedback from PR #9556 review: - Changed all idempotent mutating endpoints from POST to PUT - `/trust-quorum/reconfigure` → `/trust-quorum/configuration` - `/trust-quorum/upgrade-from-lrtq` → `/trust-quorum/upgrade` - `trust_quorum_commit` now returns `HttpResponseUpdatedNoContent` and returns an error if `CommitStatus::Pending` is returned (which indicates an unexpected state) - `trust_quorum_proxy_commit` follows the same pattern - `trust_quorum_prepare_and_commit` continues to return `CommitStatus` (per discussion, `Pending` is valid here, unlike above) - Changed from `PUT` with `TypedBody<TrustQuorumProxyStatusRequest>` to `GET` with `Query<BaseboardId>` - The destination baseboard ID is now passed as query parameters instead of a request body, which is more appropriate for a read-only operation Added `#[serde(rename_all = "snake_case")]` to enum types for consistent JSON serialization: - `Alarm` variants - `CommitStatus` variants - `ConfigurationError` variants - `RackSecretReconstructError` variants - `DecryptionError` variants - `SplitError` and `CombineError` (in gfss) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
plaidfinch
force-pushed
the
sled-agent-trust-quorum-api
branch
from
822db60 to
720e481
Compare
Contributor
andrewjstone
left a comment
andrewjstone
left a comment
There was a problem hiding this comment.
This looks great @plaidfinch! Thanks for taking care of this.
My biggest request is that we don't re-export types everywhere and instead use them directly from their crates.
plaidfinch
added a commit
that referenced
this pull request
Dec 30, 2025
- HTTP methods corrected (POST for non-idempotent operations) - Re-exports removed between TQ crates - Salt::new() reverted to inherent method - Hex schema annotations for OpenAPI - InlineErrorChain for error formatting - Lines hard-wrapped at 80 cols
The following endpoints are created for trust quorum reconfiguration: - POST `/trust-quorum/reconfigure` - Initiate a reconfiguration - POST `/trust-quorum/upgrade-from-lrtq` - Upgrade from low-rent (legacy) trust quorum - POST `/trust-quorum/commit` - Commit a trust-quorum - GET `/trust-quorum/coordinator-status` - Get coordinator status - POST `/trust-quorum/prepare-and-commit` - Prepare and commit a configuration Types are organized per RFD 619 (via feeding Claude the RFD): - API types defined in `sled-agent-types-versions/src/add_trust_quorum/` - Re-exported via `latest.rs` and `sled-agent-types/src/trust_quorum.rs` - API trait uses `latest::` paths for all trust quorum types Also exports `EncryptedRackSecrets`, `Salt`, and `Sha3_256Digest` from `trust-quorum-protocol` for use in the `prepare_and_commit` handler. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add three new proxy endpoints to the sled-agent API that allow forwarding trust quorum operations to other nodes: - POST `/trust-quorum/proxy/commit` - POST `/trust-quorum/proxy/prepare-and-commit` - POST `/trust-quorum/proxy/status` Also refactors the trust quorum types to use `serde_with` with `Hex` encoding for cleaner serialization of digests and encrypted rack secrets, replacing manual hex string parsing with automatic encoding/decoding. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Create `trust-quorum-types` and `trust-quorum-types-versions` crates following the RFD 619 pattern for API type versioning. - `trust-quorum-types`: Re-exports `latest::*` from versions crate - `trust-quorum-types-versions`: Contains versioned type definitions Types used in the public API of sled-agent moved into these crates, while attempting to keep as much protocol implementation as possible in the `trust-quorum-protocol` crate. Since Rust doesn't allow adding inherent methods to foreign types, methods that operated on types now in `trust-quorum-types` have been converted to free functions: - `Salt::new()` → `new_salt()` - `EncryptedRackSecrets::decrypt()` → `decrypt_rack_secrets()` - `Configuration::new()` → `new_configuration()` Moved `BaseboardId` from `sled-agent-types-versions` to `sled-hardware-types` to allow sharing across crates without circular dependency. The sled-agent trust-quorum API types now re-export from `trust-quorum-types-versions` instead of duplicating definitions, eliminating the `TrustQuorum*`-prefixed wrapper types. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit addresses feedback from PR #9556 review: - Changed all idempotent mutating endpoints from POST to PUT - `/trust-quorum/reconfigure` → `/trust-quorum/configuration` - `/trust-quorum/upgrade-from-lrtq` → `/trust-quorum/upgrade` - `trust_quorum_commit` now returns `HttpResponseUpdatedNoContent` and returns an error if `CommitStatus::Pending` is returned (which indicates an unexpected state) - `trust_quorum_proxy_commit` follows the same pattern - `trust_quorum_prepare_and_commit` continues to return `CommitStatus` (per discussion, `Pending` is valid here, unlike above) - Changed from `PUT` with `TypedBody<TrustQuorumProxyStatusRequest>` to `GET` with `Query<BaseboardId>` - The destination baseboard ID is now passed as query parameters instead of a request body, which is more appropriate for a read-only operation Added `#[serde(rename_all = "snake_case")]` to enum types for consistent JSON serialization: - `Alarm` variants - `CommitStatus` variants - `ConfigurationError` variants - `RackSecretReconstructError` variants - `DecryptionError` variants - `SplitError` and `CombineError` (in gfss) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Factor ReconfigureMsg, LrtqUpgradeMsg, CommitRequest, and PrepareAndCommitRequest into trust-quorum-types-versions so they can be shared between the protocol implementation and the sled-agent API without duplication. This simplifies the sled-agent HTTP handlers since the API types and protocol types are now identical - no conversion needed. The proxy request types (ProxyCommitRequest, ProxyPrepareAndCommitRequest) remain in sled-agent-types-versions since they add the proxy-specific destination field, and now embed the canonical request types. Co-Authored-By: Claude <noreply@anthropic.com>
- HTTP methods corrected (POST for non-idempotent operations) - Re-exports removed between TQ crates - Salt::new() reverted to inherent method - Hex schema annotations for OpenAPI - InlineErrorChain for error formatting - Lines hard-wrapped at 80 cols
plaidfinch
force-pushed
the
sled-agent-trust-quorum-api
branch
from
2538651 to
4c3a605
Compare
plaidfinch
commented
Dec 31, 2025
Contributor
Author
plaidfinch
left a comment
plaidfinch
left a comment
There was a problem hiding this comment.
I've looked through this in full again after rebase and my non-fresh eyes don't see anything amiss.
andrewjstone
approved these changes
Dec 31, 2025
Contributor
andrewjstone
left a comment
andrewjstone
left a comment
There was a problem hiding this comment.
This looks great. Awesome work @plaidfinch!
The only thing outstanding here is perhaps to make sure that we aren't still using trust_quorum_protocol to pull in types that should be coming from trust_quorum_types.
sled-agent/src/http_entrypoints.rs
Outdated
| }; | ||
| use sled_hardware_types::BaseboardId; | ||
| use slog_error_chain::InlineErrorChain; | ||
| use trust_quorum_protocol::{ |
Contributor
There was a problem hiding this comment.
shouldn't these types be coming from trust_quorum_types as they are used in the API?
Contributor
There was a problem hiding this comment.
Fixed along with a few other instances in b2fd757
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add trust quorum endpoints to the sled-agent API and factors trust-quorum types into versioned crates following the pattern blazed by RFD 619.
New sled-agent API endpoints (Version 13:
ADD_TRUST_QUORUM)PUT /trust-quorum/configuration- Initiate a reconfigurationPUT /trust-quorum/upgrade- Upgrade from legacy (LRTQ) trust quorumPUT /trust-quorum/commit- Commit a configurationGET /trust-quorum/coordinator-status- Get coordinator statusPUT /trust-quorum/prepare-and-commit- Prepare and commit a configurationPUT /trust-quorum/proxy/commit- Proxy commit to another nodePUT /trust-quorum/proxy/prepare-and-commit- Proxy prepare-and-commit to another nodeGET /trust-quorum/proxy/status- Get status from another node (destination via query params)Trust-Quorum types are now versioned
Two new crates:
trust-quorum-types: Re-exportslatest::*from the versions cratetrust-quorum-types-versions: Contains versioned type definitions withJsonSchemaderives for OpenAPI generationNote that this required turning some inherent methods into free functions (e.g.
Configuration::newintonew_configuration) because it's not possible to define an inherent method across a crate boundary, and it's not desirable to pull across a bunch of the trust-quorum-protocol implementation into the-typescrate's impl area.BaseboardIdmoved intosled-hardware-typesMoved
BaseboardIdfromsled-agent-types-versionstosled-hardware-typesto allow sharing across crates without a circular dependency (trust-quorum-typesonsled-agent-typesand vice-versa). Bothsled-agent-types-versionsandtrust-quorum-types-versionsnow re-export fromsled-hardware-types.