feature/SP-7400, swarm-db secure connection #145

Open
Villain88 wants to merge 70 commits into swarm from feature/SP-7400

Conversation

Villain88 (Collaborator) commented Feb 5, 2026

Summary by CodeRabbit

  • New Features

    • Introduced Swarm deployment orchestration framework with automated service provisioning and lifecycle management
    • Added PKI Authority service for certificate and key management
    • Added infrastructure services: MongoDB, NATS, Redis, CockroachDB, Knot DNS, and OpenResty
    • Enabled WireGuard networking support for encrypted inter-node communication
    • Switched container networking from Canal to Cilium CNI
    • Added comprehensive deployment automation and configuration management tools
  • Documentation

    • Added Swarm deployment architecture documentation and deployment workflow guides
  • Infrastructure

    • Enabled overlay filesystem and WireGuard kernel support

Villain88 and others added 30 commits November 26, 2025 11:07
… 10.13.0.0/16 subnet, improving network security configurations for the VM environment.
…c on TCP port 443 from all sources, enhancing accessibility for the API server while maintaining security configurations.
…nce security configurations while maintaining existing network access rules.
…incoming traffic for the API server, improving accessibility while maintaining security configurations.

coderabbitai bot commented Feb 5, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

This pull request introduces a comprehensive Swarm-based deployment infrastructure overhaul, adding PKI certificate management, distributed service orchestration, and enhanced VM provisioning. Key additions include: swarm-db and swarm-cloud submodules, new systemd services for Swarm components, revised initramfs with cryptographic storage and overlay filesystem, installation of MongoDB, NATS, CockroachDB, and other services, Python-based provisioning plugins, and bootstrap scripts for service registration in SwarmDB.

Changes

Cohort / File(s) / Summary

Swarm Guidance & Documentation
Files: .cursor/rules/swarm.mdc, .github/copilot-instructions.md, README_SWARM.md
Summary: New guidance files establishing Swarm as the primary source of truth for deployment architecture, CLI tooling, and service management. Comprehensive documentation of swarm-db, swarm-node, manifest handling, and ClusterPolicy/ClusterService data models.

Submodules & Build Integration
Files: .gitmodules, .github/workflows/build-sp-vm.yml
Summary: Added swarm-cloud and swarm-db as Git submodules with SSH URLs; updated CI workflow to handle submodule authentication and PKI Docker registry login.

Kernel & Initramfs Configuration
Files: src/kernel/files/configs/fragments/x86_64/superprotocol.conf, src/initramfs/files/initramfs.list, src/initramfs/files/init.sh
Summary: Enabled overlay filesystem and WireGuard kernel options; added cryptographic tools (cryptsetup, lsblk, mkfs.ext4, wipefs) to initramfs; rewrote init.sh to implement LUKS encryption, overlay mounting, and secure root switching.

Core Dockerfile & Build
Files: src/Dockerfile
Summary: Comprehensive rewrite replacing hauler/RKE2 logic with Swarm infrastructure; added e2fsprogs, swarm-db build stage, RKE2 integration with Cilium CNI, PKI authority LXC setup, and Node.js service ecosystem.

Systemd Services & PKI Authority
Files: src/rootfs/files/configs/etc/systemd/system/*.service, src/rootfs/files/configs/pki-service/systemd/*.service
Summary: Removed legacy state_disk_mount and check-config-files services; added swarm-db, swarm-node, swarm-cloud-api, swarm-services, and PKI authority services with proper dependencies and lifecycle management.

PKI Authority Implementation
Files: src/rootfs/files/configs/pki-service/scripts/*.py, src/rootfs/files/configs/pki-service/conf/*.yaml, src/services/apps/pki-authority/*.py
Summary: Complete PKI Authority provisioning with helpers for container management, YAML patching, iptables configuration, and a provisioning plugin; includes LXC-based service with health checks and Redis gateway route management.

Service Installation Scripts
Files: src/rootfs/files/scripts/install_*.sh
Summary: New installers for Node.js, CockroachDB, Knot DNS, MongoDB, NATS, OpenResty, PCCS, sync-client, and services-downloader; each integrates into the rootfs via chroot and enables required systemd services.

Service Provisioning Plugins
Files: src/services/apps/*/main.py, src/services/apps/*/manifest.yaml
Summary: Complete provisioning plugins for MongoDB, NATS, PKI Authority, test-app, and test-app-route with lifecycle commands (init, apply, health, finalize, destroy), state management, and cluster orchestration logic.

Services Downloader
Files: src/rootfs/files/configs/usr/local/lib/services-downloader/src/
Summary: Node.js-based download utility with Gatekeeper integration, resource locking, tar unpacking, and SSL/TLS support for fetching and staging service packages.

Swarm Bootstrap Scripts
Files: src/swarm-scripts/*.sh, src/swarm-scripts/swarm-cli.py
Summary: Bootstrap scripts (10–67) for registering services (WireGuard, HW measurement, latency, geo-ip, RKE2, Redis, CockroachDB, Knot, OpenResty, NATS, MongoDB, test-app, etc.) in SwarmDB; swarm-cli.py provides CLI for managing ClusterPolicies, ClusterServices, and SwarmSecrets.

Configuration & Utility Updates
Files: .gitignore, src/.dockerignore, src/rootfs/files/configs/fstab, src/rootfs/files/configs/etc/rancher/rke2/config.yaml, various helper scripts
Summary: Minor file exclusions, updated RKE2 to use Cilium CNI, removed legacy fstab mounts, added firewall hardening with debug SSH gating, and implemented kubectl symlink management.

Testing & Documentation
Files: src/swarm-scripts/test/nats_js_sync_test.*
Summary: NATS JetStream synchronization test utility with multi-node support, helper functions for stream management, and message publishing/reading verification.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes


🐰 A swarm of services now dance,
With PKI's cryptographic trance,
MongoDB, NATS, and more align,
In manifest glory they intertwine!
The rabbit's delight: orchestration divine!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Out of Scope Changes check ⚠️ Warning
Explanation: Some changes appear unrelated to certificate retrieval for swarm-db: extensive swarm service orchestration (NATS, MongoDB, Redis, RKE2), general system hardening, kernel config updates, and platform infrastructure changes beyond the SP-7400 scope.
Resolution: Review and potentially separate out-of-scope changes into distinct PRs: NATS/MongoDB/Redis orchestration, RKE2 configuration, kernel updates, and general platform work should be decoupled from the certificate retrieval feature.

Docstring Coverage ⚠️ Warning
Explanation: Docstring coverage is 51.96% which is insufficient. The required threshold is 80.00%.
Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Description Check ✅ Passed
Explanation: Check skipped - CodeRabbit's high-level summary is enabled.

Title check ✅ Passed
Explanation: The title 'feature/SP-7400, swarm-db secure connection' is specific and refers to a real linked issue (SP-7400) and a core aspect of the changeset (swarm-db secure connection via certificates).

Linked Issues check ✅ Passed
Explanation: The PR implements certificate retrieval and persistence for swarm-db connections (SP-7400 objective). Multiple new components support this: pki-authority service setup, certificate extraction in download-sp-swarm-services.sh, PKI configuration scripts, and swarm-db service registration.


@Villain88 Villain88 changed the base branch from main to swarm February 5, 2026 16:01

Copilot AI left a comment


Pull request overview

This PR adds secure connection support for swarm-db by implementing encryption key management and PKI certificate synchronization. The changes introduce a Python-based PKI Authority service orchestration framework to replace the previous shell script implementation, along with enhanced security features including encrypted memberlist communication.

Changes:

  • Implemented PKI Authority service with init, sync, and configuration components using Python modules
  • Added swarm-db encryption configuration through prepare_swarm_db_config.py script
  • Integrated PKI sync client for certificate and key distribution in swarm environments

Reviewed changes

Copilot reviewed 19 out of 21 changed files in this pull request and generated 2 comments.

Summary per file

  • src/rootfs/files/scripts/setup_runtime_tools.sh: Added python3-venv package to support pki-sync-client npm package installation
  • src/rootfs/files/scripts/prepare_swarm_db_config.py: New script to inject encryption keys into swarm-db configuration
  • src/rootfs/files/scripts/install_sync_client.sh: New installer for @super-protocol/pki-sync-client npm package
  • src/rootfs/files/scripts/install_pccs.sh: Updated SSL key generation and config paths; changed CachingFillMode to LAZY
  • src/rootfs/files/configs/pki-service/systemd/*.service: New systemd service units for PKI Authority initialization, main service, and sync operations
  • src/rootfs/files/configs/pki-service/scripts/*.py: Python modules for PKI container lifecycle management and configuration
  • src/rootfs/files/configs/pki-service/pki-authority.service: Removed old monolithic service file (replaced by modular systemd units)
  • src/rootfs/files/configs/pki-service/create-and-configure-pki.sh: Removed bash script (replaced by pki_init.py and pki_configure.py)
  • src/rootfs/files/configs/pki-service/lxc-template.yaml: Removed old template (replaced by lxc-swarm-template.yaml)
  • src/rootfs/files/configs/pki-service/conf/*.yaml: New configuration templates for swarm mode and PKI sync client
  • src/rootfs/files/configs/etc/systemd/system/swarm-db.service: Added dependency on PKI Authority and encryption key preparation step
  • src/repos/swarm-db: Updated subproject commit to version with encryption support
  • src/Dockerfile: Reorganized PKI service installation with new directory structure and added pki-sync-client
Comments suppressed due to low confidence (1)

src/rootfs/files/scripts/install_pccs.sh:22

  • Corrected spelling of 'loggggging' to 'logging'.
# init loggggging;

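Worked example, added here for readers of this PR page; it is not the PR's prepare_swarm_db_config.py and not swarm-db project code. The review above says the new script "injects encryption keys into swarm-db configuration" and that memberlist communication is now encrypted, but not how the key is handled. The block below shows the handling a reviewer would want to see in such a step: the key is created once from a CSPRNG and reused on every later run (so restarts and re-provisioning stay idempotent and all nodes that share the key file agree), it is stored with mode 0600, it is decoded and length-checked before use, and the config is written atomically so a crash mid-write can never leave swarm-db starting with a half-written or key-less config. Assumptions for illustration only: the config is JSON, the key lives under memberlist.secret_key as a base64-encoded 16/24/32-byte AES key (the HashiCorp-memberlist convention), the gossip_verify_* knobs exist, and the file paths are placeholders.

```python
"""Added example (not the PR's prepare_swarm_db_config.py): generate a
memberlist encryption key once, persist it with tight permissions, and
inject it into a swarm-db config file atomically.

Assumed for this example: JSON config, a top-level "memberlist" object
holding "secret_key" (base64, HashiCorp-memberlist style AES key), and
the gossip_verify_* settings.  The real swarm-db layout may differ.
"""
import base64
import json
import os
import secrets
import tempfile

MEMBERLIST_KEY_BYTES = 32          # assumed: AES-256 key
VALID_KEY_LENGTHS = (16, 24, 32)   # AES-128 / AES-192 / AES-256


def generate_key() -> str:
    """Return a fresh CSPRNG-derived key as standard base64 text."""
    return base64.b64encode(secrets.token_bytes(MEMBERLIST_KEY_BYTES)).decode("ascii")


def validate_key(key_b64: str) -> bytes:
    """Decode a base64 key and enforce an AES key length; raise ValueError otherwise.

    Fail closed: a malformed key must never be written into the config,
    because the node would then start without (or with a broken) encryption.
    """
    try:
        raw = base64.b64decode(key_b64, validate=True)   # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("memberlist key is not valid base64") from exc
    if len(raw) not in VALID_KEY_LENGTHS:
        raise ValueError(f"memberlist key must be 16/24/32 bytes, got {len(raw)}")
    return raw


def load_or_create_key(key_path: str) -> str:
    """Reuse an existing key (idempotent across restarts); create it 0600 on first run."""
    try:
        with open(key_path, "r", encoding="ascii") as fh:
            key = fh.read().strip()
        validate_key(key)          # an existing but corrupt key file aborts, it is not replaced
        return key
    except FileNotFoundError:
        pass
    key = generate_key()
    # O_EXCL: never clobber a key that appeared between the read and the create.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(key + "\n")
    return key


def inject_key(config: dict, key_b64: str) -> dict:
    """Return a copy of the config with the memberlist key set; the input is not mutated."""
    validate_key(key_b64)
    out = json.loads(json.dumps(config))          # deep copy of a JSON-shaped dict
    memberlist = out.setdefault("memberlist", {})
    memberlist["secret_key"] = key_b64
    memberlist["gossip_verify_incoming"] = True   # assumed knobs: drop unencrypted peers
    memberlist["gossip_verify_outgoing"] = True
    return out


def write_config_atomically(config: dict, config_path: str) -> None:
    """Write to a temp file in the same directory, fsync, then rename over the target."""
    directory = os.path.dirname(os.path.abspath(config_path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".swarm-db.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o600)                      # the config now carries a secret
        os.replace(tmp, config_path)              # atomic on POSIX
    except BaseException:
        os.unlink(tmp)
        raise


def prepare_swarm_db_config(config_path: str, key_path: str) -> dict:
    """End to end: read the config (or start empty), ensure a key, inject it, write it."""
    try:
        with open(config_path, "r", encoding="utf-8") as fh:
            config = json.load(fh)
    except FileNotFoundError:
        config = {}
    key = load_or_create_key(key_path)
    updated = inject_key(config, key)
    write_config_atomically(updated, config_path)
    return updated


if __name__ == "__main__":
    import sys
    cfg = prepare_swarm_db_config(sys.argv[1], sys.argv[2])   # paths are placeholders
    print("memberlist key injected:", len(validate_key(cfg["memberlist"]["secret_key"])), "bytes")
```

Invoked as `python3 prepare_swarm_db_config_example.py /etc/swarm-db/config.json /etc/swarm-db/memberlist.key` before swarm-db starts (the review says the unit gained a key preparation step; using ExecStartPre= for it is an assumption, as are the paths). Two design points: the key file, not the config, is the source of truth, so a regenerated config cannot silently rotate the key and split the cluster; and an existing but invalid key file makes the step fail rather than quietly minting a new key, which would do the same.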
