ospab
a7ec878518
feat(enrollment): implement token-based enrollment flow
Changes:
1. ✅ Updated SHA256SUMS with new ostp-server binary
2. ✅ Made oncp-master optional in deploy.sh (two deployment modes)
3. ✅ Added enrollment_token support to ostp-server
4. ✅ Updated config examples with token field
Deployment Modes:
- Mode 1 (Standalone): Connect to existing master with enrollment token
- Mode 2 (Full Stack): Deploy both master + server on one host
ostp-server Enrollment Flow:
1. Admin generates token on master: \oncp-master node token --expiry 60\
2. Node submits enrollment with token in config (psk: 'AUTO')
3. Master validates token (silent drop if invalid - security)
4. Admin approves node: \oncp-master node approve <node-id>\
5. Node receives PSK + IP from 10.X.0.0/16 pool
6. Update config with PSK, restart server
deploy.sh Features:
- Interactive mode selection
- Conditional oncp-master installation
- Automated token generation (full stack mode)
- Enrollment submission (standalone mode)
Config Examples:
- server.json.example: Full stack with local master
- server-enrollment.json.example: Standalone with token
Security:
- Token validation before enrollment acceptance
- Silent drop on invalid token (prevents enumeration)
- One-time use tokens with expiration
- IPAM automatic IP allocation from pool
Documentation:
- Updated README with deployment modes
- Added enrollment workflow explanation
- Security features documented
- CLI examples for both modes