Skip to content

fix(dhcp-server): make API client certificates configurable#3704

Open
poroh wants to merge 1 commit into
NVIDIA:mainfrom
poroh:dhcp-server-client-cert-paths
Open

fix(dhcp-server): make API client certificates configurable#3704
poroh wants to merge 1 commit into
NVIDIA:mainfrom
poroh:dhcp-server-client-cert-paths

Conversation

@poroh

@poroh poroh commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

The DHCP server currently uses hardcoded /opt/forge certificate paths when calling the Carbide API. This prevents controller mode from running in environments where certificates are mounted elsewhere, including local development.

Add command-line options for the Carbide API root CA, client certificate, and client key. The resolved TLS configuration is created once during startup and reused for DHCP discovery calls. Existing /opt/forge paths remain the defaults, preserving deployed behavior.

The client certificate and key must be provided together to avoid starting with an incomplete mTLS identity.

Related issues

#3366

Type of Change

  • Add - New feature or capability
  • Change - Changes in existing functionality
  • Fix - Bug fixes
  • Remove - Removed features or deprecated functionality
  • Internal - Internal changes (refactoring, tests, docs, etc.)

Breaking Changes

  • This PR contains breaking changes

Testing

  • Unit tests added/updated
  • Integration tests added/updated
  • Manual testing performed
  • No testing required (docs, internal refactor, etc.)

Additional Notes

Existing deployments do not need to specify the new arguments. When omitted, the DHCP server continues using the standard /opt/forge certificate paths.

@poroh
poroh requested a review from a team as a code owner July 18, 2026 01:30
@poroh
poroh marked this pull request as draft July 18, 2026 01:31
@copy-pr-bot

copy-pr-bot Bot commented Jul 18, 2026

Copy link
Copy Markdown

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

@coderabbitai

coderabbitai Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

The DHCP server gains CLI-configurable Forge TLS paths, propagates the resulting client configuration into RPC discovery, uses the configured listen address for UDP sockets, and validates relay response routing and broadcast destinations.

Changes

DHCP configuration flow

Layer / File(s) Summary
CLI and runtime configuration contracts
crates/dhcp-server/src/command_line.rs, crates/dhcp-server/src/main.rs
Adds paired client certificate/key validation, optional root CA configuration, and Forge client configuration storage in Config.
Forge TLS configuration propagation
crates/dhcp-server/src/main.rs, crates/dhcp-server/src/rpc/client.rs
Resolves default or explicit TLS paths during initialization, rejects incomplete credentials, and passes the resulting configuration to ApiConfig.
Network binding and relay response routing
crates/dhcp-server/src/main.rs
Uses listen_addr for UDP socket setup and updates tests for relay response ports and IPv4 broadcast destinations.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Args
  participant init
  participant ApiConfig
  participant ForgeTlsClient
  Args->>init: provide Forge TLS paths
  init->>ApiConfig: create configuration from forge_client_config
  ApiConfig->>ForgeTlsClient: configure TLS client
Loading

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 44.44% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title accurately summarizes the main change: configurable API client certificates for the DHCP server.
Description check ✅ Passed The description is clearly aligned with the changeset and correctly explains the new TLS configuration behavior.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

Signed-off-by: Dmitry Porokh <dporokh@nvidia.com>
@poroh
poroh force-pushed the dhcp-server-client-cert-paths branch from be013f4 to 8702ad4 Compare July 18, 2026 17:13
@poroh
poroh marked this pull request as ready for review July 18, 2026 17:13

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
crates/dhcp-server/src/command_line.rs (1)

28-40: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Reject port zero for DHCP sockets and relay responses.

Both fields accept 0: listen_addr can bind an ephemeral UDP port, while relay_response_port can route replies to UDP port zero. Since crates/dhcp-server/src/main.rs uses these values for socket binding and packet destinations, this can make the server unreachable or relay replies undeliverable. Reject zero during parsing/config validation and add regression tests for both options.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/dhcp-server/src/command_line.rs` around lines 28 - 40, Reject port
zero for both the listen_addr and relay_response_port CLI options before they
reach socket binding or relay destination construction. Add parsing or
configuration validation that accepts ports 1–65535 while producing clear errors
for zero, and add regression tests covering --listen-addr with port 0 and
--relay-response-port 0.
🧹 Nitpick comments (1)
crates/dhcp-server/src/command_line.rs (1)

111-163: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Make the CLI parser tests table-driven.

This test mixes several input/output/error mappings in one imperative sequence. Refactor the cases into a table (or the repository’s check_cases/scenario helpers), and add the symmetric key-without-certificate case so both credential requirements are covered.

As per coding guidelines, **/*.{rs,toml} requires table-driven tests for mappings to outputs or errors.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/dhcp-server/src/command_line.rs` around lines 111 - 163, Refactor the
dhcp_port_arguments test into table-driven cases covering default values,
overridden ports, TLS credentials, and invalid inputs. Use the repository’s
established check_cases/scenario helper if available, and add the missing
invalid case where --client-key-path is provided without --client-cert-path;
preserve the existing expected outputs and errors.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@crates/dhcp-server/src/command_line.rs`:
- Around line 28-40: Reject port zero for both the listen_addr and
relay_response_port CLI options before they reach socket binding or relay
destination construction. Add parsing or configuration validation that accepts
ports 1–65535 while producing clear errors for zero, and add regression tests
covering --listen-addr with port 0 and --relay-response-port 0.

---

Nitpick comments:
In `@crates/dhcp-server/src/command_line.rs`:
- Around line 111-163: Refactor the dhcp_port_arguments test into table-driven
cases covering default values, overridden ports, TLS credentials, and invalid
inputs. Use the repository’s established check_cases/scenario helper if
available, and add the missing invalid case where --client-key-path is provided
without --client-cert-path; preserve the existing expected outputs and errors.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9ecb5b78-d522-45b9-b2b6-8cc8d4a04256

📥 Commits

Reviewing files that changed from the base of the PR and between be013f4 and 8702ad4.

📒 Files selected for processing (3)
  • crates/dhcp-server/src/command_line.rs
  • crates/dhcp-server/src/main.rs
  • crates/dhcp-server/src/rpc/client.rs
🚧 Files skipped from review as they are similar to previous changes (2)
  • crates/dhcp-server/src/rpc/client.rs
  • crates/dhcp-server/src/main.rs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant