NMS-19640: Sentinel: Investigate if its possible to move away from Confd

[mershad-manesh]

All Contributors

• Have you read our Contribution Guidelines?
• Have you (electronically) signed the OpenNMS Contributor Agreement?

External References

• Jira (Issue Tracker): https://opennms.atlassian.net/browse/NMS-19640

[Copilot]

Pull request overview

This PR removes Sentinel’s dependency on confd-based templating and shifts container configuration toward environment-variable-driven configuration and static config overlays, aligning with NMS-19640’s goal of moving away from confd.

Changes:

• Add default Sentinel .cfg files (Kafka IPC + Elasticsearch flows persistence) that can be driven by environment variables.
• Update entrypoint.sh to write selected environment variables into Sentinel config files and to manage IPC feature boot templates.
• Remove confd assets from the Sentinel image build and switch the Dockerfile to copy container-specific etc/ overlays instead.

Reviewed changes

Copilot reviewed 27 out of 28 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
opennms-container/sentinel/container-fs/etc/org.opennms.features.flows.persistence.elastic.cfg	Adds default Elastic flows persistence config using ${env:...} substitution.
opennms-container/sentinel/container-fs/etc/org.opennms.core.ipc.sink.kafka.consumer.cfg	Adds default Kafka consumer config using ${env:...} substitution.
opennms-container/sentinel/container-fs/etc/org.opennms.core.ipc.sink.kafka.cfg	Adds default Kafka sink config using ${env:...} substitution.
opennms-container/sentinel/container-fs/etc/featuresBoot.d/templates/sentinel-ipc.boot	Adds a feature boot template for enabling Kafka IPC.
opennms-container/sentinel/container-fs/entrypoint.sh	Replaces confd application with env parsing + config mutation + feature-boot template application.
opennms-container/sentinel/container-fs/confd/templates/*	Removes confd templates previously used to generate configs and features.
opennms-container/sentinel/container-fs/confd/scripts/*	Removes confd helper scripts.
opennms-container/sentinel/container-fs/confd/confd.toml	Removes confd config.
opennms-container/sentinel/container-fs/confd/conf.d/*	Removes confd template definitions.
opennms-container/sentinel/Dockerfile	Stops copying confd into the image and instead overlays container-fs/etc/; also changes the base image tag.

Comments suppressed due to low confidence (1)

opennms-container/sentinel/container-fs/entrypoint.sh:215

• parseEnvironment and applyFeatureBootTemplates are only invoked inside the if [ ! -f .../etc/configured ] branch. If /opt/sentinel/etc is persisted (volume) and the container restarts, environment-driven config changes (Kafka/Elasticsearch/OPENNMS_INSTANCE_ID/SENTINEL_IPC) will no longer be applied. Consider running these steps on every start (or at least when the relevant env vars are present), not only on first-time initialization.

    if [ ! -f ${SENTINEL_HOME}/etc/configured ]; then
        # Create SSH Key-Pair to use with the Karaf Shell
        mkdir -p "${SENTINEL_HOME}/.ssh" && \
            chmod 700 "${SENTINEL_HOME}/.ssh" && \
            ssh-keygen -t rsa -f "${SENTINEL_HOME}/.ssh/id_rsa" -q -N "" && \
            echo "sentinel=$(cat "${SENTINEL_HOME}/.ssh/id_rsa.pub" | awk '{print $2}'),viewer" > "${SENTINEL_HOME}/etc/keys.properties" && \
            echo "_g_\\:admingroup = group,admin,manager,viewer,systembundles,ssh" >> "${SENTINEL_HOME}/etc/keys.properties" && \
            chmod 600 "${SENTINEL_HOME}/.ssh/id_rsa"

        # Expose Karaf Shell
        sed -i "/^sshHost/s/=.*/= 0.0.0.0/" ${SENTINEL_HOME}/etc/org.apache.karaf.shell.cfg

        # Expose the RMI registry and server
        sed -i "/^rmiRegistryHost/s/=.*/= 0.0.0.0/" ${SENTINEL_HOME}/etc/org.apache.karaf.management.cfg
        sed -i "/^rmiServerHost/s/=.*/= 0.0.0.0/" ${SENTINEL_HOME}/etc/org.apache.karaf.management.cfg

        # Set Sentinel location and connection to OpenNMS instance
        SENTINEL_CONFIG=${SENTINEL_HOME}/etc/org.opennms.sentinel.controller.cfg
        echo "location = ${SENTINEL_LOCATION}" > ${SENTINEL_CONFIG}
        echo "id = ${SENTINEL_ID:=$(uuidgen)}" >> ${SENTINEL_CONFIG}
        echo "broker-url = ${OPENNMS_BROKER_URL}" >> ${SENTINEL_CONFIG}

        # Configure datasource
        DB_CONFIG=${SENTINEL_HOME}/etc/org.opennms.netmgt.distributed.datasource.cfg
        echo "datasource.url = jdbc:postgresql://${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}" > ${DB_CONFIG}
        echo "datasource.username = ${POSTGRES_USER}" >> ${DB_CONFIG}
        echo "datasource.password = ${POSTGRES_PASSWORD}" >> ${DB_CONFIG}
        echo "datasource.databaseName = ${POSTGRES_DB}" >> ${DB_CONFIG}

        parseEnvironment
        applyFeatureBootTemplates

        # Mark as configured
        echo "Configured $(date)" > ${SENTINEL_HOME}/etc/configured
    else
        echo "OpenNMS Sentinel is already configured, skipped."
    fi

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

parseEnvironment mutates IFS globally and never restores it. Because this runs before applyKarafDebugLogging, it can break later word-splitting (e.g., the for log in $(...) loop that relies on space splitting). Make IFS a local variable (e.g., local IFS=$'\n') or restore it before returning.

[Copilot]

applyFeatureBootTemplates only removes sentinel-ipc.boot. If users upgrade with a persisted /opt/sentinel/etc from the prior confd-based image, the old featuresBoot.d/ipc-strategy.boot file may still exist and continue to control IPC features unexpectedly. Consider also removing/overwriting the legacy ipc-strategy.boot (and any other confd-managed boot files) as part of this migration.

[Copilot]

This changes the Sentinel base image tag from ubi9-3.6.5.b357-jre-21 to ubi9-3.6.3.b335-jre-21, which looks like an unrelated downgrade (and diverges from the Minion/Core Dockerfiles still using 3.6.5). If intentional, it should be justified; otherwise, keep the base image version consistent to avoid missing security fixes and subtle runtime differences.

Suggested change

	ARG BASE_IMAGE="opennms/deploy-base:ubi9-3.6.3.b357-jre-21"
	ARG BASE_IMAGE="opennms/deploy-base:ubi9-3.6.5.b357-jre-21"

[Copilot]

The ERR trap message uses ${LINENO}, which will report the line number inside the trap handler rather than the line that failed. This can be misleading during troubleshooting; consider including $BASH_COMMAND and ${BASH_LINENO[0]} (or similar) to accurately report the failing command/line.

Suggested change

	trap 'rc=$?; echo "[Startup][ERROR] entrypoint failed at line ${LINENO} (exit=${rc})"; exit ${rc}' ERR
	trap 'rc=$?; cmd=$BASH_COMMAND; line=${BASH_LINENO[0]}; echo "[Startup][ERROR] entrypoint failed at line ${line}: ${cmd} (exit=${rc})"; exit ${rc}' ERR

[Copilot]

updateConfig uses grep -E/sed -r patterns with \s*, but \s is not whitespace in ERE (it matches a literal 's'). As a result, keys with spaces/comments may not be detected/replaced correctly and you can end up appending duplicate properties. Use [[:space:]]* (or switch to PCRE with grep -P/sed -E equivalents) for whitespace matching.

Suggested change

	if grep -E -q "^#?\s*$key\s*=" "$file"; then
	sed -r -i "s@^#?\s*$key\s*=.*@$key=$value@g" "$file" #note that no config values may contain an '@' char
	if grep -E -q "^#?[[:space:]]*$key[[:space:]]*=" "$file"; then
	sed -r -i "s@^#?[[:space:]]*$key[[:space:]]*=.*@$key=$value@g" "$file" #note that no config values may contain an '@' char

[Copilot]

updateConfig interpolates $key directly into regexes. Keys like bootstrap.servers contain regex metacharacters (.) so the match/replace can hit unintended lines. Escape $key for regex usage (or avoid regex by using fixed-string matching) before running grep/sed.

Suggested change

	# Omit $value here, in case there is sensitive information
	echo "[Configuring] '$key' in '$file'"
	# If config exists in file, replace it. Otherwise, append to file.
	if grep -E -q "^#?\s*$key\s*=" "$file"; then
	sed -r -i "s@^#?\s*$key\s*=.*@$key=$value@g" "$file" #note that no config values may contain an '@' char
	escaped_key=$(printf '%s' "$key" | sed 's/[][(){}.^$*+?|\\/]/\\&/g')
	# Omit $value here, in case there is sensitive information
	echo "[Configuring] '$key' in '$file'"
	# If config exists in file, replace it. Otherwise, append to file.
	if grep -E -q "^#?\s*$escaped_key\s*=" "$file"; then
	sed -r -i "s@^#?\s*$escaped_key\s*=.*@$key=$value@g" "$file" #note that no config values may contain an '@' char

[Copilot]

updateConfig assumes the target file already exists; with set -eE, grep will fail hard if the file is missing. This is likely for ${SENTINEL_HOME}/etc/custom.system.properties since it isn't added by this image overlay. Ensure the file exists (e.g., create/touch it) before running grep/sed, or have updateConfig create it when absent.