A collection of microservices that comprise the management backend for NVIDIA Bare Metal Manager, exposed as a REST API.
In deployments, NVIDIA Bare Metal Manager REST requires NVIDIA Bare Metal Manager Core to function.
The REST layer can be deployed in the datacenter with Bare Metal Manager Core, or deployed anywhere in the cloud with Site Agent connecting to it from the datacenter. Multiple Bare Metal Manager Cores running in different datacenters can also connect to Bare Metal Manager REST through their respective Site Agents.
View the latest OpenAPI schema on GitHub Pages.
- Go 1.25.4 or later
- Docker 20.10+ with BuildKit enabled
- Make
- Kind (for local deployment)
- kubectl (for local deployment)
- jq (optional, for parsing JSON responses)
```bash
make test
```

Tests require PostgreSQL. The Makefile automatically manages a test container.
Test database configuration:
- Host: `localhost`
- Port: `30432`
- User/Password: `postgres/postgres`
```bash
make kind-reset
```

This command:
- Creates a Kind Kubernetes cluster
- Builds all Docker images
- Deploys all services (PostgreSQL, Temporal, Keycloak, cert-manager, etc.)
- Runs database migrations
- Configures PKI and site-agent
- Deploys a mock Bare Metal Manager Core
Once complete, services are available at:
| Service | URL |
|---|---|
| API | http://localhost:8388 |
| Keycloak | http://localhost:8080 |
| Temporal UI | http://localhost:8233 |
| Adminer (DB UI) | http://localhost:8081 |
Other useful commands:
```bash
make kind-status    # Check pod status
make kind-logs      # Tail API logs
make kind-redeploy  # Rebuild and restart after code changes
make kind-verify    # Run health checks
make kind-down      # Tear down cluster
```

```bash
TOKEN=$(curl -s -X POST "http://localhost:8080/realms/carbide-dev/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=carbide-api" \
  -d "client_secret=carbide-local-secret" \
  -d "grant_type=password" \
  -d "username=admin@example.com" \
  -d "password=adminpassword" | jq -r .access_token)
```

```bash
# Health check
curl -s http://localhost:8388/healthz -H "Authorization: Bearer $TOKEN" | jq .

# Get current tenant (auto-creates on first access)
curl -s "http://localhost:8388/v2/org/test-org/carbide/tenant/current" \
  -H "Authorization: Bearer $TOKEN" | jq .

# List sites
curl -s "http://localhost:8388/v2/org/test-org/carbide/site" \
  -H "Authorization: Bearer $TOKEN" | jq .
```

| Email | Password | Roles |
|---|---|---|
| admin@example.com | adminpassword | FORGE_PROVIDER_ADMIN, FORGE_TENANT_ADMIN |
| testuser@example.com | testpassword | FORGE_TENANT_ADMIN |
| provider@example.com | providerpassword | FORGE_PROVIDER_ADMIN |
All users have the test-org organization assigned.
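
To see what the access token returned by the Keycloak request above carries (user, expiry, role claims) before sending it to the API, its payload can be decoded locally. This is an added example, not code from the project; the function names, the sample token and its claim layout are constructed for illustration, and decoding does not verify the signature.

```shell
#!/usr/bin/env bash
# Added example (not project code): read the claims of an access token locally.
# Decoding only shows what the token says; it does not verify the signature.

# Decode one base64url segment (RFC 4648 section 5): map the URL-safe alphabet
# back to standard base64 and restore the '=' padding that JWTs omit.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
    1) echo "invalid base64url length" >&2; return 1 ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the JSON payload (middle segment) of a compact JWT: header.payload.signature
jwt_payload() {
  local rest
  case $1 in
    *.*.*.*) echo "not a three-part JWT" >&2; return 1 ;;
    *.*.*)   ;;
    *)       echo "not a three-part JWT" >&2; return 1 ;;
  esac
  rest=${1#*.}                  # drop the header segment
  b64url_decode "${rest%%.*}"   # keep only the payload segment
}

# Seconds until the numeric "exp" claim; negative once the token has expired.
# An optional second argument overrides "now" so the check is repeatable.
jwt_seconds_left() {
  local exp
  exp=$(jwt_payload "$1" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] || { echo "no exp claim" >&2; return 1; }
  echo $(( $exp - ${2:-$(date +%s)} ))
}

# Constructed sample token with a placeholder signature, built inline so the
# example runs offline. The claim layout is illustrative, not the API's contract.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_CLAIMS='{"preferred_username":"admin@example.com","exp":1700000300}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "$SAMPLE_CLAIMS").c2ln"

jwt_payload "$SAMPLE_TOKEN"; echo
jwt_seconds_left "$SAMPLE_TOKEN" 1700000000
```

With a token from the local Keycloak realm, `jwt_payload "$TOKEN" | jq .` prints the full claim set.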
```bash
make docker-build
```

Images are tagged with the `localhost:5000` registry and the `latest` tag by default.
```bash
make docker-build IMAGE_REGISTRY=my-registry.example.com/carbide IMAGE_TAG=v1.0.0
```

- Authenticate with your registry:

```bash
# Docker Hub
docker login

# AWS ECR
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com

# Google Container Registry
gcloud auth configure-docker

# Azure Container Registry
az acr login --name myregistry
```

- Build and push:

```bash
REGISTRY=my-registry.example.com/bare-metal-manager-rest
TAG=v1.0.0

make docker-build IMAGE_REGISTRY=$REGISTRY IMAGE_TAG=$TAG

for image in carbide-rest-api carbide-rest-workflow carbide-rest-site-manager carbide-rest-site-agent carbide-rest-db carbide-rest-cert-manager; do
  docker push "$REGISTRY/$image:$TAG"
done
```

| Image | Description |
|---|---|
| carbide-rest-api | Main REST API (port 8388) |
| carbide-rest-workflow | Temporal workflow worker |
| carbide-rest-site-manager | Site management worker |
| carbide-rest-site-agent | On-site agent |
| carbide-rest-db | Database migrations (run to completion) |
| carbide-rest-cert-manager | Native PKI certificate manager |

| Service | Binary | Description |
|---|---|---|
| carbide-rest-api | api | Main REST API server |
| carbide-rest-workflow | workflow | Temporal workflow service |
| carbide-rest-site-manager | sitemgr | Site management service |
| carbide-site-agent | elektra | On-site agent |
| carbide-rest-db | migrations | Database migrations |
| carbide-rest-cert-manager | credsmgr | Native PKI certificate manager |

Supporting modules:
- common - Shared utilities and configurations
- auth - Authentication and authorization
- ipam - IP Address Management
The OpenAPI schema must be updated whenever API endpoints are added or updated. See the instructions in the OpenAPI README.
This project uses pre-commit with TruffleHog for secret detection to prevent accidentally committing sensitive information like API keys, passwords, or tokens.
```bash
# Install pre-commit hooks (first time setup)
make pre-commit-install
```

This will:
- Install `pre-commit` if not already installed
- Install `trufflehog` if not already installed
- Configure git hooks for pre-commit and pre-push
Once installed, TruffleHog automatically scans your changes on every git commit and git push.
To manually run the scan on all files:
```bash
make pre-commit-run
```

Example output:

```
❯ make pre-commit-run
pre-commit run --all-files
[INFO] Initializing environment for https://github.com/trufflesecurity/trufflehog.
TruffleHog Secret Scan...................................................Passed
```

```bash
make pre-commit-update  # Update hooks to latest versions
```

This software is considered experimental and is a preview release. Use at your own risk in production environments. The software is provided "as is" without warranties of any kind. Features, APIs, and configurations may change without notice in future releases. For production deployments, thoroughly test in non-critical environments first.
See LICENSE for details.