chore(pairing): FDO feature now enabled by default

Removed env variable PAIRING_ENABLE_FDO used to enable the feature

Removed openbao-init container since no longer needed

Signed-off-by: frossq <francesco.asquini@secomind.com>

Author: frossq

.github/workflows/astarte-end-to-end-test-workflow.yaml

@@ -144,8 +144,6 @@ jobs:
       - name: Initialize keys
         working-directory: .tmp/repos/astarte
         run: astartectl utils gen-keypair test
-      - name: Enable FDO
-        run: echo "PAIRING_ENABLE_FDO=true" >> .tmp/repos/astarte/.env
       - name: Start all Astarte services
         working-directory: .tmp/repos/astarte
         run: docker compose up --no-build --pull missing -d

CHANGELOG.md

@@ -5,7 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## Unreleased
+## [1.4.0] - Unreleased
+
+### Changed
+
+- [astarte_pairing] FDO feature is enabled for all installations, removed environment variable `PAIRING_ENABLE_FDO`.
 
 ## [1.4.0-rc.0] - 2026-04-08
 

apps/astarte_pairing/README.md

@@ -52,8 +52,6 @@ CASSANDRA_NODES=localhost CFSSL_API_URL=http://localhost:8080 mix test
 
 # Test FDO
 
-> The feature is experimental and PAIRING_ENABLE_FDO must be set to true
-
 To test FDO, the manufacturer and Device CA keys are required and
 can be generated from the following tools:
 

apps/astarte_pairing/lib/astarte_pairing/config.ex

@@ -23,8 +23,8 @@ defmodule Astarte.Pairing.Config do
 
   use Skogsra
 
+  alias Astarte.FDO.Config, as: FDOConfig
   alias Astarte.Pairing.CFSSLCredentials
-  alias Astarte.Pairing.Config.BaseURLProtocol
   alias Astarte.Pairing.Config.CQExNodes
   alias Astarte.Secrets.Config, as: SecretsConfig
 
@@ -34,30 +34,6 @@ defmodule Astarte.Pairing.Config do
     type: :binary,
     required: true
 
-  @envdoc """
-  Set this variable to 'true' to enable FDO feature as device authentication mechanism.
-  WARNING: this feature is experimental and is not enabled by default
-  """
-  app_env :enable_fdo, :astarte_pairing, :enable_fdo,
-    os_env: "PAIRING_ENABLE_FDO",
-    type: :boolean,
-    default: false
-
-  @envdoc "The port the ingress is listening on, used for FDO authentication mechanism"
-  app_env :base_url_port, :astarte_pairing, :base_url_port,
-    os_env: "ASTARTE_BASE_URL_PORT",
-    type: :integer
-
-  @envdoc "The protocol the ingress is listening on, used for FDO authentication mechanism"
-  app_env :base_url_protocol, :astarte_pairing, :base_url_protocol,
-    os_env: "ASTARTE_BASE_URL_PROTOCOL",
-    type: BaseURLProtocol
-
-  @envdoc "The astarte base domain, used for FDO authentication mechanism"
-  app_env :base_url_domain, :astarte_pairing, :base_url_domain,
-    os_env: "ASTARTE_BASE_URL_DOMAIN",
-    type: :binary
-
   @envdoc "URL to the running CFSSL instance for device certificate generation."
   app_env :cfssl_url, :astarte_pairing, :cfssl_url,
     os_env: "PAIRING_CFSSL_URL",
@@ -157,16 +133,8 @@ defmodule Astarte.Pairing.Config do
       end
     end
 
-    if enable_fdo!() do
-      # check that all mandatory FDO variables are configured before starting
-      variables_to_check = [:base_url_port, :base_url_protocol, :base_url_domain]
-
-      if !Enum.all?(variables_to_check, &variable_set?(&1)) do
-        raise "FDO feature is enabled but not all its parameters are configured"
-      end
-
-      SecretsConfig.init()
-    end
+    FDOConfig.init!()
+    SecretsConfig.init()
   end
 
   @envdoc """
@@ -200,27 +168,9 @@ defmodule Astarte.Pairing.Config do
   @spec cassandra_node!() :: {String.t(), integer()}
   def cassandra_node!, do: Enum.random(cqex_nodes!())
 
-  def base_url! do
-    protocol = base_url_protocol!()
-    domain = base_url_domain!()
-    port = base_url_port!()
-
-    "#{protocol}://#{domain}:#{port}"
-  end
-
   @doc """
   Returns true if the authentication for the agent is disabled.
   Credential requests made by devices are always authenticated, even it this is true.
   """
   def authentication_disabled?, do: disable_authentication!()
-
-  defp variable_set?(var_name) do
-    case apply(__MODULE__, var_name, []) do
-      {:ok, val} when not is_nil(val) ->
-        true
-
-      _ ->
-        false
-    end
-  end
 end

apps/astarte_pairing/lib/astarte_pairing_web/plug/fdo_gate.ex

@@ -33,10 +33,6 @@ defmodule Astarte.PairingWeb.Router do
     plug Astarte.PairingWeb.Plug.LogHwId
   end
 
-  pipeline :fdo_feature_gate do
-    plug Astarte.PairingWeb.Plug.FDOGate
-  end
-
   pipeline :fdo do
     plug :accepts, ["cbor"]
     plug :put_view, Astarte.PairingWeb.FDOView
@@ -54,8 +50,6 @@ defmodule Astarte.PairingWeb.Router do
   end
 
   scope "/v1/:realm_name/fdo/101", Astarte.PairingWeb do
-    pipe_through :fdo_feature_gate
-
     pipe_through :fdo
 
     post "/msg/60", FDOOnboardingController, :hello_device
@@ -98,8 +92,6 @@ defmodule Astarte.PairingWeb.Router do
     end
 
     scope "/fdo" do
-      pipe_through :fdo_feature_gate
-
       pipe_through :agent_api
 
       post "/owner_keys", OwnerKeyController, :create_or_upload_key
@@ -112,7 +104,6 @@ defmodule Astarte.PairingWeb.Router do
     end
 
     scope "/ownership" do
-      pipe_through :fdo_feature_gate
       pipe_through :agent_api
 
       post "/", OwnershipVoucherController, :create

apps/astarte_pairing/lib/astarte_pairing_web/router.ex

@@ -279,21 +279,4 @@ defmodule Astarte.PairingWeb.FDOOnboardingControllerTest do
       assert {100, id} == assert_cbor_error(conn)
     end
   end
-
-  describe "FDO feature disabled" do
-    setup context do
-      setup_authenticated(context, :hello_device, 60)
-    end
-
-    test "makes the /v1/:realm_name/fdo/101 endpoints return a 404 error", %{
-      conn: conn,
-      create_path: path
-    } do
-      stub(Config, :enable_fdo!, fn -> false end)
-
-      conn
-      |> post(path, CBOR.encode(%{hello: "device"}))
-      |> response(404)
-    end
-  end
 end

apps/astarte_pairing/test/astarte_pairing_web/controllers/fdo_onboarding_controller_test.exs

@@ -175,16 +175,6 @@ defmodule Astarte.PairingWeb.Controllers.OwnerKeyControllerTest do
 
       assert resp_message =~ "has already been imported"
     end
-
-    test "returns a 404 error if FDO feature is disabled", context do
-      %{auth_conn: conn, owner_key_path: path, create_key_payload: payload} = context
-
-      stub(Config, :enable_fdo!, fn -> false end)
-
-      conn
-      |> post(path, payload)
-      |> response(404)
-    end
   end
 
   describe "/fdo/owner_keys listing" do

apps/astarte_pairing/test/astarte_pairing_web/controllers/owner_key_controller_test.exs

@@ -156,16 +156,6 @@ defmodule Astarte.PairingWeb.Controllers.OwnershipVoucherControllerTest do
       |> post(path, @sample_load_params)
       |> response(422)
     end
-
-    test "returns a 404 error if FDO feature is disabled", context do
-      %{auth_conn: conn, register_path: path} = context
-
-      stub(Config, :enable_fdo!, fn -> false end)
-
-      conn
-      |> post(path, @sample_load_params)
-      |> response(404)
-    end
   end
 
   defp register_setup(context) do
@@ -220,16 +210,6 @@ defmodule Astarte.PairingWeb.Controllers.OwnershipVoucherControllerTest do
       |> post(path, %{data: %{}})
       |> response(422)
     end
-
-    test "returns 404 when the FDO feature is disabled", context do
-      %{auth_conn: conn, path: path} = context
-
-      stub(Config, :enable_fdo!, fn -> false end)
-
-      conn
-      |> post(path, %{data: %{"ownership_voucher" => sample_voucher()}})
-      |> response(404)
-    end
   end
 
   describe "list_ownership_vouchers/2" do

apps/astarte_pairing/test/astarte_pairing_web/controllers/ownership_voucher_controller_test.exs

@@ -80,8 +80,6 @@ services:
         condition: service_started
       openbao:
         condition: service_healthy
-      openbao-init:
-        condition: service_completed_successfully
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.astarte-pairing.rule=Host(`api.${DOCKER_COMPOSE_ASTARTE_BASE_DOMAIN}`) && PathPrefix(`/pairing`)"
@@ -239,17 +237,6 @@ services:
       retries: 5
       start_period: 1s
 
-  # additional Bao server to inject runtime configurations in main Bao server
-  openbao-init:
-    image: openbao/openbao:2
-    depends_on:
-      openbao:
-        condition: service_healthy
-    environment:
-      - BAO_ADDR=http://openbao:8200
-      - BAO_TOKEN=${ASTARTE_VAULT_TOKEN}
-    command: bao secrets enable transit
-
   rendezvous:
     image: astarte/go-fdo-server:ade68cda47-20251128
     restart: on-failure