torc 0.23.0

Workflow management system
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166

# TLS/HTTPS Configuration

When the Torc server uses HTTPS — either directly or behind a reverse proxy with an internal CA —
clients need to know which CA certificate to trust. This page shows how to configure that.

## Quick Setup

Most HPC users only need to do this once.

### Step 1: Get the CA Certificate

Ask your system administrator for the PEM-encoded CA certificate file used by the Torc server. It
typically lives on a shared filesystem, e.g., `/shared/certs/corporate-ca.pem`.

### Step 2: Generate a Config File

```bash
torc config init --user
```

This creates `~/.config/torc/config.toml` with all available settings and defaults.

### Step 3: Edit the Config File

Open `~/.config/torc/config.toml` and set the server URL and CA certificate path:

```toml
[client]
api_url = "https://torc.hpc.nrel.gov:8080/torc-service/v1"

[client.tls]
ca_cert = "/shared/certs/corporate-ca.pem"
```

### Step 4: Verify

```bash
torc workflows list
```

If the connection succeeds, you're done. All Torc components — CLI, TUI, job runners, MCP server,
and dashboard — use these settings automatically.

## Slurm / HPC

When you submit a workflow with `torc slurm generate` + `torc submit`, TLS settings from your config
file (or CLI flags) are automatically propagated as CLI flags on the `torc-slurm-job-runner` command
that runs on compute nodes. No extra environment variable setup is needed.

The only requirement is that the CA certificate file must be on a **shared filesystem** accessible
from all compute nodes.

```bash
# Your config file handles TLS — just submit as normal
torc slurm generate --account myproject workflow.yaml && torc submit workflow.yaml
```

## Advanced Configuration

### CLI Flags

You can override config file settings on any command:

```bash
torc --url https://torc.hpc.nrel.gov:8080/torc-service/v1 \
     --tls-ca-cert /path/to/ca.pem \
     workflows list
```

### Environment Variables

```bash
export TORC_API_URL=https://torc.hpc.nrel.gov:8080/torc-service/v1
export TORC_TLS_CA_CERT=/path/to/ca.pem

torc workflows list
```

### Priority Order

Settings are resolved from highest to lowest priority:

1. CLI flags (`--tls-ca-cert`, `--tls-insecure`)
2. Environment variables (`TORC_TLS_CA_CERT`, `TORC_TLS_INSECURE`)
3. Project config (`./torc.toml`)
4. User config (`~/.config/torc/config.toml`)
5. System config (`/etc/torc/config.toml`)
6. Built-in defaults

### Insecure Mode (Development Only)

For local development with self-signed certificates, you can skip verification:

```bash
torc --url https://localhost:8443/torc-service/v1 \
     --tls-insecure \
     workflows list
```

> **Warning:** Never use `--tls-insecure` in production. It disables all certificate verification,
> making connections vulnerable to man-in-the-middle attacks.

### Programmatic Access (Rust)

```rust
use std::path::PathBuf;
use torc::client::apis::configuration::{Configuration, TlsConfig};

let tls = TlsConfig {
    ca_cert_path: Some(PathBuf::from("/path/to/ca.pem")),
    insecure: false,
};
let mut config = Configuration::with_tls(tls);
config.base_path =
    "https://torc.hpc.nrel.gov:8080/torc-service/v1".to_string();
```

## Troubleshooting

### "certificate verify failed" or "unable to get local issuer certificate"

The client cannot verify the server's certificate chain. Provide the CA certificate:

```bash
torc --tls-ca-cert /path/to/ca.pem workflows list
```

If you don't have the CA certificate, ask your system administrator. Common locations:

```bash
# RHEL / CentOS / Fedora
ls /etc/pki/tls/certs/

# Ubuntu / Debian
ls /etc/ssl/certs/
```

### Connection Refused with HTTPS URL

Verify the server is actually listening on HTTPS. If the server runs HTTP behind a reverse proxy,
check that the proxy is configured and the URL is correct.

### TLS Not Working on Compute Nodes

1. Confirm the CA certificate path is on a shared filesystem visible to compute nodes
2. Check that your config file or CLI flags are set before submitting the workflow

## Reference

| CLI Flag               | Environment Variable | Config Key            | Description                     |
| ---------------------- | -------------------- | --------------------- | ------------------------------- |
| `--tls-ca-cert <PATH>` | `TORC_TLS_CA_CERT`   | `client.tls.ca_cert`  | PEM-encoded CA certificate path |
| `--tls-insecure`       | `TORC_TLS_INSECURE`  | `client.tls.insecure` | Skip certificate verification   |
| `--url <URL>`          | `TORC_API_URL`       | `client.api_url`      | Torc server URL                 |

### Certificate Requirements

- **Format:** PEM-encoded (Base64 ASCII, begins with `-----BEGIN CERTIFICATE-----`)
- **Type:** CA certificate (not the server's leaf certificate)

## See Also

- [Authentication](./authentication.md) — Setting up user authentication
- [Security Reference](./security.md) — Security best practices and threat model
- [Server Deployment](./server-deployment.md) — Deploying the Torc server
- [Configuration Reference](../../core/reference/configuration.md) — All configuration options