skupperproject · ted-ross · Jun 11, 2026 · Jun 12, 2026 · Jun 12, 2026 · Jun 12, 2026
diff --git a/charts/helmfile/resources/db-setup.sql b/charts/helmfile/resources/db-setup.sql
@@ -63,7 +63,7 @@ CREATE TYPE LifecycleType AS ENUM ('partial', 'new', 'skx_cr_created', 'cm_cert_
 --   ready-automatic  The site is ready to be deployed by the automatic process
 --   deployed         The site is deployed and has checked in with the management plane
 --
-CREATE TYPE DeploymentStateType AS ENUM ('not-ready', 'ready-bootstrap', 'ready-bootfinish', 'ready-automatic', 'deployed');
+CREATE TYPE DeploymentStateType AS ENUM ('not-ready', 'ready-bootstrap', 'ready-bootfinish', 'ready-automatic', 'colo-automatic', 'deployed');
 
 --
 -- ApplicationNetworkType
@@ -164,7 +164,7 @@ CREATE TABLE Backbones (
     Name text UNIQUE,
     Lifecycle LifecycleType DEFAULT 'new',
     Failure text,
-    Certificate UUID REFERENCES TlsCertificates,
+    Certificate UUID REFERENCES TlsCertificates ON DELETE CASCADE,
     CoLocatedNamespace text UNIQUE DEFAULT NULL,
     Owner UUID REFERENCES Users,
     OwnerGroup text 
@@ -181,7 +181,7 @@ CREATE TABLE InteriorSites (
     Name text,
     Lifecycle LifecycleType DEFAULT 'new',
     Failure text,
-    Certificate UUID REFERENCES TlsCertificates,
+    Certificate UUID REFERENCES TlsCertificates ON DELETE CASCADE,
     DeploymentState DeploymentStateType DEFAULT 'not-ready',
     TargetPlatform text REFERENCES TargetPlatforms,
 
@@ -192,7 +192,7 @@ CREATE TABLE InteriorSites (
 
     Backbone UUID REFERENCES Backbones,
     CoLocated boolean DEFAULT false,
-    Owner UUID REFERENCES Users,
+    Owner UUID REFERENCES Users,   -- TODO - Remove these.  It doesn't make sense for a site to have a different owner than the backbone
     OwnerGroup text
 );
 

diff --git a/charts/management-server/templates/rbac.yaml b/charts/management-server/templates/rbac.yaml
@@ -109,6 +109,7 @@ rules:
       - networks
       - networkaccesses
       - routeraccesses
+      - listeners
     verbs:
       - get
       - list

diff --git a/components/management-controller/src/api-admin.js b/components/management-controller/src/api-admin.js
@@ -25,7 +25,6 @@ import { SiteIngressChanged, LinkChanged, SiteDeleted } from './sync-management.
 import { Log } from '@skupperx/modules/log'
 import { ManageIngressAdded, LinkAddedOrDeleted, ManageIngressDeleted } from './site-deployment-state.js';
 import { ValidateAndNormalizeFields, IsValidUuid, UniquifyName } from '@skupperx/modules/util';
-import { processColoBackbones } from './colo-sync.js';
 import { NotifyTransaction } from './notify.js';
 
 const API_PREFIX   = '/api/v1alpha1/';
@@ -54,21 +53,9 @@ const createBackbone = async function(req, res) {
                 );
                 backboneId = result.rows[0].id;
                 notify.add('Backbones', backboneId);
-                if (!!norm.coLocatedNamespace) {
-                    const site_result = await client.query(`INSERT INTO InteriorSites(Name, TargetPlatform, CoLocated, Backbone, Owner, OwnerGroup) ` +
-                    `VALUES ('co-located', 'sk2', true, $1, $2, $3) RETURNING Id`,
-                    [backboneId, userInfo.userId, norm.ownerGroup]);
-                    siteId = site_result.rows[0].id;
-                    notify.add('InteriorSites', siteId);
-                    const ap_result = await client.query(`INSERT INTO BackboneAccessPoints(Name, Kind, InteriorSite, Owner, OwnerGroup, AccessType) ` +
-                            `VALUES ('manage', 'manage', $1, $2, $3, 'local') RETURNING Id`,
-                            [siteId, userInfo.userId, norm.ownerGroup]);
-                    notify.add('BackboneAccessPoints', ap_result.rows[0].id);
-                }
             });
             await notify.commit();
             returnStatus = 201;
-            await processColoBackbones();
             res.status(returnStatus).json({id: backboneId});
         } catch (error) {
             returnStatus = 500;
@@ -484,50 +471,20 @@ const deleteBackbone = async function(req, res) {
             if (vanResult.rowCount > 0) {
                 throw new Error('Cannot delete a backbone with active application networks');
             }
-            const siteResult = await client.query("SELECT Id, Certificate, CoLocated FROM InteriorSites WHERE Backbone = $1", [bid]);
-            let coLocatedOnly = false;
-            let siteId = null;
-            let siteCertificate = null;
+            const siteResult = await client.query("SELECT Id, Certificate FROM InteriorSites WHERE Backbone = $1 AND CoLocated = false", [bid]);
             if (siteResult.rowCount > 0) {
-                if (siteResult.rowCount > 1 || !siteResult.rows[0].colocated) {
-                    throw new Error('Cannot delete a backbone with interior sites');
-                }
-                coLocatedOnly = true;
-                siteId = siteResult.rows[0].id;
-                siteCertificate = siteResult.rows[0].certificate;
+                throw new Error('Cannot delete a backbone with interior sites');
             }
-            if (coLocatedOnly) {
-                const apResult = await client.query("SELECT Id, Certificate FROM BackboneAccessPoints WHERE InteriorSite = $1", [siteId]);
-                for (const row of apResult.rows) {
-                    if (row.certificate) {
-                        await client.query("UPDATE BackboneAccessPoints SET Certificate = NULL WHERE Id = $1", [row.id]);
-                        await client.query("DELETE FROM TlsCertificates WHERE Id = $1", [row.certificate]);
-                        // not needed: notify.update('BackboneAccessPoints', row.id);
-                        notify.delete('TlsCertificates', row.certificate);
-                    }
-                    await client.query("DELETE FROM BackboneAccessPoints WHERE Id = $1", [row.id]);
-                    notify.delete('BackboneAccessPoints', row.id);
-                }
-                await client.query("DELETE FROM InteriorSites WHERE Id = $1", [siteId]);
-                notify.delete('InteriorSites', siteId);
-                if (siteCertificate) {
-                    await client.query("DELETE FROM TlsCertificates WHERE Id = $1", [siteCertificate])
-                    notify.delete('TlsCertificates', siteCertificate);
-                }
+            const coloResult = await client.query("DELETE FROM InteriorSites WHERE Backbone = $1 AND CoLocated = true RETURNING Id, Certificate", [bid]);
+            if (coloResult.rowCount == 1) {
+                const colo = coloResult.rows[0];
+                notify.delete('InteriorSites', colo.id);
             }
             const bbResult = await client.query("DELETE FROM Backbones WHERE Id = $1 RETURNING Certificate", [bid]);
             notify.delete('Backbones', bid);
-            if (bbResult.rowCount == 1) {
-                const row = bbResult.rows[0];
-                if (row.certificate) {
-                    await client.query("DELETE FROM TlsCertificates WHERE Id = $1", [row.certificate]);
-                    notify.delete('TlsCertificates', row.certificate);
-                }
-            }
         });
         res.status(returnStatus).end();
         await notify.commit();
-        await processColoBackbones();
     } catch (error) {
         returnStatus = 400;
         res.status(returnStatus).send(error.message);

diff --git a/components/management-controller/src/backbone-links.js b/components/management-controller/src/backbone-links.js
@@ -27,6 +27,7 @@ import { LoadSecret } from '@skupperx/modules/kube'
 import { Log } from '@skupperx/modules/log'
 import { ClientFromPool } from './db.js';
 import { OpenConnection, CloseConnection } from '@skupperx/modules/amqp'
+import { NotifyTransaction, RegisterNotification } from './notify.js';
 
 let controller_name;
 let tls_ca;
@@ -67,8 +68,14 @@ async function deleteConnection(apid) {
     }
 }
 
+async function periodicCheck() {
+    const normal_period  = 30000;
+    const startup_period = 2000;
+    await reconcileBackboneConnections();
+    setTimeout(periodicCheck, !!tls_cert ? normal_period : startup_period);
+}
+
 async function reconcileBackboneConnections() {
-    let reschedule_delay = 30000;
     const client = await ClientFromPool('system');
     try {
         await client.query('BEGIN');
@@ -96,10 +103,8 @@ async function reconcileBackboneConnections() {
     } catch (err) {
         Log(`Rolling back reconcile-backbone-connections transaction: ${err.stack}`);
         await client.query('ROLLBACK');
-        reschedule_delay = 10000;
     } finally {
         client.release();
-        setTimeout(reconcileBackboneConnections, reschedule_delay);
     }
 }
 
@@ -153,17 +158,20 @@ async function resolveTLSData() {
 async function resolveControllerRecord() {
     let reschedule_delay = -1;
     const client = await ClientFromPool('system');
+    const notify = new NotifyTransaction();
     try {
         await client.query('BEGIN');
         const result = await client.query("SELECT * FROM ManagementControllers WHERE Name = $1", [controller_name]);
         if (result.rowCount == 1) {
             setTimeout(resolveTLSData, 0);
         } else {
-            await client.query("INSERT INTO ManagementControllers (Name) VALUES ($1)", [controller_name]);
+            const addResult = await client.query("INSERT INTO ManagementControllers (Name) VALUES ($1) RETURNING Id", [controller_name]);
+            notify.add('ManagementControllers', addResult.rows[0].id);
             setTimeout(resolveTLSData, 1000);
             Log(`No management controller found for '${controller_name}', created new record`);
         }
         await client.query('COMMIT');
+        await notify.commit();
     } catch (err) {
         Log(`Rolling back resolveControllerRecord transaction: ${err.stack}`);
         await client.query('ROLLBACK');
@@ -176,6 +184,12 @@ async function resolveControllerRecord() {
     }
 }
 
+async function onAccessPointChange(action, id) {
+    if ((action == 'DELETE' || action == 'UPDATE') && id in manageConnections) {
+        await reconcileBackboneConnections();
+    }
+}
+
 export async function RegisterHandler(onAdded, onDeleted) {
     for (const [key, value] of Object.entries(manageConnections)) {
         await onAdded(key, value.conn);
@@ -191,4 +205,6 @@ export async function Start(name) {
     Log(`[Backbone-links module starting for controller: ${name}]`);
     controller_name = name;
     await resolveControllerRecord();
+    RegisterNotification('BackboneAccessPoints', onAccessPointChange, false);
+    setTimeout(periodicCheck, 5000);
 }
diff --git a/components/management-controller/src/certs.js b/components/management-controller/src/certs.js
@@ -33,7 +33,7 @@ import { NotifyTransaction, RegisterNotification } from './notify.js';
 //
 // When new management controllers are created, add a certificate request.
 //
-async function onManagementControllersChange(action, tableName, id) {
+async function onManagementControllersChange(action, id) {
     if (action != 'DELETE') {
         const client = await ClientFromPool('system');
         try {
@@ -68,7 +68,7 @@ async function onManagementControllersChange(action, tableName, id) {
 //
 // When new backbones are created, add a certificate request to begin the full setup of the network.
 //
-async function onBackbonesChange(action, tableName, id) {
+async function onBackbonesChange(action, id) {
     const client = await ClientFromPool('system');
     try {  
         await client.query('BEGIN');
@@ -101,7 +101,7 @@ async function onBackbonesChange(action, tableName, id) {
 //
 //
 //
-async function onAccessPointsChange(action, tableName, id) {
+async function onAccessPointsChange(action, id) {
     const client = await ClientFromPool('system');
     try {
         await client.query('BEGIN');
@@ -144,7 +144,7 @@ async function onAccessPointsChange(action, tableName, id) {
 //
 // When new networks are created, add a certificate request to begin the full setup of the network.
 //
-async function onApplicationNetworksChange(action, tableName, id) {
+async function onApplicationNetworksChange(action, id) {
     const client = await ClientFromPool('system');
     const notify = new NotifyTransaction();
     try {
@@ -188,7 +188,7 @@ async function onApplicationNetworksChange(action, tableName, id) {
 //
 // processNewInteriorSites
 //
-async function onInteriorSitesChange(action, tableName, id) {
+async function onInteriorSitesChange(action, id) {
     const client = await ClientFromPool('system');
     const notify = new NotifyTransaction();
     try {
@@ -223,7 +223,7 @@ async function onInteriorSitesChange(action, tableName, id) {
 //
 // processNewInvitations
 //
-const onInvitationsChange = async function(action, tableName, id) {
+const onInvitationsChange = async function(action, id) {
     const client = await ClientFromPool('system');
     const notify = new NotifyTransaction();
     try {
@@ -258,7 +258,7 @@ const onInvitationsChange = async function(action, tableName, id) {
 //
 // processNewMemberSites
 //
-async function onMemberSitesChange(action, tableName, id) {
+async function onMemberSitesChange(action, id) {
     const client = await ClientFromPool('system');
     const notify = new NotifyTransaction();
     try {
@@ -291,7 +291,7 @@ async function onMemberSitesChange(action, tableName, id) {
 }
 
 
-async function onNetworkCredentialsChange(action, tableName, id) {
+async function onNetworkCredentialsChange(action, id) {
     const client = await ClientFromPool('system');
     const notify = new NotifyTransaction();
     try {
@@ -331,7 +331,7 @@ async function onNetworkCredentialsChange(action, tableName, id) {
 //
 // When new networks are created, add a certificate request to begin the full setup of the network.
 //
-async function onCertificateRequestsChange(action, tableName, id) {
+async function onCertificateRequestsChange(action, id) {
     const client = await ClientFromPool('system');
     const notify = new NotifyTransaction();
     try {