bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity

deploy(gx10): add DeviceManagement agent mTLS route

Browse Source
This commit is contained in:
Robot
2026-06-19 00:51:01 -05:00
parent 14d89ba49d
commit 0d71a789c2
7 changed files with 125 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
apps-gx10/fc-devicemgmt/README.md
View File

@@ -1,7 +1,9 @@
# FlowerCore DeviceManagement on GX10 # FlowerCore DeviceManagement on GX10
This adopted GX10 app hosts `FlowerCore.DeviceManagement.Web` at This adopted GX10 app hosts `FlowerCore.DeviceManagement.Web` at
`https://devices.iamworkin.lan`. `https://devices.iamworkin.lan`. Agent-only REST/SignalR callbacks can use
`https://devices-agent.iamworkin.lan`, which is a separate Traefik router that
requires a TLS client certificate and forwards the presented PEM to the app.
## Apple MDM Runtime Contract ## Apple MDM Runtime Contract
@@ -35,10 +37,18 @@ DeviceManagement auth is enabled on GX10. The deployment maps
`FlowerCore__Auth__ApiKey`; the unprefixed key keeps the MCP API key post-config `FlowerCore__Auth__ApiKey`; the unprefixed key keeps the MCP API key post-config
path aligned with REST auth. Agent heartbeat, inventory, command poll, app-catalog, path aligned with REST auth. Agent heartbeat, inventory, command poll, app-catalog,
and command-result callbacks use the agent-specific authorization boundary: the and command-result callbacks use the agent-specific authorization boundary: the
server validates a device client certificate when Kestrel receives one, and also server validates a direct device client certificate when Kestrel receives one,
accepts only the scoped `DEVICE_MANAGEMENT_AGENT_API_KEY` via `Authorization: validates Traefik-forwarded client certificate PEM only on
Bearer` or `X-Agent-Api-Key` when TLS is terminated before the app. Operator write `devices-agent.iamworkin.lan`, and also accepts only the scoped
endpoints must use `X-Api-Key`. `DEVICE_MANAGEMENT_AGENT_API_KEY` via `Authorization: Bearer` or
`X-Agent-Api-Key` as the fallback path. Operator write endpoints must use
`X-Api-Key`.
The agent-only Traefik route currently uses `RequireAnyClientCert`; the
application remains the authorization boundary by matching the forwarded client
certificate thumbprint to the enrolled device record. Once DeviceManagement
exports a persistent enrollment CA bundle, switch this TLSOption to
`RequireAndVerifyClientCert` with that CA secret.
## Readiness Check ## Readiness Check

18
apps-gx10/fc-devicemgmt/certificate-devicemgmt-agent-tls.json Normal file
View File

@@ -0,0 +1,18 @@
{
"apiVersion": "cert-manager.io/v1",
"kind": "Certificate",
"metadata": {
"name": "fc-devicemgmt-agent-tls",
"namespace": "fc-devicemgmt"
},
"spec": {
"dnsNames": [
"devices-agent.iamworkin.lan"
],
"issuerRef": {
"kind": "ClusterIssuer",
"name": "step-ca-acme"
},
"secretName": "fc-devicemgmt-agent-tls"
}
}

10
apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
View File

@@ -155,6 +155,14 @@
} }
} }
}, },
{
"name": "FlowerCore__DeviceManagement__AgentMtls__ForwardedCertificateHosts__0",
"value": "devices-agent.iamworkin.lan"
},
{
"name": "FlowerCore__DeviceManagement__AgentMtls__ForwardedCertificateHeader",
"value": "X-Forwarded-Tls-Client-Cert"
},
{ {
"name": "FlowerCore__EventBus__Redis__Configuration", "name": "FlowerCore__EventBus__Redis__Configuration",
"value": "redis.fc-redis.svc:6379" "value": "redis.fc-redis.svc:6379"
@@ -313,7 +321,7 @@
"value": "true" "value": "true"
} }
], ],
"image": "localhost/fc-devicemgmt-web:v20260619-agentkey-48b20bc", "image": "localhost/fc-devicemgmt-web:v20260619-agentmtls-3b298d7",
"imagePullPolicy": "Never", "imagePullPolicy": "Never",
"livenessProbe": { "livenessProbe": {
"failureThreshold": 3, "failureThreshold": 3,

42
apps-gx10/fc-devicemgmt/ingressroute-devicemgmt-agent-mtls.json Normal file
View File

@@ -0,0 +1,42 @@
{
"apiVersion": "traefik.io/v1alpha1",
"kind": "IngressRoute",
"metadata": {
"name": "devicemgmt-agent-mtls",
"namespace": "fc-devicemgmt"
},
"spec": {
"entryPoints": [
"websecure"
],
"routes": [
{
"kind": "Rule",
"match": "Host(`devices-agent.iamworkin.lan`)",
"middlewares": [
{
"name": "devicemgmt-agent-strip-forwarded-cert",
"namespace": "fc-devicemgmt"
},
{
"name": "devicemgmt-agent-pass-client-cert",
"namespace": "fc-devicemgmt"
}
],
"services": [
{
"name": "fc-devicemgmt-web",
"port": 80
}
]
}
],
"tls": {
"options": {
"name": "devicemgmt-agent-mtls",
"namespace": "fc-devicemgmt"
},
"secretName": "fc-devicemgmt-agent-tls"
}
}
}

13
apps-gx10/fc-devicemgmt/middleware-devicemgmt-agent-pass-client-cert.json Normal file
View File

@@ -0,0 +1,13 @@
{
"apiVersion": "traefik.io/v1alpha1",
"kind": "Middleware",
"metadata": {
"name": "devicemgmt-agent-pass-client-cert",
"namespace": "fc-devicemgmt"
},
"spec": {
"passTLSClientCert": {
"pem": true
}
}
}

15
apps-gx10/fc-devicemgmt/middleware-devicemgmt-agent-strip-forwarded-cert.json Normal file
View File

@@ -0,0 +1,15 @@
{
"apiVersion": "traefik.io/v1alpha1",
"kind": "Middleware",
"metadata": {
"name": "devicemgmt-agent-strip-forwarded-cert",
"namespace": "fc-devicemgmt"
},
"spec": {
"headers": {
"customRequestHeaders": {
"X-Forwarded-Tls-Client-Cert": ""
}
}
}
}

13
apps-gx10/fc-devicemgmt/tlsoption-devicemgmt-agent-mtls.json Normal file
View File

@@ -0,0 +1,13 @@
{
"apiVersion": "traefik.io/v1alpha1",
"kind": "TLSOption",
"metadata": {
"name": "devicemgmt-agent-mtls",
"namespace": "fc-devicemgmt"
},
"spec": {
"clientAuth": {
"clientAuthType": "RequireAnyClientCert"
}
}
}