From 14d89ba49d34667a49c40fd0022f65f9d4145e1d Mon Sep 17 00:00:00 2001
From: Robot
Date: Fri, 19 Jun 2026 00:22:31 -0500
Subject: [PATCH] deploy(gx10): restore DeviceManagement agent heartbeat auth
---
 apps-gx10/fc-devicemgmt/README.md | 10 +++++++---
 .../deployment-fc-devicemgmt-web.json | 20 ++++++++++++++++++-
 2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/apps-gx10/fc-devicemgmt/README.md b/apps-gx10/fc-devicemgmt/README.md
index 598197c..245fc18 100644
--- a/apps-gx10/fc-devicemgmt/README.md
+++ b/apps-gx10/fc-devicemgmt/README.md
@@ -15,6 +15,7 @@ values to clear readiness checks.
 | --- | --- |
 | `DEVICE_MANAGEMENT_OPERATOR_API_KEY` | Required operator API key for authenticated REST/MCP write operations, including Android command queueing. |
 | `DEVICE_MANAGEMENT_ADMIN_API_KEY` | Required admin API key for privileged DeviceManagement operations. |
+| `DEVICE_MANAGEMENT_AGENT_API_KEY` | Required scoped agent credential for REST agent callbacks when TLS terminates before Kestrel; maps to `Auth:AgentApiKey` and `FlowerCore:Auth:AgentApiKey`. |
 | `NANOHUB_API_KEY` | NanoHUB API password for HTTP Basic user `nanohub`. |
 | `APPLE_MDM_APNS_TOPIC` | MDM APNs topic returned after uploading the Apple MDM push certificate to NanoHUB/NanoMDM. |
 | `APPLE_MDM_SCEP_URL` | Live SCEP URL included in the enrollment profile. |
@@ -32,9 +33,12 @@ managed Wi-Fi encryption type, auto-join, and MAC-randomization disablement. DeviceManagement auth is enabled on GX10. The deployment maps `DEVICE_MANAGEMENT_OPERATOR_API_KEY` to both `Auth__ApiKey` and `FlowerCore__Auth__ApiKey`; the unprefixed key keeps the MCP API key post-config
-path aligned with REST auth. Agent enrollment, heartbeat, inventory, command poll,
-and command-result callbacks remain on the unauthenticated agent channel by
-application policy; operator write endpoints must use `X-Api-Key`.
+path aligned with REST auth. Agent heartbeat, inventory, command poll, app-catalog,
+and command-result callbacks use the agent-specific authorization boundary: the
+server validates a device client certificate when Kestrel receives one, and also
+accepts only the scoped `DEVICE_MANAGEMENT_AGENT_API_KEY` via `Authorization:
+Bearer` or `X-Agent-Api-Key` when TLS is terminated before the app. Operator write
+endpoints must use `X-Api-Key`.
 ## Readiness Check
diff --git a/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json b/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
index 8eba6b6..fa32d04 100644
--- a/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
+++ b/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
@@ -137,6 +137,24 @@
 }
 }
 },
+ {
+ "name": "Auth__AgentApiKey",
+ "valueFrom": {
+ "secretKeyRef": {
+ "key": "DEVICE_MANAGEMENT_AGENT_API_KEY",
+ "name": "fc-devicemgmt-runtime"
+ }
+ }
+ },
+ {
+ "name": "FlowerCore__Auth__AgentApiKey",
+ "valueFrom": {
+ "secretKeyRef": {
+ "key": "DEVICE_MANAGEMENT_AGENT_API_KEY",
+ "name": "fc-devicemgmt-runtime"
+ }
+ }
+ },
 {
 "name": "FlowerCore__EventBus__Redis__Configuration",
 "value": "redis.fc-redis.svc:6379"
@@ -295,7 +313,7 @@
 "value": "true"
 }
 ],
- "image": "localhost/fc-devicemgmt-web:v20260619-agentcert-19befc2",
+ "image": "localhost/fc-devicemgmt-web:v20260619-agentkey-48b20bc",
 "imagePullPolicy": "Never",
 "livenessProbe": {
 "failureThreshold": 3,
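Review bot: Nothing in the first deployment hunk, or anywhere on the page, guarantees that the `DEVICE_MANAGEMENT_AGENT_API_KEY` value loaded into `Auth__AgentApiKey` and `FlowerCore__Auth__AgentApiKey` differs from the operator key that the README hunk maps into the sibling `Auth__ApiKey`/`FlowerCore__Auth__ApiKey` entries; if an operator copies one value into both secret keys, the "scoped" agent boundary the README describes presumably collapses into operator scope, so the new README table row should state `The value must be distinct from the operator and admin keys.` and a startup check rejecting equal values (not visible here; may already exist in the app) would make that enforceable. Both new `secretKeyRef` entries read the key from `fc-devicemgmt-runtime` without `optional: true`, which is the right fail-closed choice — a missing key stops the pod instead of starting it with an empty agent credential — and should be kept that way if other keys in this secret are ever made optional. The two entries are byte-identical apart from `name`, so any future rotation or rename of the secret key has to be applied to both; since JSON cannot carry a comment, recording that pairing in the README row is the only place to note it. The enclosing `env` array and container object start and end outside the hunk.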