deploy(gx10): restore DeviceManagement agent heartbeat auth

This commit is contained in:
Robot
2026-06-19 00:22:31 -05:00
parent 0eda4362ce
commit 14d89ba49d
2 changed files with 26 additions and 4 deletions

@@ -15,6 +15,7 @@ values to clear readiness checks.
| --- | --- | | --- | --- |
| `DEVICE_MANAGEMENT_OPERATOR_API_KEY` | Required operator API key for authenticated REST/MCP write operations, including Android command queueing. | | `DEVICE_MANAGEMENT_OPERATOR_API_KEY` | Required operator API key for authenticated REST/MCP write operations, including Android command queueing. |
| `DEVICE_MANAGEMENT_ADMIN_API_KEY` | Required admin API key for privileged DeviceManagement operations. | | `DEVICE_MANAGEMENT_ADMIN_API_KEY` | Required admin API key for privileged DeviceManagement operations. |
| `DEVICE_MANAGEMENT_AGENT_API_KEY` | Required scoped agent credential for REST agent callbacks when TLS terminates before Kestrel; maps to `Auth:AgentApiKey` and `FlowerCore:Auth:AgentApiKey`. |
| `NANOHUB_API_KEY` | NanoHUB API password for HTTP Basic user `nanohub`. | | `NANOHUB_API_KEY` | NanoHUB API password for HTTP Basic user `nanohub`. |
| `APPLE_MDM_APNS_TOPIC` | MDM APNs topic returned after uploading the Apple MDM push certificate to NanoHUB/NanoMDM. | | `APPLE_MDM_APNS_TOPIC` | MDM APNs topic returned after uploading the Apple MDM push certificate to NanoHUB/NanoMDM. |
| `APPLE_MDM_SCEP_URL` | Live SCEP URL included in the enrollment profile. | | `APPLE_MDM_SCEP_URL` | Live SCEP URL included in the enrollment profile. |
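Review bot: the new table row names the config paths as `Auth:AgentApiKey` and `FlowerCore:Auth:AgentApiKey` (colon notation), while the prose elsewhere in this document and the deployment manifest use the environment-variable form `Auth__AgentApiKey` / `FlowerCore__Auth__AgentApiKey`; pick one notation so readers can search for the setting. The row also describes the credential as required only "when TLS terminates before Kestrel"; state whether the key must still be present in the runtime secret when TLS reaches Kestrel directly, since the manifest references it unconditionally.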
@@ -32,9 +33,12 @@ managed Wi-Fi encryption type, auto-join, and MAC-randomization disablement.
DeviceManagement auth is enabled on GX10. The deployment maps DeviceManagement auth is enabled on GX10. The deployment maps
`DEVICE_MANAGEMENT_OPERATOR_API_KEY` to both `Auth__ApiKey` and `DEVICE_MANAGEMENT_OPERATOR_API_KEY` to both `Auth__ApiKey` and
`FlowerCore__Auth__ApiKey`; the unprefixed key keeps the MCP API key post-config `FlowerCore__Auth__ApiKey`; the unprefixed key keeps the MCP API key post-config
path aligned with REST auth. Agent enrollment, heartbeat, inventory, command poll, path aligned with REST auth. Agent heartbeat, inventory, command poll, app-catalog,
and command-result callbacks remain on the unauthenticated agent channel by and command-result callbacks use the agent-specific authorization boundary: the
application policy; operator write endpoints must use `X-Api-Key`. server validates a device client certificate when Kestrel receives one, and also
accepts only the scoped `DEVICE_MANAGEMENT_AGENT_API_KEY` via `Authorization:
Bearer` or `X-Agent-Api-Key` when TLS is terminated before the app. Operator write
endpoints must use `X-Api-Key`.
## Readiness Check ## Readiness Check
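Review bot: the sentence "validates a device client certificate when Kestrel receives one, and also accepts only the scoped `DEVICE_MANAGEMENT_AGENT_API_KEY` ... when TLS is terminated before the app" leaves the accepted combinations ambiguous: it does not say whether a valid client certificate alone authorizes the request, whether the scoped key alone does when TLS is terminated upstream, or whether both are checked when both are present. State the accepted combinations explicitly and what happens when neither is supplied. The rewritten list also drops "enrollment" from the callbacks it covers (the old text included it); say which authorization applies to agent enrollment.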

@@ -137,6 +137,24 @@
} }
} }
}, },
{
"name": "Auth__AgentApiKey",
"valueFrom": {
"secretKeyRef": {
"key": "DEVICE_MANAGEMENT_AGENT_API_KEY",
"name": "fc-devicemgmt-runtime"
}
}
},
{
"name": "FlowerCore__Auth__AgentApiKey",
"valueFrom": {
"secretKeyRef": {
"key": "DEVICE_MANAGEMENT_AGENT_API_KEY",
"name": "fc-devicemgmt-runtime"
}
}
},
{ {
"name": "FlowerCore__EventBus__Redis__Configuration", "name": "FlowerCore__EventBus__Redis__Configuration",
"value": "redis.fc-redis.svc:6379" "value": "redis.fc-redis.svc:6379"
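Review bot: both new `secretKeyRef` entries read key `DEVICE_MANAGEMENT_AGENT_API_KEY` from `fc-devicemgmt-runtime` without `optional: true`, so the container will fail to start if that key has not yet been added to the secret. Since this is a new key, confirm the secret is updated before this manifest is applied, or mark the reference optional if the credential is meant to be conditional as the README row suggests, and mention the accompanying secret update in the commit message.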
@@ -295,7 +313,7 @@
"value": "true" "value": "true"
} }
], ],
"image": "localhost/fc-devicemgmt-web:v20260619-agentcert-19befc2", "image": "localhost/fc-devicemgmt-web:v20260619-agentkey-48b20bc",
"imagePullPolicy": "Never", "imagePullPolicy": "Never",
"livenessProbe": { "livenessProbe": {
"failureThreshold": 3, "failureThreshold": 3,
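Review bot: the image tag moves from `v20260619-agentcert-19befc2` to `v20260619-agentkey-48b20bc`, but the short hash `48b20bc` matches neither this commit (`14d89ba49d`) nor its parent (`0eda4362ce`), and with `"imagePullPolicy": "Never"` the image must already be loaded on the node. Record in the commit message which source revision and build produced this image so the tag is traceable and a missing local image is caught before rollout.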