deploy(gx10): accept DER agent client cert headers

2026-06-19 01:58:12 -05:00
parent 57a1afe159
commit 299ce5aeed
4 changed files with 6 additions and 22 deletions
--- a/apps-gx10/fc-devicemgmt/README.md
+++ b/apps-gx10/fc-devicemgmt/README.md
@@ -3,7 +3,10 @@
 This adopted GX10 app hosts `FlowerCore.DeviceManagement.Web` at
 `https://devices.iamworkin.lan`. Agent-only REST/SignalR callbacks can use
 `https://devices-agent.iamworkin.lan`, which is a separate Traefik router that
-requires a TLS client certificate and forwards the presented PEM to the app.
+requires a TLS client certificate and forwards the presented certificate to the
+app. Traefik v3.6 currently forwards raw base64 DER in
+`X-Forwarded-Tls-Client-Cert`; the app also accepts URL-escaped PEM for
+compatibility with older/alternate Traefik shapes.

 ## Apple MDM Runtime Contract

@@ -38,7 +41,7 @@ DeviceManagement auth is enabled on GX10. The deployment maps
 path aligned with REST auth. Agent heartbeat, inventory, command poll, app-catalog,
 and command-result callbacks use the agent-specific authorization boundary: the
 server validates a direct device client certificate when Kestrel receives one,
-validates Traefik-forwarded client certificate PEM only on
+validates Traefik-forwarded client certificates only on
 `devices-agent.iamworkin.lan`, and also accepts only the scoped
 `DEVICE_MANAGEMENT_AGENT_API_KEY` via `Authorization: Bearer` or
 `X-Agent-Api-Key` as the fallback path. Operator write endpoints must use
--- a/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
+++ b/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
@@ -321,7 +321,7 @@
                "value": "true"
              }
            ],
-            "image": "localhost/fc-devicemgmt-web:v20260619-enrollnorm-2376476",
+            "image": "localhost/fc-devicemgmt-web:v20260619-mtlsder-5131f32",
            "imagePullPolicy": "Never",
            "livenessProbe": {
              "failureThreshold": 3,
--- a/apps-gx10/fc-devicemgmt/ingressroute-devicemgmt-agent-mtls.json
+++ b/apps-gx10/fc-devicemgmt/ingressroute-devicemgmt-agent-mtls.json
@@ -14,10 +14,6 @@
        "kind": "Rule",
        "match": "Host(`devices-agent.iamworkin.lan`)",
        "middlewares": [
-          {
-            "name": "devicemgmt-agent-strip-forwarded-cert",
-            "namespace": "fc-devicemgmt"
-          },
          {
            "name": "devicemgmt-agent-pass-client-cert",
            "namespace": "fc-devicemgmt"
--- a/apps-gx10/fc-devicemgmt/middleware-devicemgmt-agent-strip-forwarded-cert.json
+++ b/apps-gx10/fc-devicemgmt/middleware-devicemgmt-agent-strip-forwarded-cert.json
@@ -1,15 +0,0 @@
-{
-  "apiVersion": "traefik.io/v1alpha1",
-  "kind": "Middleware",
-  "metadata": {
-    "name": "devicemgmt-agent-strip-forwarded-cert",
-    "namespace": "fc-devicemgmt"
-  },
-  "spec": {
-    "headers": {
-      "customRequestHeaders": {
-        "X-Forwarded-Tls-Client-Cert": ""
-      }
-    }
-  }
-}