From 299ce5aeedd392cecad334a869665e2b1b13b163 Mon Sep 17 00:00:00 2001
From: Robot
Date: Fri, 19 Jun 2026 01:58:12 -0500
Subject: [PATCH] deploy(gx10): accept DER agent client cert headers

---
 apps-gx10/fc-devicemgmt/README.md | 7 +++++--
 .../deployment-fc-devicemgmt-web.json | 2 +-
 .../ingressroute-devicemgmt-agent-mtls.json | 4 ----
 ...are-devicemgmt-agent-strip-forwarded-cert.json | 15 ---------------
 4 files changed, 6 insertions(+), 22 deletions(-)
 delete mode 100644 apps-gx10/fc-devicemgmt/middleware-devicemgmt-agent-strip-forwarded-cert.json

diff --git a/apps-gx10/fc-devicemgmt/README.md b/apps-gx10/fc-devicemgmt/README.md
index 424563d..f4c0fc5 100644
--- a/apps-gx10/fc-devicemgmt/README.md
+++ b/apps-gx10/fc-devicemgmt/README.md
@@ -3,7 +3,10 @@
 This adopted GX10 app hosts `FlowerCore.DeviceManagement.Web` at
 `https://devices.iamworkin.lan`. Agent-only REST/SignalR callbacks can use
 `https://devices-agent.iamworkin.lan`, which is a separate Traefik router that
-requires a TLS client certificate and forwards the presented PEM to the app.
+requires a TLS client certificate and forwards the presented certificate to the
+app. Traefik v3.6 currently forwards raw base64 DER in
+`X-Forwarded-Tls-Client-Cert`; the app also accepts URL-escaped PEM for
+compatibility with older/alternate Traefik shapes.
 
 ## Apple MDM Runtime Contract
 
@@ -38,7 +41,7 @@ DeviceManagement auth is enabled on GX10. The deployment maps path
 aligned with REST auth. Agent heartbeat, inventory, command poll, app-catalog,
 and command-result callbacks use the agent-specific authorization boundary: the
 server validates a direct device client certificate when Kestrel receives one,
-validates Traefik-forwarded client certificate PEM only on
+validates Traefik-forwarded client certificates only on
 `devices-agent.iamworkin.lan`, and also accepts only the scoped
 `DEVICE_MANAGEMENT_AGENT_API_KEY` via `Authorization: Bearer` or
 `X-Agent-Api-Key` as the fallback path. Operator write endpoints must use 
diff --git a/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json b/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
index bdd81e7..7f64bf6 100644
--- a/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
+++ b/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
@@ -321,7 +321,7 @@
 "value": "true"
 }
 ],
- "image": "localhost/fc-devicemgmt-web:v20260619-enrollnorm-2376476",
+ "image": "localhost/fc-devicemgmt-web:v20260619-mtlsder-5131f32",
 "imagePullPolicy": "Never",
 "livenessProbe": {
 "failureThreshold": 3,
diff --git a/apps-gx10/fc-devicemgmt/ingressroute-devicemgmt-agent-mtls.json b/apps-gx10/fc-devicemgmt/ingressroute-devicemgmt-agent-mtls.json
index 69307c1..dac6b7d 100644
--- a/apps-gx10/fc-devicemgmt/ingressroute-devicemgmt-agent-mtls.json
+++ b/apps-gx10/fc-devicemgmt/ingressroute-devicemgmt-agent-mtls.json
@@ -14,10 +14,6 @@
 "kind": "Rule",
 "match": "Host(`devices-agent.iamworkin.lan`)",
 "middlewares": [
- {
- "name": "devicemgmt-agent-strip-forwarded-cert",
- "namespace": "fc-devicemgmt"
- },
 {
 "name": "devicemgmt-agent-pass-client-cert",
 "namespace": "fc-devicemgmt"
diff --git a/apps-gx10/fc-devicemgmt/middleware-devicemgmt-agent-strip-forwarded-cert.json b/apps-gx10/fc-devicemgmt/middleware-devicemgmt-agent-strip-forwarded-cert.json
deleted file mode 100644
index 38bf1ec..0000000
--- a/apps-gx10/fc-devicemgmt/middleware-devicemgmt-agent-strip-forwarded-cert.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "apiVersion": "traefik.io/v1alpha1",
- "kind": "Middleware",
- "metadata": {
- "name": "devicemgmt-agent-strip-forwarded-cert",
- "namespace": "fc-devicemgmt"
- },
- "spec": {
- "headers": {
- "customRequestHeaders": {
- "X-Forwarded-Tls-Client-Cert": ""
- }
- }
- }
-}
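Review bot: Dropping `devicemgmt-agent-strip-forwarded-cert` from the `middlewares` list on the devices-agent router removes the step that cleared any client-supplied `X-Forwarded-Tls-Client-Cert` before `devicemgmt-agent-pass-client-cert` populated it, and neither the commit message nor the README hunk explains why that step is no longer needed. Whether this is safe now rests on two things outside this patch: the router's TLS options must require and verify a client certificate on every connection, and the pass-client-cert middleware must overwrite the header from the verified peer certificate rather than only set it when one is present; if either does not hold, an attacker-chosen base64 DER or URL-escaped PEM blob in that header would reach an app that now parses both shapes as a device identity. Please state the justification in the PR description, or keep the strip middleware listed first as cheap defense in depth. This CRD has no comment syntax, so the reasoning belongs in the README's mTLS paragraph, along the lines of `The strip middleware is not needed because the agent router's tlsoption requires a verified client certificate and passTLSClientCert overwrites the forwarded header.`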