bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity

deploy(gx10): accept DER agent client cert headers

Browse Source
This commit is contained in:
Robot
2026-06-19 01:58:12 -05:00
parent 57a1afe159
commit 299ce5aeed
4 changed files with 6 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
apps-gx10/fc-devicemgmt/README.md
View File

@@ -3,7 +3,10 @@
This adopted GX10 app hosts `FlowerCore.DeviceManagement.Web` at This adopted GX10 app hosts `FlowerCore.DeviceManagement.Web` at
`https://devices.iamworkin.lan`. Agent-only REST/SignalR callbacks can use `https://devices.iamworkin.lan`. Agent-only REST/SignalR callbacks can use
`https://devices-agent.iamworkin.lan`, which is a separate Traefik router that `https://devices-agent.iamworkin.lan`, which is a separate Traefik router that
requires a TLS client certificate and forwards the presented PEM to the app. requires a TLS client certificate and forwards the presented certificate to the
app. Traefik v3.6 currently forwards raw base64 DER in
`X-Forwarded-Tls-Client-Cert`; the app also accepts URL-escaped PEM for
compatibility with older/alternate Traefik shapes.
## Apple MDM Runtime Contract ## Apple MDM Runtime Contract
@@ -38,7 +41,7 @@ DeviceManagement auth is enabled on GX10. The deployment maps
path aligned with REST auth. Agent heartbeat, inventory, command poll, app-catalog, path aligned with REST auth. Agent heartbeat, inventory, command poll, app-catalog,
and command-result callbacks use the agent-specific authorization boundary: the and command-result callbacks use the agent-specific authorization boundary: the
server validates a direct device client certificate when Kestrel receives one, server validates a direct device client certificate when Kestrel receives one,
validates Traefik-forwarded client certificate PEM only on validates Traefik-forwarded client certificates only on
`devices-agent.iamworkin.lan`, and also accepts only the scoped `devices-agent.iamworkin.lan`, and also accepts only the scoped
`DEVICE_MANAGEMENT_AGENT_API_KEY` via `Authorization: Bearer` or `DEVICE_MANAGEMENT_AGENT_API_KEY` via `Authorization: Bearer` or
`X-Agent-Api-Key` as the fallback path. Operator write endpoints must use `X-Agent-Api-Key` as the fallback path. Operator write endpoints must use

2
apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
View File

@@ -321,7 +321,7 @@
"value": "true" "value": "true"
} }
], ],
"image": "localhost/fc-devicemgmt-web:v20260619-enrollnorm-2376476", "image": "localhost/fc-devicemgmt-web:v20260619-mtlsder-5131f32",
"imagePullPolicy": "Never", "imagePullPolicy": "Never",
"livenessProbe": { "livenessProbe": {
"failureThreshold": 3, "failureThreshold": 3,

4
apps-gx10/fc-devicemgmt/ingressroute-devicemgmt-agent-mtls.json
View File

@@ -14,10 +14,6 @@
"kind": "Rule", "kind": "Rule",
"match": "Host(`devices-agent.iamworkin.lan`)", "match": "Host(`devices-agent.iamworkin.lan`)",
"middlewares": [ "middlewares": [
{
"name": "devicemgmt-agent-strip-forwarded-cert",
"namespace": "fc-devicemgmt"
},
{ {
"name": "devicemgmt-agent-pass-client-cert", "name": "devicemgmt-agent-pass-client-cert",
"namespace": "fc-devicemgmt" "namespace": "fc-devicemgmt"

15
apps-gx10/fc-devicemgmt/middleware-devicemgmt-agent-strip-forwarded-cert.json
View File

@@ -1,15 +0,0 @@
{
"apiVersion": "traefik.io/v1alpha1",
"kind": "Middleware",
"metadata": {
"name": "devicemgmt-agent-strip-forwarded-cert",
"namespace": "fc-devicemgmt"
},
"spec": {
"headers": {
"customRequestHeaders": {
"X-Forwarded-Tls-Client-Cert": ""
}
}
}
}