Wire SignalControl platform observability

2026-06-02 02:38:54 -05:00
parent 0307ae16ae
commit 2c8968f5d0
5 changed files with 439 additions and 1 deletions
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -227,6 +227,50 @@ public sealed class FleetManifestLintTests
        violations.Should().BeEmpty();
    }

+    [Fact]
+    public void SignalControlDeployment_MustKeepAuthOffAndStageOidcSecret()
+    {
+        var deployment = Inventory.Documents.Single(document =>
+            document.Kind == "Deployment"
+            && document.Namespace == "fc-signalcontrol"
+            && document.Name == "signalcontrol-web"
+            && document.RelativePath == "fc-signalcontrol/fc-signalcontrol.yaml");
+        var container = deployment.MainContainerMappings().Single(container =>
+            ManifestNodeExtensions.Scalar(container, "name") == "signalcontrol-web");
+
+        EnvValue(container, "Auth__Enabled").Should().Be("false");
+        EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("false");
+        EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
+        EnvSecretName(container, "FlowerCore__Auth__Oidc__Authority").Should().Be("signalcontrol-oidc-client");
+        EnvSecretKey(container, "FlowerCore__Auth__Oidc__Authority").Should().Be("issuer_url");
+        EnvSecretName(container, "FlowerCore__Auth__Oidc__ClientId").Should().Be("signalcontrol-oidc-client");
+        EnvSecretKey(container, "FlowerCore__Auth__Oidc__ClientId").Should().Be("client_id");
+        EnvSecretName(container, "FlowerCore__Auth__Oidc__ClientSecret").Should().Be("signalcontrol-oidc-client");
+        EnvSecretKey(container, "FlowerCore__Auth__Oidc__ClientSecret").Should().Be("client_secret");
+        EnvSecretOptional(container, "FlowerCore__Auth__Oidc__Authority").Should().BeTrue();
+        EnvSecretOptional(container, "FlowerCore__Auth__Oidc__ClientId").Should().BeTrue();
+        EnvSecretOptional(container, "FlowerCore__Auth__Oidc__ClientSecret").Should().BeTrue();
+    }
+
+    [Fact]
+    public void SignalControlDeployment_MustWirePirelayRelayBridgeSecret()
+    {
+        var deployment = Inventory.Documents.Single(document =>
+            document.Kind == "Deployment"
+            && document.Namespace == "fc-signalcontrol"
+            && document.Name == "signalcontrol-web"
+            && document.RelativePath == "fc-signalcontrol/fc-signalcontrol.yaml");
+        var container = deployment.MainContainerMappings().Single(container =>
+            ManifestNodeExtensions.Scalar(container, "name") == "signalcontrol-web");
+
+        EnvValue(container, "TrafficSignal__RelayBridge__Enabled").Should().Be("true");
+        EnvValue(container, "TrafficSignal__RelayBridge__BaseUrl").Should().Be("https://pirelay.iamworkin.lan");
+        EnvSecretName(container, "TrafficSignal__RelayBridge__ApiKey").Should().Be("signalcontrol-pirelay");
+        EnvSecretKey(container, "TrafficSignal__RelayBridge__ApiKey").Should().Be("ApiKey");
+        EnvSecretOptional(container, "TrafficSignal__RelayBridge__ApiKey").Should().BeTrue();
+        EnvValue(container, "LiveStatus__TrafficSignal__BaseAddress").Should().Be("https://signalcontrol.iamworkin.lan");
+    }
+
    [Fact]
    public void GitHubRunnerFleet_MustRegisterRequiredReposAsRepoScopedDeployments()
    {
@@ -424,6 +468,36 @@ public sealed class FleetManifestLintTests
        monitoring.Should().Contain("alert_channel: irc");
    }

+    [Fact]
+    public void Monitoring_MustScrapeSignalControlPiAppAndMountDashboard()
+    {
+        var monitoring = File.ReadAllText(Path.Combine(Inventory.BluejayRoot, "apps", "monitoring", "noc-monitoring.yaml"));
+
+        monitoring.Should().Contain("job_name: \"signalcontrol-pi-app\"");
+        monitoring.Should().Contain("metrics_path: /metrics/prometheus");
+        monitoring.Should().Contain("10.0.58.113:5200");
+        monitoring.Should().Contain("host: \"signal-a.iamworkin.lan\"");
+        monitoring.Should().Contain("mountPath: /var/lib/grafana/dashboards/signalcontrol");
+        monitoring.Should().Contain("name: grafana-dashboard-signalcontrol");
+    }
+
+    [Fact]
+    public void SignalControlGrafanaDashboard_MustCoverAppNodeAndPhysicalControlMetrics()
+    {
+        var dashboard = File.ReadAllText(Path.Combine(
+            Inventory.BluejayRoot,
+            "apps",
+            "monitoring",
+            "grafana-dashboard-signalcontrol.yaml"));
+
+        dashboard.Should().Contain("uid\": \"flowercore-signalcontrol\"");
+        dashboard.Should().Contain("up{job=\\\"signalcontrol-pi-app\\\",instance=\\\"pirelay\\\"}");
+        dashboard.Should().Contain("up{job=\\\"edge-nodes\\\",instance=\\\"pirelay\\\"}");
+        dashboard.Should().Contain("signal_relay_writes_total");
+        dashboard.Should().Contain("signal_schedule_fires_total");
+        dashboard.Should().Contain("signalcontrol_screen_saver_enabled");
+    }
+
    [Fact]
    public void StatefulSets_WithVolumeClaimTemplates_MustDeclareFilesystemDefaults()
    {
@@ -762,6 +836,16 @@ public sealed class FleetManifestLintTests
            : null;
    }

+    private static bool EnvSecretOptional(YamlMappingNode container, string name)
+    {
+        return string.Equals(
+            EnvMapping(container, name) is { } env
+                ? ManifestNodeExtensions.Scalar(env, "valueFrom", "secretKeyRef", "optional")
+                : null,
+            "true",
+            StringComparison.Ordinal);
+    }
+
    private static YamlMappingNode? EnvMapping(YamlMappingNode container, string name)
    {
        return ManifestNodeExtensions.MappingSequence(container, "env")