bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 14 Actions Packages Projects Releases Wiki Activity

feat(infra): route dns preflight through flowercore dns

Browse Source
This commit is contained in:
Andrew Stoltz
2026-04-23 17:03:22 -05:00
parent f9593e494a
commit 407d473b71
4 changed files with 256 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
apps/fc-distribution/README.md
View File

@@ -15,14 +15,28 @@ Root CA` as the trust anchor; per-edition leaf signing material lives in
## Deployment order (do NOT skip / reorder)
### 1. pfSense Unbound DNS — DONE 2026-04-23
### 1. FlowerCore.DNS preflight — VERIFIED 2026-04-23
`dist.iamworkin.lan -> 10.0.56.200` was added to pfSense Unbound out of band.
Verify before push:
`dist.iamworkin.lan` already resolves to `10.0.56.200`, but keep the
FlowerCore.DNS preflight green before push:
```bash
nslookup dist.iamworkin.lan 10.0.56.1 # expect 10.0.56.200
curl -sk "https://dns.iamworkin.lan/api/v1/zones/iamworkin.lan/resolve-preflight?hostname=dist.iamworkin.lan"
# Expect: "resolvable": true
python bluejay-infra/scripts/check-pfsense-dns.py
# Historical filename retained; implementation now calls FlowerCore.DNS
# resolve-preflight instead of raw resolver lookups.
```
If the record ever disappears, recreate it through FlowerCore.DNS before
push/apply:
```bash
curl -sk https://dns.iamworkin.lan/api/v1/servers
curl -sk -X POST https://dns.iamworkin.lan/api/v1/servers/<serverId>/zones/iamworkin.lan/records \
-H "Content-Type: application/json" \
-d '{"name":"dist","type":"A","data":"10.0.56.200","ttl":300}'
```
If this is missing, cert-manager HTTP-01 will silently back off ~2h. See

34
apps/fc-llm-bridge/README.md
View File

@@ -8,10 +8,10 @@ ADR: ADR-088 in [`../../../FlowerCore.Notes/ARCHITECTURE.md`](../../../FlowerCor
## Deployment order (do NOT skip / reorder)
### 1. pfSense Unbound DNS override — REQUIRED FIRST
### 1. FlowerCore.DNS preflight — REQUIRED FIRST
`fc-llm-bridge.iamworkin.lan` is not currently in pfSense Unbound. Verified
with `python bluejay-infra/scripts/check-pfsense-dns.py` at staging time.
`fc-llm-bridge.iamworkin.lan` must keep resolving to `10.0.56.200` through
FlowerCore.DNS before this manifest is applied.
step-ca (the ACME CA on noc1) uses pfSense Unbound (10.0.56.1), **not**
cluster CoreDNS. If you apply this manifest before adding the DNS override,
@@ -19,29 +19,28 @@ cert-manager's HTTP-01 challenge silently fails for ~2h (exponential backoff)
until someone manually runs `kubectl -n fc-llm-bridge delete order <order>`
to bust the cache. See memory `feedback_pfsense_dns_required_for_acme.md`.
From `FlowerCore.Notes`:
Verify the record through the public preflight API:
```bash
# 1. Edit HOSTS list in scripts/pfsense-add-dns-overrides.py, append:
# ("fc-llm-bridge", "10.0.56.200", "cert-manager HTTP-01 target (Traefik VIP)"),
# 2. Source creds + run:
source scripts/credential-helper.sh
export PFSENSE_PASS=$(get_cred "pfSense Admin")
python scripts/pfsense-add-dns-overrides.py
curl -sk "https://dns.iamworkin.lan/api/v1/zones/iamworkin.lan/resolve-preflight?hostname=fc-llm-bridge.iamworkin.lan"
# Expect: "resolvable": true
```
Verify:
```bash
nslookup fc-llm-bridge.iamworkin.lan 10.0.56.1
# Expect: Address: 10.0.56.200
python scripts/check-pfsense-dns.py
# Historical filename retained; implementation now calls FlowerCore.DNS
# resolve-preflight instead of raw resolver lookups.
```
Or run the full pre-merge gate from `bluejay-infra`:
If the record is missing, recreate it through FlowerCore.DNS before pushing:
```bash
python scripts/check-pfsense-dns.py
# Expect: OK fc-llm-bridge.iamworkin.lan -> 10.0.56.200
curl -sk https://dns.iamworkin.lan/api/v1/servers
curl -sk -X POST https://dns.iamworkin.lan/api/v1/servers/<serverId>/zones/iamworkin.lan/records \
-H "Content-Type: application/json" \
-d '{"name":"fc-llm-bridge","type":"A","data":"10.0.56.200","ttl":300}'
```
### 2. Create the `FC LLM Bridge API Keys` 1Password item
@@ -154,8 +153,9 @@ bridge (the design doc describes this split as the preferred approach).
## Current state at staging time (2026-04-23)
- `fc-llm-bridge.iamworkin.lan`NOT in pfSense Unbound (verified via
`nslookup fc-llm-bridge.iamworkin.lan 10.0.56.1`: NXDOMAIN).
- `fc-llm-bridge.iamworkin.lan`public FlowerCore.DNS preflight is now
green and resolves to `10.0.56.200`; keep `python scripts/check-pfsense-dns.py`
green before push.
- `FC LLM Bridge API Keys` — NOT created in 1Password (user action).
- `Claude API Key` — already exists in `IAmWorkin` vault
(`e5tth3y5mp3lhdavg35pxadzca`), also consumed by AiStation and Chat.Web.