bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity

deploy(gx10): add DeviceManagement enrollment CA runtime

Browse Source
This commit is contained in:
Robot
2026-06-19 06:45:09 -05:00
parent 4c369cc7ec
commit 5ce4f0d1e7
3 changed files with 34 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
apps-gx10/fc-devicemgmt/README.md
View File

@@ -21,6 +21,8 @@ values to clear readiness checks.
| `DEVICE_MANAGEMENT_OPERATOR_API_KEY` | Required operator API key for authenticated REST/MCP write operations, including Android command queueing. | | `DEVICE_MANAGEMENT_OPERATOR_API_KEY` | Required operator API key for authenticated REST/MCP write operations, including Android command queueing. |
| `DEVICE_MANAGEMENT_ADMIN_API_KEY` | Required admin API key for privileged DeviceManagement operations. | | `DEVICE_MANAGEMENT_ADMIN_API_KEY` | Required admin API key for privileged DeviceManagement operations. |
| `DEVICE_MANAGEMENT_AGENT_API_KEY` | Required scoped agent credential for REST agent callbacks when TLS terminates before Kestrel; maps to `Auth:AgentApiKey` and `FlowerCore:Auth:AgentApiKey`. | | `DEVICE_MANAGEMENT_AGENT_API_KEY` | Required scoped agent credential for REST agent callbacks when TLS terminates before Kestrel; maps to `Auth:AgentApiKey` and `FlowerCore:Auth:AgentApiKey`. |
| `DEVICE_MANAGEMENT_ENROLLMENT_CA_CERTIFICATE_PEM` | Optional persistent enrollment CA certificate PEM; maps to `FlowerCore:DeviceManagement:EnrollmentCertificateAuthorityCertificatePem`. Required before ingress can verify agent client-cert chains. |
| `DEVICE_MANAGEMENT_ENROLLMENT_CA_PRIVATE_KEY_PEM` | Optional private key PEM matching the persistent enrollment CA certificate; maps to `FlowerCore:DeviceManagement:EnrollmentCertificateAuthorityPrivateKeyPem`. |
| `NANOHUB_API_KEY` | NanoHUB API password for HTTP Basic user `nanohub`. | | `NANOHUB_API_KEY` | NanoHUB API password for HTTP Basic user `nanohub`. |
| `APPLE_MDM_APNS_TOPIC` | MDM APNs topic returned after uploading the Apple MDM push certificate to NanoHUB/NanoMDM. | | `APPLE_MDM_APNS_TOPIC` | MDM APNs topic returned after uploading the Apple MDM push certificate to NanoHUB/NanoMDM. |
| `APPLE_MDM_SCEP_URL` | Live SCEP URL included in the enrollment profile. | | `APPLE_MDM_SCEP_URL` | Live SCEP URL included in the enrollment profile. |
@@ -49,9 +51,11 @@ validates Traefik-forwarded client certificates only on
The agent-only Traefik route currently uses `RequireAnyClientCert`; the The agent-only Traefik route currently uses `RequireAnyClientCert`; the
application remains the authorization boundary by matching the forwarded client application remains the authorization boundary by matching the forwarded client
certificate thumbprint to the enrolled device record. Once DeviceManagement certificate thumbprint to the enrolled device record. Once
exports a persistent enrollment CA bundle, switch this TLSOption to `DEVICE_MANAGEMENT_ENROLLMENT_CA_CERTIFICATE_PEM` and
`RequireAndVerifyClientCert` with that CA secret. `DEVICE_MANAGEMENT_ENROLLMENT_CA_PRIVATE_KEY_PEM` are present and newly enrolled
agents prove they chain to that CA, create the matching Traefik CA secret and
switch this TLSOption to `RequireAndVerifyClientCert`.
## Readiness Check ## Readiness Check

22
apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
View File

@@ -155,6 +155,26 @@
} }
} }
}, },
{
"name": "FlowerCore__DeviceManagement__EnrollmentCertificateAuthorityCertificatePem",
"valueFrom": {
"secretKeyRef": {
"key": "DEVICE_MANAGEMENT_ENROLLMENT_CA_CERTIFICATE_PEM",
"name": "fc-devicemgmt-runtime",
"optional": true
}
}
},
{
"name": "FlowerCore__DeviceManagement__EnrollmentCertificateAuthorityPrivateKeyPem",
"valueFrom": {
"secretKeyRef": {
"key": "DEVICE_MANAGEMENT_ENROLLMENT_CA_PRIVATE_KEY_PEM",
"name": "fc-devicemgmt-runtime",
"optional": true
}
}
},
{ {
"name": "FlowerCore__DeviceManagement__AgentMtls__ForwardedCertificateHosts__0", "name": "FlowerCore__DeviceManagement__AgentMtls__ForwardedCertificateHosts__0",
"value": "devices-agent.iamworkin.lan" "value": "devices-agent.iamworkin.lan"
@@ -321,7 +341,7 @@
"value": "true" "value": "true"
} }
], ],
"image": "localhost/fc-devicemgmt-web:v20260619-mtlsder-5131f32", "image": "localhost/fc-devicemgmt-web:v20260619-enrollca-c54623d",
"imagePullPolicy": "Never", "imagePullPolicy": "Never",
"livenessProbe": { "livenessProbe": {
"failureThreshold": 3, "failureThreshold": 3,

6
tests/bluejay-infra-lint/FleetManifestLintTests.cs
View File

@@ -1017,6 +1017,12 @@ public sealed class FleetManifestLintTests
JsonEnvSecretName(web, "FlowerCore__Auth__AdminApiKey").Should().Be("fc-devicemgmt-runtime"); JsonEnvSecretName(web, "FlowerCore__Auth__AdminApiKey").Should().Be("fc-devicemgmt-runtime");
JsonEnvSecretKey(web, "FlowerCore__Auth__AdminApiKey").Should().Be("DEVICE_MANAGEMENT_ADMIN_API_KEY"); JsonEnvSecretKey(web, "FlowerCore__Auth__AdminApiKey").Should().Be("DEVICE_MANAGEMENT_ADMIN_API_KEY");
JsonEnvSecretOptional(web, "FlowerCore__Auth__AdminApiKey").Should().BeNull(); JsonEnvSecretOptional(web, "FlowerCore__Auth__AdminApiKey").Should().BeNull();
JsonEnvSecretName(web, "FlowerCore__DeviceManagement__EnrollmentCertificateAuthorityCertificatePem").Should().Be("fc-devicemgmt-runtime");
JsonEnvSecretKey(web, "FlowerCore__DeviceManagement__EnrollmentCertificateAuthorityCertificatePem").Should().Be("DEVICE_MANAGEMENT_ENROLLMENT_CA_CERTIFICATE_PEM");
JsonEnvSecretOptional(web, "FlowerCore__DeviceManagement__EnrollmentCertificateAuthorityCertificatePem").Should().BeTrue();
JsonEnvSecretName(web, "FlowerCore__DeviceManagement__EnrollmentCertificateAuthorityPrivateKeyPem").Should().Be("fc-devicemgmt-runtime");
JsonEnvSecretKey(web, "FlowerCore__DeviceManagement__EnrollmentCertificateAuthorityPrivateKeyPem").Should().Be("DEVICE_MANAGEMENT_ENROLLMENT_CA_PRIVATE_KEY_PEM");
JsonEnvSecretOptional(web, "FlowerCore__DeviceManagement__EnrollmentCertificateAuthorityPrivateKeyPem").Should().BeTrue();
} }
[Fact] [Fact]