Add SignalControl platform telemetry manifests

2026-06-01 22:29:18 -05:00
parent 6c18f69cf2
commit 62f6d8e7d5
4 changed files with 363 additions and 0 deletions
--- a/apps/fc-signalcontrol/README.md
+++ b/apps/fc-signalcontrol/README.md
@@ -0,0 +1,33 @@
+# FlowerCore SignalControl platform notes
+
+This app owns the cluster web manager at `signalcontrol.iamworkin.lan` and documents the physical Pi pilot at `signal-a.iamworkin.lan` / `pirelay`.
+
+## mTLS enrollment pattern
+
+Do not install or restart anything from this repo. The intended pirelay pattern is the Pi-signage step-ca-agent shape:
+
+- stable node identity: `pirelay`
+- local private key and CSR generated on the node
+- CSR submitted through the approved DeviceManagement/step-ca enrollment path
+- client certificate and chain stored node-local under `/etc/flowercore/signalcontrol/mtls/`
+- daily renewal timer, renewing only when fewer than 30 days remain
+- certificate used for DM-agent to DM-web traffic and future SignalControl inter-service calls
+
+Secrets, enrollment codes, private keys, p12 passphrases, and OIDC client secrets stay out of Git.
+
+## Telemetry
+
+Monitoring manifests add a dedicated Prometheus job:
+
+- `signalcontrol-pi-app`
+- target `10.0.58.113:5200`
+- path `/metrics/prometheus`
+- labels `instance="pirelay"`, `host="signal-a.iamworkin.lan"`, `service="signalcontrol-pi"`
+
+Host metrics continue through the `edge-nodes` node_exporter target at `10.0.58.113:9100`.
+
+## Physical-control audit
+
+The app ships with `FlowerCore:SignalControl:PhysicalAudit:Enabled=false` and `ForwardingEnabled=false`. Enabling local audit creates a SHA-256 hash chain for physical-control mutations. Forwarding to `https://audit.iamworkin.lan/api/v1/audit/signalcontrol` requires flipping the forwarding gate separately.
+
+Telemetry reads and `/metrics` scrapes are not audited.