fc-apple-mdm: add NanoHUB GitOps workload

2026-06-17 17:57:17 -05:00
parent 4b58b0ca5f
commit 8ac3557b01
11 changed files with 521 additions and 0 deletions
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -814,6 +814,78 @@ public sealed class FleetManifestLintTests
        ns.FileText.Should().Contain("ArgoCD discovers this directory as Application `infra-fc-devicemgmt`.");
    }

+    [Fact]
+    public void FcAppleMdm_NanoHubWorkloadMustStayPinnedAndInternalApiOnly()
+    {
+        var documents = AppDocuments("fc-apple-mdm");
+
+        documents.Should().Contain(document => document.Kind == "Namespace" && document.Name == "fc-apple-mdm");
+        documents.Should().Contain(document => document.Kind == "OnePasswordItem" && document.Name == "fc-apple-mdm-runtime");
+        documents.Should().NotContain(document => document.Kind == "Secret");
+
+        var item = documents.Single(document => document.Kind == "OnePasswordItem" && document.Name == "fc-apple-mdm-runtime");
+        item.Scalar("spec", "itemPath").Should().Be("vaults/IAmWorkin/items/FlowerCore Apple MDM Runtime");
+
+        var deployment = documents.Single(document => document.Kind == "Deployment" && document.Name == "fc-apple-mdm");
+        deployment.Scalar("spec", "strategy", "type").Should().Be("Recreate");
+        PodAnnotation(deployment, "fc.flowercore.io/healthz-anon").Should().Be("true");
+        PodAnnotation(deployment, "fc.flowercore.io/probe-path").Should().Be("/version");
+        PodAnnotation(deployment, "flowercore.io/audit-trace-id").Should().Be("apple-mdm-nanohub-runtime-trace");
+
+        var container = deployment.MainContainerMappings().Should().ContainSingle().Subject;
+        ManifestNodeExtensions.Scalar(container, "name").Should().Be("nanohub");
+        ManifestNodeExtensions.Scalar(container, "image").Should().Be("localhost/fc-apple-mdm-nanohub:v0.2.0-20260617");
+        ManifestNodeExtensions.Scalar(container, "imagePullPolicy").Should().Be("Never");
+        EnvValue(container, "NANOHUB_LISTEN").Should().Be(":9004");
+        EnvValue(container, "NANOHUB_STORAGE").Should().Be("file");
+        EnvValue(container, "NANOHUB_STORAGE_DSN").Should().Be("/var/lib/nanohub/db");
+        EnvValue(container, "NANOHUB_CHECKIN").Should().Be("true");
+        EnvSecretName(container, "NANOHUB_API_KEY").Should().Be("fc-apple-mdm-runtime");
+        EnvSecretKey(container, "NANOHUB_API_KEY").Should().Be("NANOHUB_API_KEY");
+        EnvSecretName(container, "NANOHUB_WEBHOOK_URL").Should().Be("fc-apple-mdm-runtime");
+        EnvSecretKey(container, "NANOHUB_WEBHOOK_URL").Should().Be("NANOHUB_WEBHOOK_URL");
+        EnvSecretOptional(container, "NANOHUB_WEBHOOK_URL").Should().Be("true");
+        ProbePath(container, "readinessProbe").Should().Be("/version");
+        ProbePath(container, "startupProbe").Should().Be("/version");
+        ProbePath(container, "livenessProbe").Should().Be("/version");
+
+        var certificate = documents.Single(document => document.Kind == "Certificate" && document.Name == "fc-apple-mdm-tls");
+        certificate.Scalar("spec", "issuerRef", "name").Should().Be("step-ca-acme");
+        certificate.Scalar("spec", "issuerRef", "kind").Should().Be("ClusterIssuer");
+        ManifestNodeExtensions.ScalarSequence(certificate.Root, "spec", "dnsNames")
+            .Should()
+            .ContainSingle("mdm.iamworkin.lan");
+
+        var ingress = documents.Single(document => document.Kind == "IngressRoute" && document.Name == "fc-apple-mdm");
+        var match = ingress.MappingSequence("spec", "routes")
+            .Select(route => ManifestNodeExtensions.Scalar(route, "match") ?? string.Empty)
+            .Should()
+            .ContainSingle()
+            .Subject;
+
+        match.Should().Contain("Host(`mdm.iamworkin.lan`)");
+        match.Should().Contain("PathPrefix(`/mdm`)");
+        match.Should().Contain("PathPrefix(`/checkin`)");
+        match.Should().Contain("PathPrefix(`/version`)");
+        match.Should().NotContain("/api/v1", "NanoHUB API access is cluster-internal for MDM-N1");
+
+        var service = documents.Single(document => document.Kind == "Service" && document.Name == "fc-apple-mdm");
+        service.AllScalars().Should().Contain("9004");
+
+        var policy = documents.Single(document => document.Kind == "NetworkPolicy" && document.Name == "fc-apple-mdm-isolation");
+        policy.AllScalars().Should().Contain(new[]
+        {
+            "traefik-system",
+            "fc-devicemgmt",
+            "10.0.56.200/32",
+        });
+        policy.EgressPorts().Should().Contain(new[] { "53", "80", "443", "8080", "8443" });
+
+        documents.Should().NotContain(document => document.AllScalars().Any(value =>
+            value.Contains("micromdm", StringComparison.OrdinalIgnoreCase)
+            || value.Contains("MICROMDM", StringComparison.Ordinal)));
+    }
+
    [Fact]
    public void BroaderHardeningDeployments_MustAnnotateAnonymousHealthProbeIntent()
    {