bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity

deploy(apple-mdm): route scep to noc1 ca

Browse Source 
Adds the GX10 /scep route to the noc1 Apple MDM SCEP CA without exposing NanoHUB APIs.
This commit is contained in:
Robot
2026-06-18 11:23:00 -05:00
parent e543018bdc
commit f78e6747b4
3 changed files with 91 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
tests/bluejay-infra-lint/Gx10AppleMdmNanohubTests.cs
View File

@@ -17,6 +17,8 @@ public sealed class Gx10AppleMdmNanohubTests
Documents.Should().Contain(document => Is(document, "Namespace", "fc-apple-mdm"));
Documents.Should().Contain(document => Is(document, "ConfigMap", "fc-apple-mdm-root-ca"));
Documents.Should().Contain(document => Is(document, "Service", "fc-apple-mdm"));
Documents.Should().Contain(document => Is(document, "Service", "fc-apple-mdm-scep"));
Documents.Should().Contain(document => Is(document, "EndpointSlice", "fc-apple-mdm-scep-noc1"));
Documents.Should().Contain(document => Is(document, "NetworkPolicy", "fc-apple-mdm-netpol"));
Documents.Should().NotContain(document => (document.Scalar("kind") ?? string.Empty) == "Secret");
Documents.Should().NotContain(document => (document.Scalar("kind") ?? string.Empty) == "OnePasswordItem");
@@ -66,16 +68,35 @@ public sealed class Gx10AppleMdmNanohubTests
}
[Fact]
public void Manifest_ExposesOnlyMdmCheckinAndVersionPaths()
public void Manifest_ExposesOnlyMdmCheckinVersionAndScepPaths()
{
var certificate = Single("Certificate", "fc-apple-mdm-tls");
certificate.Scalar("spec", "issuerRef", "name").Should().Be("step-ca-acme");
certificate.Scalar("spec", "issuerRef", "kind").Should().Be("ClusterIssuer");
certificate.ScalarSequence("spec", "dnsNames").Should().ContainSingle("mdm.iamworkin.lan");
var scepService = Single("Service", "fc-apple-mdm-scep");
scepService.Scalar("spec", "type").Should().Be("ClusterIP");
var scepServicePort = scepService.MappingSequence("spec", "ports").Should().ContainSingle().Subject;
scepServicePort.Scalar("name").Should().Be("http");
scepServicePort.Scalar("port").Should().Be("80");
scepServicePort.Scalar("targetPort").Should().Be("9080");
var scepEndpointSlice = Single("EndpointSlice", "fc-apple-mdm-scep-noc1");
scepEndpointSlice.Scalar("addressType").Should().Be("IPv4");
scepEndpointSlice.Scalar("metadata", "labels", "kubernetes.io/service-name").Should().Be("fc-apple-mdm-scep");
var scepEndpoint = scepEndpointSlice.MappingSequence("endpoints").Should().ContainSingle().Subject;
scepEndpoint.ScalarSequence("addresses").Should().ContainSingle("10.0.56.10");
var scepEndpointPort = scepEndpointSlice.MappingSequence("ports").Should().ContainSingle().Subject;
scepEndpointPort.Scalar("name").Should().Be("http");
scepEndpointPort.Scalar("port").Should().Be("9080");
var ingress = Single("IngressRoute", "fc-apple-mdm");
var route = ingress.MappingSequence("spec", "routes").Should().ContainSingle().Subject;
var match = route.Scalar("match");
var routes = ingress.MappingSequence("spec", "routes");
routes.Should().HaveCount(2);
var scepRoute = routes.Single(route => route.Scalar("match")?.Contains("PathPrefix(`/scep`)") == true);
var nanohubRoute = routes.Single(route => route.Scalar("match")?.Contains("PathPrefix(`/mdm`)") == true);
var match = nanohubRoute.Scalar("match");
match.Should().Contain("Host(`mdm.iamworkin.lan`)");
match.Should().Contain("PathPrefix(`/mdm`)");
@@ -83,6 +104,12 @@ public sealed class Gx10AppleMdmNanohubTests
match.Should().Contain("PathPrefix(`/version`)");
match.Should().NotContain("/api/v1");
match.Should().NotContain("PathPrefix(`/api`)");
scepRoute.Scalar("match").Should().Contain("Host(`mdm.iamworkin.lan`)");
scepRoute.Scalar("match").Should().Contain("PathPrefix(`/scep`)");
var scepRouteService = scepRoute.MappingSequence("services").Should().ContainSingle().Subject;
scepRouteService.Scalar("name").Should().Be("fc-apple-mdm-scep");
scepRouteService.Scalar("port").Should().Be("80");
}
[Fact]
@@ -94,6 +121,8 @@ public sealed class Gx10AppleMdmNanohubTests
readme.Should().Contain("Secret/fc-apple-mdm-runtime");
readme.Should().Contain("imagePullPolicy: Never");
readme.Should().Contain("10.0.57.202");
readme.Should().Contain("https://mdm.iamworkin.lan/scep/apple-mdm-scep");
readme.Should().Contain("Smallstep SCEP requires an RSA intermediate");
readme.Should().Contain("does not create an APNs MDM push certificate");
readme.Should().Contain("managed Wi-Fi payload");
}