Andrew Stoltz
8a960ffc73
feat(fc-distribution): K8s manifest for Phase 1 edition publisher
...
Adds apps/fc-distribution/{fc-distribution.yaml,kustomization.yaml,README.md}.
Ships the FlowerCore.Distribution service (Blazor + REST + MCP) backed by
Synology NFS for SQLite catalog + content-addressed blob root.
Contents:
- Namespace fc-distribution
- 3x OnePasswordItem (FlowerCore Code Signing CA informational + per-edition
signing keys for kiosk-standard and aistation-field)
- Deployment: localhost/fc-distribution:v202604232000 (already imported to
rke2-server via ctr), pinned to rke2-server nodeSelector because Synology
NFS ACL restricts writes to that node, emptyDir for /tmp + /app/logs,
inline NFS for /data (subPath distribution/data) and /blobs (subPath
distribution/blobs), Secret volume mounts for /signing/<edition>.
readOnlyRootFilesystem + runAsUser 1654 + drop ALL capabilities.
Probes: startup + readiness on /healthz, liveness on tcpSocket (defense
against future auth middleware accidentally gating /healthz).
- Service (ClusterIP :80 -> container :8080)
- Certificate (cert-manager ClusterIssuer step-ca-acme, dist.iamworkin.lan,
90d / 30d renew). pfSense Unbound override dist.iamworkin.lan ->
10.0.56.200 already in place (req'd for HTTP-01).
- IngressRoute (Traefik websecure, Host rule on dist.iamworkin.lan)
Env var keys align with the scaffold:
FlowerCore__Database__ConnectionStrings__Sqlite
FlowerCore__Distribution__Blobs__Root
FlowerCore__Distribution__Signing__EditionCerts__<slug>__{CertPath,KeyPath}
Consumer: ProvisioningAgent (USB-side, Phase 2) — see
FlowerCore.Notes/docs/infrastructure/usb-provisioning-architecture.md.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-23 15:59:50 -05:00
