# FlowerCore Apple MDM on GX10 This directory deploys the NanoHUB `v0.2.0` substrate for Apple MDM protocol traffic at `https://mdm.iamworkin.lan`. ## Runtime - Namespace: `fc-apple-mdm` - Image: `localhost/fc-apple-mdm-nanohub:v0.2.0-20260617` - Upstream digest: `ghcr.io/micromdm/nanohub:latest@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd` - Persistent state: `fc-apple-mdm-data` on `local-path`, mounted at `/var/lib/nanohub` - File backend DSN: `/var/lib/nanohub/db` - Required secret: `Secret/fc-apple-mdm-runtime`, key `NANOHUB_API_KEY` - Optional later bridge secret: `NANOHUB_WEBHOOK_URL` - Required CA mount: `ConfigMap/fc-apple-mdm-root-ca`, key `root_ca.crt` - SCEP backend: noc1 systemd service `step-ca-apple-mdm-scep`, forwarded through selectorless `Service/fc-apple-mdm-scep` and `EndpointSlice/fc-apple-mdm-scep-noc1` to `10.0.56.10:9080` NanoHUB API authentication is HTTP Basic with username `nanohub` and password from `NANOHUB_API_KEY`. ## Public Surface The Traefik route intentionally exposes only: - `/version` - `/mdm` - `/checkin` - `/scep` NanoHUB APIs under `/api/v1/*` stay cluster-internal for MDM-N1. The DeviceManagement bridge can use the ClusterIP service directly once its NanoHUB client lane lands. SCEP is backed by the dedicated Apple-MDM-specific RSA step-ca hierarchy on noc1, not by the IAmWorkin ACME CA. The live profile URL is: ```text https://mdm.iamworkin.lan/scep/apple-mdm-scep ``` Do not point `APPLE_MDM_SCEP_URL` at a placeholder URL or at the ECDSA IAmWorkin ACME CA; Smallstep SCEP requires an RSA intermediate/decrypter path. ## Deployment Notes 1. Create or refresh the runtime Kubernetes Secret from the 1Password item `FlowerCore Apple MDM Runtime` before sync. GX10 does not yet depend on the 1Password operator for this workload. 2. Import `localhost/fc-apple-mdm-nanohub:v0.2.0-20260617` into GX10 containerd before ArgoCD syncs. The deployment uses `imagePullPolicy: Never`. 3. Ensure `mdm.iamworkin.lan` resolves to the GX10 Traefik VIP `10.0.57.202` before cert-manager requests `Certificate/fc-apple-mdm-tls`. 4. Prove `https://mdm.iamworkin.lan/version` after ArgoCD converges. 5. Prove SCEP CA publication with `curl -sk -o /dev/null -w '%{http_code} %{size_download}\n' 'https://mdm.iamworkin.lan/scep/apple-mdm-scep?operation=GetCACert'`. This lane does not create an APNs MDM push certificate, enrollment profile, managed Wi-Fi payload, managed app install, or supervised iPad enrollment. Those remain MDM-N2 through MDM-N8.