Namespace: fc-apple-mdm
Image: localhost/fc-apple-mdm-nanohub:v0.2.0-20260617
Upstream digest: ghcr.io/micromdm/nanohub:latest@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd
Persistent state: fc-apple-mdm-data on local-path, mounted at /var/lib/nanohub
File backend DSN: /var/lib/nanohub/db
Required secret: Secret/fc-apple-mdm-runtime, key NANOHUB_API_KEY
Optional later bridge secret: NANOHUB_WEBHOOK_URL
Required CA mount: ConfigMap/fc-apple-mdm-root-ca, key root_ca.crt

NanoHUB API authentication is HTTP Basic with username nanohub and password from NANOHUB_API_KEY.

Public Surface

The Traefik route intentionally exposes only:

/version
/mdm
/checkin

NanoHUB APIs under /api/v1/* stay cluster-internal for MDM-N1. The DeviceManagement bridge can use the ClusterIP service directly once its NanoHUB client lane lands.

Deployment Notes

Create or refresh the runtime Kubernetes Secret from the 1Password item FlowerCore Apple MDM Runtime before sync. GX10 does not yet depend on the 1Password operator for this workload.
Import localhost/fc-apple-mdm-nanohub:v0.2.0-20260617 into GX10 containerd before ArgoCD syncs. The deployment uses imagePullPolicy: Never.
Ensure mdm.iamworkin.lan resolves to the GX10 Traefik VIP 10.0.57.202 before cert-manager requests Certificate/fc-apple-mdm-tls.
Prove https://mdm.iamworkin.lan/version after ArgoCD converges.

This lane does not create an APNs MDM push certificate, enrollment profile, SCEP/device identity service, managed Wi-Fi payload, managed app install, or supervised iPad enrollment. Those remain MDM-N2 through MDM-N8.