FlowerCore SignalControl platform notes
This app owns the cluster web manager at signalcontrol.iamworkin.lan and documents the physical Pi pilot at signal-a.iamworkin.lan / pirelay.
mTLS enrollment pattern
Do not install or restart anything from this repo. The intended pirelay pattern is the Pi-signage step-ca-agent shape:
- stable node identity: pirelay
- local private key and CSR generated on the node
- CSR submitted through the approved DeviceManagement/step-ca enrollment path
- client certificate and chain stored node-local under /etc/flowercore/signalcontrol/mtls/
- daily renewal timer, renewing only when fewer than 30 days remain
- certificate used for DM-agent to DM-web traffic and future SignalControl inter-service calls
Secrets, enrollment codes, private keys, p12 passphrases, and OIDC client secrets stay out of Git.
Telemetry
Monitoring manifests add a dedicated Prometheus job:
- job name: signalcontrol-pi-app
- target: 10.0.58.113:5200
- path: /metrics/prometheus
- labels: instance="pirelay",host="signal-a.iamworkin.lan",service="signalcontrol-pi"
Host metrics continue through the edge-nodes node_exporter target at 10.0.58.113:9100.
Physical-control audit
The app ships with FlowerCore:SignalControl:PhysicalAudit:Enabled=false and ForwardingEnabled=false. Enabling local audit creates a SHA-256 hash chain for physical-control mutations. Forwarding to https://audit.iamworkin.lan/api/v1/audit/signalcontrol requires flipping the forwarding gate separately.
Telemetry reads and /metrics scrapes are not audited.
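Added illustration (not code from this repo) of what the local SHA-256 hash chain buys a reviewer: each physical-control mutation is hashed together with the previous entry's hash, so editing or deleting an entry breaks verification from that point on. The record fields and the canonical-JSON serialisation are assumptions for the example; the app's own on-disk format is not documented here.

```python
import hashlib
import json

# Constructed anchor for the first entry (assumption, not the app's value).
GENESIS = "0" * 64


def _entry_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(chain, record):
    """Append a mutation record, linking it to the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev_hash, "record": record,
             "hash": _entry_hash(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return (ok, index) where index is the first entry that fails, or None."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash:
            return False, i          # link to previous entry is broken
        if entry["hash"] != _entry_hash(prev_hash, entry["record"]):
            return False, i          # entry contents were altered
        prev_hash = entry["hash"]
    return True, None


def demo():
    """Build a small constructed chain, tamper with one entry, re-verify."""
    chain = []
    for seq, state in enumerate(["amber", "red", "green"]):
        # Constructed sample records for the example only.
        append_entry(chain, {"seq": seq, "node": "pirelay",
                             "actor": "operator@example", "state": state})
    ok_before, _ = verify_chain(chain)
    chain[1]["record"]["state"] = "off"   # simulate a post-hoc edit
    ok_after, first_bad = verify_chain(chain)
    return ok_before, ok_after, first_bad


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

Forwarding to the audit endpoint only ships the entries; the chain check above is what lets a receiver notice gaps or rewrites in what arrived.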