bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity
Files
6f12ace02da493996e2c38ad0bcda30146b11efd
bluejay-infra/apps-gx10/fc-apple-mdm
History
Robot f78e6747b4 deploy(apple-mdm): route scep to noc1 ca 
Adds the GX10 /scep route to the noc1 Apple MDM SCEP CA without exposing NanoHUB APIs.
2026-06-18 11:23:00 -05:00
..
fc-apple-mdm.yaml
deploy(apple-mdm): route scep to noc1 ca
2026-06-18 11:23:00 -05:00
kustomization.yaml
deploy(gx10): add NanoHUB Apple MDM workload
2026-06-17 22:45:10 -05:00
README.md
deploy(apple-mdm): route scep to noc1 ca
2026-06-18 11:23:00 -05:00

README.md

FlowerCore Apple MDM on GX10

This directory deploys the NanoHUB v0.2.0 substrate for Apple MDM protocol traffic at https://mdm.iamworkin.lan.

Runtime

  • Namespace: fc-apple-mdm
  • Image: localhost/fc-apple-mdm-nanohub:v0.2.0-20260617
  • Upstream digest: ghcr.io/micromdm/nanohub:latest@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd
  • Persistent state: fc-apple-mdm-data on local-path, mounted at /var/lib/nanohub
  • File backend DSN: /var/lib/nanohub/db
  • Required secret: Secret/fc-apple-mdm-runtime, key NANOHUB_API_KEY
  • Optional later bridge secret: NANOHUB_WEBHOOK_URL
  • Required CA mount: ConfigMap/fc-apple-mdm-root-ca, key root_ca.crt
  • SCEP backend: noc1 systemd service step-ca-apple-mdm-scep, forwarded through selectorless Service/fc-apple-mdm-scep and EndpointSlice/fc-apple-mdm-scep-noc1 to 10.0.56.10:9080

NanoHUB API authentication is HTTP Basic with username nanohub and password from NANOHUB_API_KEY.

Public Surface

The Traefik route intentionally exposes only:

  • /version
  • /mdm
  • /checkin
  • /scep

NanoHUB APIs under /api/v1/* stay cluster-internal for MDM-N1. The DeviceManagement bridge can use the ClusterIP service directly once its NanoHUB client lane lands.

SCEP is backed by the dedicated Apple-MDM-specific RSA step-ca hierarchy on noc1, not by the IAmWorkin ACME CA. The live profile URL is:

https://mdm.iamworkin.lan/scep/apple-mdm-scep

Do not point APPLE_MDM_SCEP_URL at a placeholder URL or at the ECDSA IAmWorkin ACME CA; Smallstep SCEP requires an RSA intermediate/decrypter path.

Deployment Notes

  1. Create or refresh the runtime Kubernetes Secret from the 1Password item FlowerCore Apple MDM Runtime before sync. GX10 does not yet depend on the 1Password operator for this workload.
  2. Import localhost/fc-apple-mdm-nanohub:v0.2.0-20260617 into GX10 containerd before ArgoCD syncs. The deployment uses imagePullPolicy: Never.
  3. Ensure mdm.iamworkin.lan resolves to the GX10 Traefik VIP 10.0.57.202 before cert-manager requests Certificate/fc-apple-mdm-tls.
  4. Prove https://mdm.iamworkin.lan/version after ArgoCD converges.
  5. Prove SCEP CA publication with curl -sk -o /dev/null -w '%{http_code} %{size_download}\n' 'https://mdm.iamworkin.lan/scep/apple-mdm-scep?operation=GetCACert'.

This lane does not create an APNs MDM push certificate, enrollment profile, managed Wi-Fi payload, managed app install, or supervised iPad enrollment. Those remain MDM-N2 through MDM-N8.

Reference in New Issue View Git Blame Copy Permalink