Repeatability gap caught during 2026-05-07 morning regroup. The four
fc-desktop NetworkPolicies (desktop-isolation, fc-desktop-default-deny,
remotedesktop-web-isolation, cm-acme-http-solver-allow) were applied via
FlowerCore.RemoteDesktop/scripts/deploy-web.sh `kubectl apply` calls.
That meant a fresh cluster rebuild from bluejay-infra alone would miss
all of them — Browser Lab session isolation, control-plane allow-list,
and HTTP-01 cert renewal would silently fail to come up.
Canonical FC GitOps pattern is for NetworkPolicies to live alongside
other resources in bluejay-infra. Verified by audit: 6 of 11 cluster
NetworkPolicies (agent-zero, edge2-services, monitoring, noc-services,
telephony, voice) already follow this pattern. fc-desktop was the
outlier; selenium-netpol is also unmanaged and tracked separately.
Source-of-truth split (now documented in fc-desktop.yaml):
- bluejay-infra OWNS: Certificate + IngressRoute + all NetworkPolicies.
- FlowerCore.RemoteDesktop scripts/deploy-web.sh OWNS: Deployment +
Service ONLY (because `localhost/fc-desktop:linux-xfce` image refs
require manual ctr import on each node — Deployment in bluejay-infra
would race the image-import step).
Follow-up commits in FlowerCore.RemoteDesktop will:
- Remove the now-duplicate k8s/{networkpolicy,namespace-default-deny,
web-networkpolicy,acme-http01-solver-allow}.yaml files.
- Drop the 3 `kubectl_apply_file` lines from scripts/deploy-web.sh.
The 4 NPs in this commit are byte-for-byte identical to what's running in
the cluster today (verified via kubectl get -o yaml diff). ServerSideApply
in the bluejay-infra ApplicationSet will adopt the existing resources
without recreating them.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
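A check a maintainer could run after this change to confirm that no NetworkPolicy is still owned by an ad-hoc `kubectl apply`, as an added example (not code from bluejay-infra or FlowerCore.RemoteDesktop). It reads a `kubectl get networkpolicy -A -o json` dump, classifies each policy by Argo CD's tracking metadata and the field managers recorded in `managedFields`, and compares a live object against its repo manifest after stripping server-populated fields, which is the `kubectl get -o yaml` diff the commit message describes. Assumed, not taken from the page: Argo CD's default tracking label `app.kubernetes.io/instance`, its `argocd.argoproj.io/tracking-id` annotation, and the `argocd-controller` field manager name; the sample dump, the agent-zero policy name and the selenium namespace are constructed.

```python
"""Audit NetworkPolicy ownership and drift from a kubectl JSON dump.

Added example, not code from bluejay-infra or FlowerCore.RemoteDesktop.
Live usage:  kubectl get networkpolicy -A -o json | python audit_netpol.py -
"""
import json
import sys

# ASSUMPTIONS (not from the commit): Argo CD's default tracking label, its
# annotation-based tracking id, and the field manager it records when it
# applies with ServerSideApply. Adjust to the cluster's Argo CD configuration.
GITOPS_LABEL = "app.kubernetes.io/instance"
GITOPS_ANNOTATION = "argocd.argoproj.io/tracking-id"
GITOPS_MANAGERS = {"argocd-controller"}
# Field managers left behind by ad-hoc `kubectl apply` / `kubectl create`.
ADHOC_MANAGERS = {"kubectl-client-side-apply", "kubectl", "kubectl-create"}
# Server-populated metadata that a repo manifest never carries.
VOLATILE_META = ("managedFields", "resourceVersion", "uid",
                 "creationTimestamp", "generation", "selfLink")
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def ownership(obj):
    """Classify one live object as 'gitops', 'adhoc' or 'unknown'.

    GitOps evidence wins even if an older kubectl manager is still listed,
    because ServerSideApply adoption leaves both managers in managedFields.
    """
    meta = obj.get("metadata", {})
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    managers = {mf.get("manager") for mf in meta.get("managedFields") or []}
    if (GITOPS_LABEL in labels or GITOPS_ANNOTATION in annotations
            or managers & GITOPS_MANAGERS):
        return "gitops"
    if managers & ADHOC_MANAGERS:
        return "adhoc"
    return "unknown"


def audit(dump):
    """Map (namespace, name) -> ownership for every item in a List dump."""
    return {(o["metadata"]["namespace"], o["metadata"]["name"]): ownership(o)
            for o in dump.get("items", [])}


def unmanaged(dump):
    """Sorted policies that a cluster rebuild from the GitOps repo would lose."""
    return sorted(k for k, v in audit(dump).items() if v != "gitops")


def normalize(obj):
    """Strip server-populated fields and GitOps tracking metadata so a live
    object can be compared with its repo manifest."""
    out = json.loads(json.dumps(obj))  # deep copy; never mutate the input
    meta = out.setdefault("metadata", {})
    for key in VOLATILE_META:
        meta.pop(key, None)
    for field, key in (("annotations", LAST_APPLIED),
                       ("annotations", GITOPS_ANNOTATION),
                       ("labels", GITOPS_LABEL)):
        bucket = meta.get(field) or {}
        bucket.pop(key, None)
        if bucket:
            meta[field] = bucket
        else:
            meta.pop(field, None)
    out.pop("status", None)
    return out


def drifted(live, desired):
    """True if the live object no longer matches the manifest in git."""
    return normalize(live) != normalize(desired)


# Constructed sample dump: fc-desktop and selenium-netpol names come from the
# commit message; the agent-zero policy name and selenium namespace are invented.
SAMPLE_DUMP = {"kind": "List", "items": [
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "agent-zero-default-deny", "namespace": "agent-zero",
                  "labels": {GITOPS_LABEL: "agent-zero"},
                  "managedFields": [{"manager": "argocd-controller", "operation": "Apply"}],
                  "resourceVersion": "101", "uid": "00000000-0000-0000-0000-000000000001"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "desktop-isolation", "namespace": "fc-desktop",
                  "annotations": {LAST_APPLIED: "{...}"},
                  "managedFields": [{"manager": "kubectl-client-side-apply", "operation": "Update"}],
                  "resourceVersion": "202", "uid": "00000000-0000-0000-0000-000000000002"},
     "spec": {"podSelector": {"matchLabels": {"app": "fc-desktop"}}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "remotedesktop-web"}}}]}]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "selenium-netpol", "namespace": "selenium",
                  "resourceVersion": "303", "uid": "00000000-0000-0000-0000-000000000003"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
]}

# Constructed: what the repo manifest for desktop-isolation would contain.
DESIRED_DESKTOP_ISOLATION = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "desktop-isolation", "namespace": "fc-desktop"},
    "spec": {"podSelector": {"matchLabels": {"app": "fc-desktop"}}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "remotedesktop-web"}}}]}]},
}

if __name__ == "__main__":
    dump = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_DUMP
    for (ns, name), owner in sorted(audit(dump).items()):
        print(f"{ns}/{name}: {owner}")
    print("unmanaged:", unmanaged(dump))
```

Pipe a real dump in with `-` as the only argument; without it the script runs over the constructed sample. Anything reported as `adhoc` or `unknown` is exactly the repeatability gap this commit closes for fc-desktop, and `drifted()` is the byte-for-byte check worth running before letting ServerSideApply adopt a live object.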
54 lines
1.8 KiB
YAML
# FlowerCore Remote Desktop — TLS + Ingress
#
# Source-of-truth split:
# - bluejay-infra OWNS: Certificate, IngressRoute, all NetworkPolicies
#   (see network-policies.yaml in this directory).
# - FlowerCore.RemoteDesktop scripts/deploy-web.sh OWNS: Deployment +
#   Service. Reason: image refs like `localhost/fc-desktop:linux-xfce`
#   only exist on each node's containerd after a manual import, so a
#   Deployment manifest in bluejay-infra would race the image-import
#   step and crash-loop.
#
# NetworkPolicies moved into bluejay-infra 2026-05-07 — previously they
# were applied via the deploy script's kubectl apply calls, which broke
# cluster-rebuild repeatability. See
# feedback_networkpolicies_belong_in_bluejay_infra.md.
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: remotedesktop-web-tls
  namespace: fc-desktop
spec:
  secretName: remotedesktop-web-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - desktop.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: remotedesktop-web
  namespace: fc-desktop
spec:
  entryPoints:
    - websecure
  routes:
    # Host-level catch-all for desktop.iamworkin.lan. The /guacamole
    # path-prefix match lives in apps/guacamole/guacamole.yaml as a
    # separate IngressRoute in the guacamole namespace — the cluster
    # Traefik disallows cross-namespace service refs, so the PathPrefix
    # rule can't sit here. Traefik's router matching precedence gives
    # longer/more-specific rules priority automatically, so as long as
    # the guacamole IngressRoute exists it takes /guacamole traffic
    # before this catch-all sees it.
    - match: Host(`desktop.iamworkin.lan`)
      kind: Rule
      services:
        - name: remotedesktop-web
          port: 8080
  tls:
    secretName: remotedesktop-web-tls