bluejay-infra/apps/fc-apple-mdm/README.md
2026-06-17 17:57:17 -05:00

FlowerCore Apple MDM Infra

This app hosts the private NanoHUB bootstrap service for FlowerCore iPad management at https://mdm.iamworkin.lan.

Runtime Shape

  • Namespace: fc-apple-mdm
  • Host: mdm.iamworkin.lan
  • Image: localhost/fc-apple-mdm-nanohub:v0.2.0-20260617
  • Upstream baseline: NanoHUB v0.2.0, published 2025-12-25
  • Persistent data: fc-apple-mdm-data mounted at /var/lib/nanohub
  • NanoHUB file backend root: /var/lib/nanohub/db
  • Runtime secret: OnePasswordItem/fc-apple-mdm-runtime
  • Required secret field: NANOHUB_API_KEY
  • Optional secret field: NANOHUB_WEBHOOK_URL

NanoHUB listens on HTTP :9004 inside the pod; Traefik owns TLS using Certificate/fc-apple-mdm-tls. The public route intentionally exposes only /mdm, /checkin, and /version. The NanoHUB APIs under /api/v1/* stay cluster-internal for MDM-N1 and are intended for the FlowerCore DeviceManagement bridge.

NanoHUB Endpoints

  • Device command/report and default check-in endpoint: /mdm
  • Separate check-in endpoint enabled by NANOHUB_CHECKIN=true: /checkin
  • Health/version endpoint: /version
  • Internal NanoMDM API: /api/v1/nanomdm/
  • Internal NanoCMD API: /api/v1/nanocmd/
  • Internal KMFDDM API: /api/v1/ddm/

NanoHUB API authentication is HTTP Basic with username nanohub and password from NANOHUB_API_KEY.
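The following script is an added example, not part of the FlowerCore repo or NanoHUB itself. It checks the two properties stated above from a defender's side: that the public host routes only /mdm, /checkin and /version (the /api/v1/* prefixes should not be reachable through it), and that the cluster-internal APIs reject anonymous requests while accepting the nanohub / NANOHUB_API_KEY Basic credentials. The in-cluster service address in INTERNAL_BASE is an assumption (only the :9004 port is from this README); curl is the only dependency.

```sh
#!/bin/sh
# Added example (not part of the FlowerCore repo): audit the NanoHUB exposure
# policy. The public host must route only /mdm, /checkin and /version; the
# cluster-internal APIs must answer 401 anonymously and accept nanohub:$NANOHUB_API_KEY.
set -eu

PUBLIC_HOST="${PUBLIC_HOST:-https://mdm.iamworkin.lan}"
# Assumed in-cluster service address; :9004 is from the README, the name is not.
INTERNAL_BASE="${INTERNAL_BASE:-http://nanohub.fc-apple-mdm.svc:9004}"
PUBLIC_PATHS="/mdm /checkin /version"
INTERNAL_PREFIXES="/api/v1/nanomdm/ /api/v1/nanocmd/ /api/v1/ddm/"

# Print the HTTP status code for URL $1; $2 is an optional "user:password" for
# Basic auth. Prints 000 when no HTTP response was obtained at all.
status_of() {
  if [ -n "${2:-}" ]; then
    s="$(curl -sS -o /dev/null -w '%{http_code}' -u "$2" "$1" 2>/dev/null)" || true
  else
    s="$(curl -sS -o /dev/null -w '%{http_code}' "$1" 2>/dev/null)" || true
  fi
  printf '%s' "${s:-000}"
}

# Traefik answers 404 for a path no router matches; any other status means the
# request was forwarded to NanoHUB. Returns the number of failed checks (0 = pass).
audit_edge() {
  failures=0
  for p in $PUBLIC_PATHS; do
    s="$(status_of "$PUBLIC_HOST$p")"
    if [ "$s" = "404" ] || [ "$s" = "000" ]; then
      echo "FAIL public path not routed: $p (status $s)" >&2
      failures=$((failures + 1))
    fi
  done
  for p in $INTERNAL_PREFIXES; do
    s="$(status_of "$PUBLIC_HOST$p")"
    case "$s" in
      404) ;;
      000) echo "FAIL no response from $PUBLIC_HOST$p" >&2; failures=$((failures + 1)) ;;
      *) echo "FAIL internal API reachable through public host: $p (status $s)" >&2
         failures=$((failures + 1)) ;;
    esac
  done
  return "$failures"
}

# From inside the cluster: each internal API must reject an anonymous request
# with 401 and must not reject the nanohub/NANOHUB_API_KEY credentials.
audit_internal_auth() {
  key="${NANOHUB_API_KEY:?NANOHUB_API_KEY must be set}"
  failures=0
  for p in $INTERNAL_PREFIXES; do
    anon="$(status_of "$INTERNAL_BASE$p")"
    if [ "$anon" != "401" ]; then
      echo "FAIL $p answered $anon to an anonymous request (expected 401)" >&2
      failures=$((failures + 1))
    fi
    authed="$(status_of "$INTERNAL_BASE$p" "nanohub:$key")"
    if [ "$authed" = "401" ] || [ "$authed" = "000" ]; then
      echo "FAIL $p did not accept the nanohub credentials (status $authed)" >&2
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Run both audits only when explicitly requested, so the file can be sourced.
if [ "${RUN_MDM_AUDIT:-0}" = "1" ]; then
  audit_edge
  audit_internal_auth
  echo "NanoHUB exposure and auth checks passed"
fi
```

Run it as `RUN_MDM_AUDIT=1 NANOHUB_API_KEY=... sh mdm-audit.sh` from a pod or host that can reach both the public host and the in-cluster service. A 404 from the public host for an /api/v1/ prefix is consistent with Traefik never routing it; a 401 or 200 there is a definite finding, because only NanoHUB produces those statuses for its API paths.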

Operator Gates

  1. Create FlowerCore Apple MDM Runtime in the IAmWorkin 1Password vault with field NANOHUB_API_KEY. Add NANOHUB_WEBHOOK_URL only after the DeviceManagement Nano bridge endpoint is live.

  2. Add or confirm mdm.iamworkin.lan -> 10.0.56.200 in FlowerCore.DNS/pfSense before cert-manager syncs the certificate.

  3. Mirror or build the pinned NanoHUB image, then import it on every schedulable RKE2 node:

    podman pull --arch arm64 ghcr.io/micromdm/nanohub:latest@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd
    podman tag ghcr.io/micromdm/nanohub@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd localhost/fc-apple-mdm-nanohub:v0.2.0-20260617
    podman save localhost/fc-apple-mdm-nanohub:v0.2.0-20260617 -o fc-apple-mdm-nanohub-v0.2.0-20260617.tar
    # copy to each RKE2 node, then:
    sudo ctr -n k8s.io images import fc-apple-mdm-nanohub-v0.2.0-20260617.tar

    If GHCR changes or becomes unavailable, rebuild/import from nanohub-linux-arm64-v0.2.0.zip with SHA-256 b05968322a9bc34e79169ebee28d16554046f981eaee48a12cf80899f51a9dbd.

  4. Sync the ArgoCD app and confirm that https://mdm.iamworkin.lan/version responds.
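The helper below is an added example, not part of the FlowerCore repo, for gate 3: it verifies the offline nanohub-linux-arm64-v0.2.0.zip against the SHA-256 given above before anything is unzipped or built from it, and it confirms that an image reference is digest-pinned rather than tag-only before it is mirrored. The zip path and the RUN_NANOHUB_VERIFY switch are assumptions; the digests are the ones from this README.

```sh
#!/bin/sh
# Added example (not part of the FlowerCore repo): check the offline NanoHUB
# artifact's SHA-256 and the digest pinning of the upstream image reference
# before rebuilding/importing the pinned image.
set -eu

# Digest values from the README; the zip location is an assumption.
NANOHUB_ZIP="${NANOHUB_ZIP:-nanohub-linux-arm64-v0.2.0.zip}"
NANOHUB_ZIP_SHA256="b05968322a9bc34e79169ebee28d16554046f981eaee48a12cf80899f51a9dbd"
UPSTREAM_REF="ghcr.io/micromdm/nanohub@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd"
LOCAL_REF="localhost/fc-apple-mdm-nanohub:v0.2.0-20260617"

# Print the hex SHA-256 of file $1 (coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only when file $1 exists and its digest equals $2 (case-insensitive).
verify_sha256() {
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  if [ ! -f "$file" ]; then
    echo "missing artifact: $file" >&2
    return 1
  fi
  actual="$(sha256_of "$file" | tr 'A-F' 'a-f')"
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "SHA-256 mismatch for $file: got $actual, expected $expected" >&2
  return 1
}

# Return 0 when image reference $1 ends in @sha256:<64 hex>, i.e. is digest-pinned.
is_digest_pinned() {
  printf '%s' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

main() {
  is_digest_pinned "$UPSTREAM_REF" || {
    echo "refusing to mirror a tag-only reference: $UPSTREAM_REF" >&2
    return 1
  }
  verify_sha256 "$NANOHUB_ZIP" "$NANOHUB_ZIP_SHA256"
  echo "$NANOHUB_ZIP verified; safe to unzip and build $LOCAL_REF"
}

# Run the checks only when explicitly requested, so the file can be sourced.
if [ "${RUN_NANOHUB_VERIFY:-0}" = "1" ]; then
  main "$@"
fi
```

Run `RUN_NANOHUB_VERIFY=1 sh nanohub-verify.sh` in the directory holding the zip; a non-zero exit means the artifact or reference should not be used. Keeping the expected digest in the script (or the repo) rather than taking it from the download location is what makes the check meaningful if GHCR or the zip host changes.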

Support Boundary

This MDM-N1 lane deploys the protocol substrate only. It does not create an APNs MDM push certificate, enrollment profile, SCEP/device identity service, managed Wi-Fi payload, managed app install, or supervised iPad enrollment. Those stay in MDM-N2 through MDM-N8.