bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity
Files
e543018bdcd505d8fc83fddf3f240d2a2c9857a4
bluejay-infra/apps-gx10/fc-apple-mdm/README.md

2.2 KiB
Raw Blame History

FlowerCore Apple MDM on GX10

This directory deploys the NanoHUB v0.2.0 substrate for Apple MDM protocol traffic at https://mdm.iamworkin.lan.

Runtime

  • Namespace: fc-apple-mdm
  • Image: localhost/fc-apple-mdm-nanohub:v0.2.0-20260617
  • Upstream digest: ghcr.io/micromdm/nanohub:latest@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd
  • Persistent state: fc-apple-mdm-data on local-path, mounted at /var/lib/nanohub
  • File backend DSN: /var/lib/nanohub/db
  • Required secret: Secret/fc-apple-mdm-runtime, key NANOHUB_API_KEY
  • Optional later bridge secret: NANOHUB_WEBHOOK_URL
  • Required CA mount: ConfigMap/fc-apple-mdm-root-ca, key root_ca.crt

NanoHUB API authentication is HTTP Basic with username nanohub and password from NANOHUB_API_KEY.

Public Surface

The Traefik route intentionally exposes only:

  • /version
  • /mdm
  • /checkin

NanoHUB APIs under /api/v1/* stay cluster-internal for MDM-N1. The DeviceManagement bridge can use the ClusterIP service directly once its NanoHUB client lane lands.

SCEP is intentionally not exposed here yet. NanoHUB/NanoMDM expects an external SCEP service; the next runtime lane should either add a dedicated SCEP route such as https://mdm.iamworkin.lan/scep/... backed by an Apple-MDM-specific CA, or set APPLE_MDM_SCEP_URL in the DeviceManagement runtime secret to another live SCEP endpoint. Do not point the profile at a placeholder URL.

Deployment Notes

  1. Create or refresh the runtime Kubernetes Secret from the 1Password item FlowerCore Apple MDM Runtime before sync. GX10 does not yet depend on the 1Password operator for this workload.
  2. Import localhost/fc-apple-mdm-nanohub:v0.2.0-20260617 into GX10 containerd before ArgoCD syncs. The deployment uses imagePullPolicy: Never.
  3. Ensure mdm.iamworkin.lan resolves to the GX10 Traefik VIP 10.0.57.202 before cert-manager requests Certificate/fc-apple-mdm-tls.
  4. Prove https://mdm.iamworkin.lan/version after ArgoCD converges.

This lane does not create an APNs MDM push certificate, enrollment profile, SCEP/device identity service, managed Wi-Fi payload, managed app install, or supervised iPad enrollment. Those remain MDM-N2 through MDM-N8.

Reference in New Issue View Git Blame Copy Permalink