feat(web-probe): add multi-sentinel registry

Codex
2026-06-26 12:42:04 +00:00
parent 7b3df965cc
commit 4e0f1cba21
25 changed files with 1038 additions and 140 deletions
@@ -0,0 +1,49 @@
version: 1
kind: HwlabWebProbeSentinelCicd
metadata:
id: d601-v03-web-probe-sentinel-auth-session-switch-cicd
owner: UniDesk
specRef: PJ2026-01060508
sentinel:
cicd:
controlPlaneConfigRef: config/hwlab-node-control-plane.yaml#targets[0]
source:
repository: pikasTech/unidesk
branch: master
gitSshUrl: ssh://git@ssh.github.com:443/pikasTech/unidesk.git
gitMirrorReadUrl: http://git-mirror-http.devops-infra.svc.cluster.local:8080/pikasTech/unidesk.git
buildContext: .
entrypoint: scripts/web-probe-sentinel-service.ts
checkoutPaths:
- scripts
- config
- package.json
- bun.lock
- bun.lockb
builder:
namespace: devops-infra
sourceMode: sparse-git-checkout
jobPrefix: web-probe-sentinel-auth-switch-publish
gitSshSecretName: git-mirror-github-ssh
dockerSocketPath: /var/run/docker.sock
activeDeadlineSeconds: 900
ttlSecondsAfterFinished: 3600
gitopsPath: deploy/gitops/node/d601/web-probe-sentinel-auth-switch
argo:
namespace: argocd
projectName: hwlab-d601
applicationName: hwlab-web-probe-sentinel-auth-switch
repoURL: http://git-mirror-http.devops-infra.svc.cluster.local:8080/pikasTech/HWLAB.git
targetRevision: v0.3-gitops
image:
repository: 127.0.0.1:5000/hwlab/web-probe-sentinel-auth-switch
tagSource: source-commit
baseImageRef: config/hwlab-node-control-plane.yaml#targets[0].tekton.toolsImage.output
envRecipeRef: config/hwlab-web-probe-sentinel/runtime.auth-session-switch.d601-v03.yaml#sentinel.runtime
maintenance:
startCommand: sentinel maintenance start
stopCommand: sentinel maintenance stop
targetValidation:
scenarioId: workbench-auth-session-switch-2users
maxSeconds: 300
serviceUnavailablePolicy: structured-failure
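Review bot: The `builder` block gives the publish job the host Docker daemon (`dockerSocketPath: /var/run/docker.sock`) and the GitHub SSH key (`gitSshSecretName: git-mirror-github-ssh`) at the same time, so anything executed while building from `package.json` / `bun.lock` runs with node-level control and next to a key whose scope is not visible here. If the builder cannot move to a daemonless build, I would record the constraint beside the field, e.g. `# docker.sock is root-equivalent on the build node; job must not run untrusted install scripts`, and confirm the SSH key is a read-only deploy key. Separately, `gitMirrorReadUrl` and `argo.repoURL` are plain `http://`, so what Argo CD syncs from `v0.3-gitops` relies on the mirror and the cluster network being trusted; a one-line comment stating that assumption would help.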
@@ -0,0 +1,15 @@
version: 1
kind: HwlabWebProbeSentinelPromptSet
metadata:
id: d601-v03-web-probe-sentinel-auth-session-switch-prompt-set
owner: UniDesk
specRef: PJ2026-01060508
sentinel:
promptSet:
id: auth-session-switch-no-prompt
providerProfile: session-switch-sentinel
providerProfileMode: exact
promptSourceRef: hwlab/web-probe-sentinel-auth-switch.env
promptSourceKey: AUTH_SWITCH_UNUSED_PROMPTS_JSON
promptCount: 0
redaction: hash-and-byte-count
@@ -0,0 +1,37 @@
version: 1
kind: HwlabWebProbeSentinelPublicExposure
metadata:
id: d601-v03-web-probe-sentinel-auth-session-switch-public-exposure
owner: UniDesk
specRef: PJ2026-01060508
sentinel:
publicExposure:
enabled: true
mode: pk01-caddy-frp-path
publicBaseUrl: https://monitor.pikapython.com/sentinels/workbench-auth-session-switch-2users
hostname: monitor.pikapython.com
routePrefix: /sentinels/workbench-auth-session-switch-2users
expectedA: 82.156.23.220
frpc:
deploymentName: hwlab-web-probe-sentinel-auth-switch-frpc
image: 127.0.0.1:5000/hwlab/frpc:v0.68.1
serverAddr: 82.156.23.220
serverPort: 22000
tokenSourceRef: platform-infra/pk01-frp.env
tokenSourceKey: FRP_TOKEN
secretName: hwlab-web-probe-sentinel-auth-switch-frpc
secretKey: frpc.toml
tokenKey: token
httpProxy:
name: hwlab-d601-v03-web-probe-sentinel-auth-switch
remotePort: 22091
localIP: hwlab-web-probe-sentinel-auth-switch.hwlab-v03.svc.cluster.local
localPort: 8080
caddy:
route: PK01
configPath: /etc/caddy/Caddyfile
serviceName: caddy
email: ops@pikapython.com
tls: auto
responseHeaderTimeoutSeconds: 600
managedBlockOwner: hwlab-web-probe-sentinel-auth-switch-d601-v03
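Review bot: Nothing in `publicExposure` states who may reach `publicBaseUrl`. The `httpProxy` forwards all of `localPort: 8080`, and the runtime file added later in this commit serves `healthPath: /api/health` and `metricsPath: /metrics` on that same `servicePort: 8080` with `listenHost: 0.0.0.0`. Unless the generated Caddy block filters paths or requires authentication (not visible in this diff), the metrics endpoint and report API of a pod holding two account credentials become internet-reachable. I would name the control in the file, e.g. `# access control: <where enforced>; /metrics and raw report access are not routed publicly`. `tokenSourceRef: platform-infra/pk01-frp.env` also looks like a platform-wide FRP token rather than one scoped to this tunnel; worth confirming that is intended.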
@@ -10,6 +10,7 @@ sentinel:
mode: pk01-caddy-frp
publicBaseUrl: https://monitor.pikapython.com
hostname: monitor.pikapython.com
routePrefix: /
expectedA: 82.156.23.220
frpc:
deploymentName: hwlab-web-probe-sentinel-frpc
@@ -0,0 +1,22 @@
version: 1
kind: HwlabWebProbeSentinelReportViews
metadata:
id: d601-v03-web-probe-sentinel-auth-session-switch-report-views
owner: UniDesk
specRef: PJ2026-01060508
sentinel:
reportViews:
defaultView: auth-session-switch-summary
views:
- summary
- auth-session-switch-summary
- findings
- trace-frame
pageSize: 20
maxPageSize: 100
rawAccess: explicit-only
redaction:
prompt: hash-and-byte-count
assistantFinal: summary-and-hash
providerPayload: denied
secrets: denied
@@ -0,0 +1,33 @@
version: 1
kind: HwlabWebProbeSentinelRuntime
metadata:
id: d601-v03-web-probe-sentinel-auth-session-switch-runtime
owner: UniDesk
specRef: PJ2026-01060508
sentinel:
runtime:
target:
node: D601
lane: v03
publicOriginRef: config/hwlab-node-lanes.yaml#lanes.v03.targets.D601.public.webUrl
observeWrapperRef: config/hwlab-node-lanes.yaml#lanes.v03.targets.D601.observability.webProbe.sentinels[1]
namespace: hwlab-v03
serviceAccountName: hwlab-web-probe-sentinel-auth-switch
deploymentName: hwlab-web-probe-sentinel-auth-switch
serviceName: hwlab-web-probe-sentinel-auth-switch
listenHost: 0.0.0.0
servicePort: 8080
pvcName: hwlab-web-probe-sentinel-auth-switch-state
pvcStorage: 10Gi
stateRoot: /var/lib/web-probe-sentinel-auth-switch
imageRef: 127.0.0.1:5000/hwlab/web-probe-sentinel-auth-switch:source-commit
replicas: 1
healthPath: /api/health
metricsPath: /metrics
scheduler:
intervalMs: 600000
heartbeatStaleSeconds: 900
maxConcurrentRuns: 1
sqlite:
path: /var/lib/web-probe-sentinel-auth-switch/index.sqlite
busyTimeoutMs: 2000
@@ -10,7 +10,7 @@ sentinel:
node: D601
lane: v03
publicOriginRef: config/hwlab-node-lanes.yaml#lanes.v03.targets.D601.public.webUrl
observeWrapperRef: config/hwlab-node-lanes.yaml#lanes.v03.targets.D601.observability.webProbe.sentinel
observeWrapperRef: config/hwlab-node-lanes.yaml#lanes.v03.targets.D601.observability.webProbe.sentinels[0]
namespace: hwlab-v03
serviceAccountName: hwlab-web-probe-sentinel
deploymentName: hwlab-web-probe-sentinel
@@ -25,8 +25,8 @@ sentinel:
healthPath: /api/health
metricsPath: /metrics
scheduler:
intervalMs: 30000
heartbeatStaleSeconds: 120
intervalMs: 600000
heartbeatStaleSeconds: 900
maxConcurrentRuns: 1
sqlite:
path: /var/lib/web-probe-sentinel/index.sqlite
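Review bot: The already-deployed sentinel's staleness window grows from 2 to 15 minutes here (`heartbeatStaleSeconds: 900`, `intervalMs: 600000`), which the commit title does not mention. A stalled or killed probe would therefore go unreported for much longer than before. If the slower cadence is deliberate, a comment above `scheduler:` such as `# 10 min cadence for all registry sentinels; stale after 1.5 intervals` would make that explicit. If it is not, keep 30000/120 in this file and set the new values only in the auth-switch runtime file.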
@@ -0,0 +1,47 @@
version: 1
kind: HwlabWebProbeSentinelSecrets
metadata:
id: d601-v03-web-probe-sentinel-auth-session-switch-secrets
owner: UniDesk
specRef: PJ2026-01060508
sentinel:
secrets:
sources:
- purpose: bootstrap-admin
sourceRef: hwlab/d601-v03-bootstrap-admin.env
sourceKey: HWLAB_BOOTSTRAP_ADMIN_PASSWORD
- purpose: account-a
sourceRef: hwlab/web-probe-sentinel-auth-switch-account-a.env
sourceKey: ACCOUNT_A_JSON
- purpose: account-b
sourceRef: hwlab/web-probe-sentinel-auth-switch-account-b.env
sourceKey: ACCOUNT_B_JSON
- purpose: prompt-set
sourceRef: hwlab/web-probe-sentinel-auth-switch.env
sourceKey: AUTH_SWITCH_UNUSED_PROMPTS_JSON
- purpose: frp-token
sourceRef: platform-infra/pk01-frp.env
sourceKey: FRP_TOKEN
runtimeSecrets:
- name: hwlab-web-probe-sentinel-auth-switch-bootstrap
namespace: hwlab-v03
data:
- sourcePurpose: bootstrap-admin
targetKey: bootstrap-admin-password
- name: hwlab-web-probe-sentinel-auth-switch-accounts
namespace: hwlab-v03
data:
- sourcePurpose: account-a
targetKey: account-a.json
- sourcePurpose: account-b
targetKey: account-b.json
- name: hwlab-web-probe-sentinel-auth-switch-prompt-set
namespace: hwlab-v03
data:
- sourcePurpose: prompt-set
targetKey: prompts.json
- name: hwlab-web-probe-sentinel-auth-switch-frpc
namespace: hwlab-v03
data:
- sourcePurpose: frp-token
targetKey: token
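Review bot: The `bootstrap-admin` source puts `HWLAB_BOOTSTRAP_ADMIN_PASSWORD` into a runtime secret in `hwlab-v03` for this sentinel, yet the workflow added in this commit only logs in as `account-a` and `account-b`, so the probe appears to carry an admin credential it does not need at run time. Since the same deployment is published through the public-exposure file, I would drop the `hwlab-web-probe-sentinel-auth-switch-bootstrap` entry unless the service uses it to provision the two accounts. In that case, say so in the file: `# bootstrap-admin: used only to create account-a/account-b; not read during runs`. The `prompt-set` source is likewise materialised as a secret although `promptCount` is 0 in the prompt-set file.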
@@ -0,0 +1,41 @@
version: 1
kind: HwlabWebProbeSentinelWorkflow
metadata:
id: d601-v03-web-probe-sentinel-auth-session-switch-workflow
owner: UniDesk
specRef: PJ2026-01060508
sentinel:
workflow:
id: workbench-auth-session-switch-2users
enabled: true
cadence: 10m
observeTargetPath: /workbench
sampleIntervalMs: 1000
screenshotIntervalMs: 60000
maxRunSeconds: 900
providerProfile: session-switch-sentinel
providerProfileMode: exact
promptSetRef: config/hwlab-web-probe-sentinel/prompt-set.auth-session-switch.yaml#sentinel.promptSet
reportViewRef: config/hwlab-web-probe-sentinel/report-views.auth-session-switch.yaml#sentinel.reportViews
accounts:
- id: account-a
sourcePurpose: account-a
usernameKey: username
passwordKey: password
- id: account-b
sourcePurpose: account-b
usernameKey: username
passwordKey: password
commandSequence:
- type: loginAccount
accountId: account-a
- type: listSessions
- type: logout
- type: loginAccount
accountId: account-b
- type: listSessions
- type: switchSessions
fromAccountId: account-b
toAccountId: account-a
- type: listSessions
- type: logout
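Review bot: `maxRunSeconds: 900` is longer than `cadence: 10m` and equal to the `heartbeatStaleSeconds: 900` set in this sentinel's runtime file. With `maxConcurrentRuns: 1`, a slow run overlaps the next tick and could trip the stale alarm while still running (assuming the heartbeat is tied to run completion, which this diff does not show). Either cap the run below the cadence, e.g. `maxRunSeconds: 540`, or add a comment explaining why the overlap is acceptable. The sequence also ends with a single `logout` after `switchSessions` to `account-a`; if that leaves the `account-b` session alive, each run would leave a live session behind, so an explicit logout for `account-b` may be needed.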