fix: retarget secret-plane poc to D518

Codex
2026-06-28 06:16:37 +00:00
parent e2890bac64
commit 5e4f1f283f
3 changed files with 23 additions and 16 deletions
+9 -3
@@ -7,11 +7,17 @@ metadata:
relatedIssues:
- 2233
defaults:
targetId: D601
targetId: D518
targets:
- id: D601
route: D601:k3s
namespace: platform-infra
role: standby
enabled: false
createNamespace: true
- id: D518
route: D518:k3s
namespace: platform-infra
role: active
enabled: true
createNamespace: true
@@ -50,10 +56,10 @@ syncProbe:
vaultMountPath: secret
remotePath: hwlab-secret-plane/poc
remoteProperty: password
expectedFingerprint: sha256:7b47b343642e442d94ae889778113b0137eb8db255d9c03cb42f2582adfa2f2f
expectedFingerprint: sha256:e1e758e27c20234f18a8c7c43220fda341f6194c5bb0cedbf89ffe8078a19ba0
testValueSource:
mode: repo-poc-static
value: hwlab-secret-plane-poc-d601
value: hwlab-secret-plane-poc-d518
consumer:
deploymentName: hwlab-secret-plane-consumer
envName: POC_PASSWORD
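Review bot: In the syncProbe hunk, `testValueSource.value` and `expectedFingerprint` are edited by hand as a pair, and nothing in the file says the fingerprint must be regenerated when the value changes or that the value is a fixture rather than a credential. I would add a comment above `testValueSource`, for example `# PoC fixture only, not a credential; regenerate expectedFingerprint whenever value changes`. The fingerprint is presumably the SHA-256 of the static value, which cannot be confirmed from this page. If so, a match only shows that the sync path delivered the expected string, because the input is public in the repository.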
+8 -7
@@ -131,11 +131,11 @@ export async function runSecretPlaneCommand(config: UniDeskConfig, args: string[
error: "unsupported-platform-infra-secret-plane-command",
args,
usage: [
"bun scripts/cli.ts platform-infra secret-plane plan --target D601",
"bun scripts/cli.ts platform-infra secret-plane apply --target D601 --dry-run",
"bun scripts/cli.ts platform-infra secret-plane apply --target D601 --confirm",
"bun scripts/cli.ts platform-infra secret-plane status --target D601",
"bun scripts/cli.ts platform-infra secret-plane validate --target D601",
"bun scripts/cli.ts platform-infra secret-plane plan --target D518",
"bun scripts/cli.ts platform-infra secret-plane apply --target D518 --dry-run",
"bun scripts/cli.ts platform-infra secret-plane apply --target D518 --confirm",
"bun scripts/cli.ts platform-infra secret-plane status --target D518",
"bun scripts/cli.ts platform-infra secret-plane validate --target D518",
],
};
}
@@ -1148,7 +1148,8 @@ function syncProbeSummary(secretPlane: SecretPlaneConfig): Record<string, unknow
function policyChecks(secretPlane: SecretPlaneConfig, target: SecretPlaneTarget, yaml: string): Array<Record<string, unknown>> {
const kinds = manifestObjectSummary(yaml).map((item) => item.kind);
return [
{ name: "target-is-d601", ok: target.id === "D601" && target.route === "D601:k3s", detail: "PoC stays on D601 per HWLAB#2233 correction." },
{ name: "target-is-active", ok: target.role === "active", detail: "PoC target must be the YAML-selected active secret-plane target." },
{ name: "target-route-is-k3s", ok: target.route === `${target.id}:k3s`, detail: "Secret plane deployment uses the selected node k3s route." },
{ name: "namespace-is-platform-infra", ok: target.namespace === "platform-infra", detail: "Secret plane is external platform infrastructure and not an HWLAB namespace." },
{ name: "no-hwlab-workloads", ok: !/namespace:\s*hwlab/iu.test(yaml) && !/hwlab-v0?3/iu.test(yaml), detail: "This PoC must not integrate into HWLAB v0.3 yet." },
{ name: "no-nodeport-or-loadbalancer", ok: !/^\s*type:\s*(NodePort|LoadBalancer)\s*$/mu.test(yaml), detail: "Secret plane services stay ClusterIP-only." },
@@ -1218,7 +1219,7 @@ function renderPlan(result: Record<string, unknown>): RenderedCliResult {
` status: ${stringValue(next.status)}`,
` validate: ${stringValue(next.validate)}`,
"",
"Boundary: D601 platform-infra only; no HWLAB v0.3 integration is rendered.",
`Boundary: ${stringValue(target.id)} platform-infra only; no HWLAB v0.3 integration is rendered.`,
"Disclosure: Secret values are not printed; only object/key/fingerprint summaries are shown.",
]);
}
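Review bot: In the policyChecks hunk, the new `target-is-active` check looks only at `target.role`, so as far as this hunk shows, a target with `role: active` and `enabled: false` would pass, and two targets both marked active would each pass. The removed check pinned the host in code, whereas the replacement trusts the same YAML it is validating, and `target-route-is-k3s` compares the route against the target's own id, so neither check constrains which node is selected. I would tighten the first check to `ok: target.role === "active" && target.enabled === true`, assuming SecretPlaneTarget carries `enabled` as the YAML does. If the config loader does not already do so, it should also assert that exactly one target is active and that it matches `defaults.targetId`. policyChecks continues past the end of the hunk, so later entries may already cover part of this.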
+6 -6
@@ -360,13 +360,13 @@ export function platformInfraHelp(): unknown {
"bun scripts/cli.ts platform-infra observability search --target D601 --grep 'no rollout found' [--lookback-minutes 360] [--candidate-limit 80] [--limit 20]",
"bun scripts/cli.ts platform-infra observability diagnose-code-agent --target D601 --business-trace-id <trc_...> [--full|--raw]",
"bun scripts/cli.ts platform-infra observability diagnose-code-agent --target D601 --run-id <run_...> [--command-id <cmd_...>] [--runner-job-id <rjob_...>]",
"bun scripts/cli.ts platform-infra secret-plane plan --target D601",
"bun scripts/cli.ts platform-infra secret-plane apply --target D601 --dry-run",
"bun scripts/cli.ts platform-infra secret-plane apply --target D601 --confirm",
"bun scripts/cli.ts platform-infra secret-plane status --target D601",
"bun scripts/cli.ts platform-infra secret-plane validate --target D601",
"bun scripts/cli.ts platform-infra secret-plane plan --target D518",
"bun scripts/cli.ts platform-infra secret-plane apply --target D518 --dry-run",
"bun scripts/cli.ts platform-infra secret-plane apply --target D518 --confirm",
"bun scripts/cli.ts platform-infra secret-plane status --target D518",
"bun scripts/cli.ts platform-infra secret-plane validate --target D518",
],
description: "Operate YAML-controlled platform-infra services such as Sub2API, LangBot, n8n, WeChat archive workflows, OpenTelemetry tracing and the independent D601 secret plane. Public services use PK01 Caddy+FRP rather than Kubernetes Ingress, NodePort, or LoadBalancer.",
description: "Operate YAML-controlled platform-infra services such as Sub2API, LangBot, n8n, WeChat archive workflows, OpenTelemetry tracing and the independent target-scoped secret plane. Public services use PK01 Caddy+FRP rather than Kubernetes Ingress, NodePort, or LoadBalancer.",
target,
codexPool: {
usage: [