fix: retarget secret-plane poc to D518
@@ -7,11 +7,17 @@ metadata:
|
||||
relatedIssues:
|
||||
- 2233
|
||||
defaults:
|
||||
targetId: D601
|
||||
targetId: D518
|
||||
targets:
|
||||
- id: D601
|
||||
route: D601:k3s
|
||||
namespace: platform-infra
|
||||
role: standby
|
||||
enabled: false
|
||||
createNamespace: true
|
||||
- id: D518
|
||||
route: D518:k3s
|
||||
namespace: platform-infra
|
||||
role: active
|
||||
enabled: true
|
||||
createNamespace: true
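Review bot: The D601 entry is kept with `role: standby` and `enabled: false`, but nothing in this file says how the two fields differ or what happens to PoC objects that an earlier apply may have left on D601. Target selection now lives in three places (`defaults.targetId`, `role`, `enabled`) that can disagree, so a short comment above `targets:` would help, for example `# exactly one target has role: active and enabled: true, and it must equal defaults.targetId`. If the Vault path and the consumer deployment still exist on D601, the retarget should also record whether they are removed or deliberately left in place.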
|
||||
@@ -50,10 +56,10 @@ syncProbe:
|
||||
vaultMountPath: secret
|
||||
remotePath: hwlab-secret-plane/poc
|
||||
remoteProperty: password
|
||||
expectedFingerprint: sha256:7b47b343642e442d94ae889778113b0137eb8db255d9c03cb42f2582adfa2f2f
|
||||
expectedFingerprint: sha256:e1e758e27c20234f18a8c7c43220fda341f6194c5bb0cedbf89ffe8078a19ba0
|
||||
testValueSource:
|
||||
mode: repo-poc-static
|
||||
value: hwlab-secret-plane-poc-d601
|
||||
value: hwlab-secret-plane-poc-d518
|
||||
consumer:
|
||||
deploymentName: hwlab-secret-plane-consumer
|
||||
envName: POC_PASSWORD
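Review bot: `expectedFingerprint` and `testValueSource.value` are edited by hand as a pair here, and the probe value is committed in clear under `mode: repo-poc-static`. That is acceptable only because the value is a throwaway; a comment on the mode line such as `# PoC only: value is public in git, never point remotePath at a real secret in this mode` would make the limit explicit. If the fingerprint is a plain SHA-256 of the value (it looks that way, but this hunk does not confirm it), the same scheme applied to a low-entropy real secret would let anyone who sees the fingerprint check guesses offline, so a keyed digest is worth considering before this leaves PoC.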
|
||||
|
||||
@@ -131,11 +131,11 @@ export async function runSecretPlaneCommand(config: UniDeskConfig, args: string[
|
||||
error: "unsupported-platform-infra-secret-plane-command",
|
||||
args,
|
||||
usage: [
|
||||
"bun scripts/cli.ts platform-infra secret-plane plan --target D601",
|
||||
"bun scripts/cli.ts platform-infra secret-plane apply --target D601 --dry-run",
|
||||
"bun scripts/cli.ts platform-infra secret-plane apply --target D601 --confirm",
|
||||
"bun scripts/cli.ts platform-infra secret-plane status --target D601",
|
||||
"bun scripts/cli.ts platform-infra secret-plane validate --target D601",
|
||||
"bun scripts/cli.ts platform-infra secret-plane plan --target D518",
|
||||
"bun scripts/cli.ts platform-infra secret-plane apply --target D518 --dry-run",
|
||||
"bun scripts/cli.ts platform-infra secret-plane apply --target D518 --confirm",
|
||||
"bun scripts/cli.ts platform-infra secret-plane status --target D518",
|
||||
"bun scripts/cli.ts platform-infra secret-plane validate --target D518",
|
||||
],
|
||||
};
|
||||
}
|
||||
@@ -1148,7 +1148,8 @@ function syncProbeSummary(secretPlane: SecretPlaneConfig): Record<string, unknow
|
||||
function policyChecks(secretPlane: SecretPlaneConfig, target: SecretPlaneTarget, yaml: string): Array<Record<string, unknown>> {
|
||||
const kinds = manifestObjectSummary(yaml).map((item) => item.kind);
|
||||
return [
|
||||
{ name: "target-is-d601", ok: target.id === "D601" && target.route === "D601:k3s", detail: "PoC stays on D601 per HWLAB#2233 correction." },
|
||||
{ name: "target-is-active", ok: target.role === "active", detail: "PoC target must be the YAML-selected active secret-plane target." },
|
||||
{ name: "target-route-is-k3s", ok: target.route === `${target.id}:k3s`, detail: "Secret plane deployment uses the selected node k3s route." },
|
||||
{ name: "namespace-is-platform-infra", ok: target.namespace === "platform-infra", detail: "Secret plane is external platform infrastructure and not an HWLAB namespace." },
|
||||
{ name: "no-hwlab-workloads", ok: !/namespace:\s*hwlab/iu.test(yaml) && !/hwlab-v0?3/iu.test(yaml), detail: "This PoC must not integrate into HWLAB v0.3 yet." },
|
||||
{ name: "no-nodeport-or-loadbalancer", ok: !/^\s*type:\s*(NodePort|LoadBalancer)\s*$/mu.test(yaml), detail: "Secret plane services stay ClusterIP-only." },
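Review bot: The two added checks no longer tie the run to a specific node: `target-is-active` passes for any entry whose `role` is `"active"`, and `target-route-is-k3s` compares the route with the target's own id, so both are satisfied by whatever the YAML says. The removed `target-is-d601` check was the only one that pinned an expected value. Since `secretPlane` is already a parameter, I would add checks against the config, e.g. `{ name: "target-is-default", ok: target.id === secretPlane.defaults.targetId, detail: "Target must match defaults.targetId." }` and `{ name: "target-is-enabled", ok: target.enabled === true, detail: "Disabled targets must not be applied." }`, assuming the TypeScript types mirror the YAML fields. The returned array continues past the end of this hunk.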
|
||||
@@ -1218,7 +1219,7 @@ function renderPlan(result: Record<string, unknown>): RenderedCliResult {
|
||||
` status: ${stringValue(next.status)}`,
|
||||
` validate: ${stringValue(next.validate)}`,
|
||||
"",
|
||||
"Boundary: D601 platform-infra only; no HWLAB v0.3 integration is rendered.",
|
||||
`Boundary: ${stringValue(target.id)} platform-infra only; no HWLAB v0.3 integration is rendered.`,
|
||||
"Disclosure: Secret values are not printed; only object/key/fingerprint summaries are shown.",
|
||||
]);
|
||||
}
|
||||
|
||||
@@ -360,13 +360,13 @@ export function platformInfraHelp(): unknown {
|
||||
"bun scripts/cli.ts platform-infra observability search --target D601 --grep 'no rollout found' [--lookback-minutes 360] [--candidate-limit 80] [--limit 20]",
|
||||
"bun scripts/cli.ts platform-infra observability diagnose-code-agent --target D601 --business-trace-id <trc_...> [--full|--raw]",
|
||||
"bun scripts/cli.ts platform-infra observability diagnose-code-agent --target D601 --run-id <run_...> [--command-id <cmd_...>] [--runner-job-id <rjob_...>]",
|
||||
"bun scripts/cli.ts platform-infra secret-plane plan --target D601",
|
||||
"bun scripts/cli.ts platform-infra secret-plane apply --target D601 --dry-run",
|
||||
"bun scripts/cli.ts platform-infra secret-plane apply --target D601 --confirm",
|
||||
"bun scripts/cli.ts platform-infra secret-plane status --target D601",
|
||||
"bun scripts/cli.ts platform-infra secret-plane validate --target D601",
|
||||
"bun scripts/cli.ts platform-infra secret-plane plan --target D518",
|
||||
"bun scripts/cli.ts platform-infra secret-plane apply --target D518 --dry-run",
|
||||
"bun scripts/cli.ts platform-infra secret-plane apply --target D518 --confirm",
|
||||
"bun scripts/cli.ts platform-infra secret-plane status --target D518",
|
||||
"bun scripts/cli.ts platform-infra secret-plane validate --target D518",
|
||||
],
|
||||
description: "Operate YAML-controlled platform-infra services such as Sub2API, LangBot, n8n, WeChat archive workflows, OpenTelemetry tracing and the independent D601 secret plane. Public services use PK01 Caddy+FRP rather than Kubernetes Ingress, NodePort, or LoadBalancer.",
|
||||
description: "Operate YAML-controlled platform-infra services such as Sub2API, LangBot, n8n, WeChat archive workflows, OpenTelemetry tracing and the independent target-scoped secret plane. Public services use PK01 Caddy+FRP rather than Kubernetes Ingress, NodePort, or LoadBalancer.",
|
||||
target,
|
||||
codexPool: {
|
||||
usage: [
|
||||
|
||||