diff --git a/config/platform-infra/secret-plane.yaml b/config/platform-infra/secret-plane.yaml index 5cd1af3b..9d20c5b9 100644 --- a/config/platform-infra/secret-plane.yaml +++ b/config/platform-infra/secret-plane.yaml @@ -7,11 +7,17 @@ metadata: relatedIssues: - 2233 defaults: - targetId: D601 + targetId: D518 targets: - id: D601 route: D601:k3s namespace: platform-infra + role: standby + enabled: false + createNamespace: true + - id: D518 + route: D518:k3s + namespace: platform-infra role: active enabled: true createNamespace: true @@ -50,10 +56,10 @@ syncProbe: vaultMountPath: secret remotePath: hwlab-secret-plane/poc remoteProperty: password - expectedFingerprint: sha256:7b47b343642e442d94ae889778113b0137eb8db255d9c03cb42f2582adfa2f2f + expectedFingerprint: sha256:e1e758e27c20234f18a8c7c43220fda341f6194c5bb0cedbf89ffe8078a19ba0 testValueSource: mode: repo-poc-static - value: hwlab-secret-plane-poc-d601 + value: hwlab-secret-plane-poc-d518 consumer: deploymentName: hwlab-secret-plane-consumer envName: POC_PASSWORD diff --git a/scripts/src/platform-infra-secret-plane.ts b/scripts/src/platform-infra-secret-plane.ts index 44a233a7..a2b0245e 100644 --- a/scripts/src/platform-infra-secret-plane.ts +++ b/scripts/src/platform-infra-secret-plane.ts 
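Review bot: The default target moves from D601 to D518 and D601 becomes `role: standby` / `enabled: false`, yet `relatedIssues` still lists only 2233, which the validator removed in scripts/src/platform-infra-secret-plane.ts described as the correction that kept the PoC on D601; a reader of this YAML has no record of why the active node changed. Add the reference that authorises the move next to the default, e.g. `# D518 is the active secret-plane node; D601 kept as standby (see <ISSUE-REF>)` with the real issue id, or extend `relatedIssues` with it. D601 also keeps `createNamespace: true` while disabled; confirm whether a standby target is meant to create the namespace, and say so in a comment if it is.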
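Review bot: `expectedFingerprint` is replaced together with `testValueSource.value` but nothing records how the digest was produced, so a reviewer cannot recompute it from the hunk and a mismatch between the two fields would only surface when the sync probe runs. If, as the pairing suggests, the fingerprint is the SHA-256 of the static PoC value, state that inline: `# sha256 over testValueSource.value; recompute whenever the static PoC value changes`. If that is the derivation, having the validate command recompute the digest from `value` and compare it with `expectedFingerprint` would keep the two from drifting on the next rotation.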
@@ -131,11 +131,11 @@ export async function runSecretPlaneCommand(config: UniDeskConfig, args: string[
 error: "unsupported-platform-infra-secret-plane-command",
 args,
 usage: [
- "bun scripts/cli.ts platform-infra secret-plane plan --target D601",
- "bun scripts/cli.ts platform-infra secret-plane apply --target D601 --dry-run",
- "bun scripts/cli.ts platform-infra secret-plane apply --target D601 --confirm",
- "bun scripts/cli.ts platform-infra secret-plane status --target D601",
- "bun scripts/cli.ts platform-infra secret-plane validate --target D601",
+ "bun scripts/cli.ts platform-infra secret-plane plan --target D518",
+ "bun scripts/cli.ts platform-infra secret-plane apply --target D518 --dry-run",
+ "bun scripts/cli.ts platform-infra secret-plane apply --target D518 --confirm",
+ "bun scripts/cli.ts platform-infra secret-plane status --target D518",
+ "bun scripts/cli.ts platform-infra secret-plane validate --target D518",
 ],
 };
 }
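Review bot: The usage strings in the unsupported-command error still hard-code a target id (`--target D518`) even though this commit makes the YAML `defaults.targetId` the authority for which node is active, so they will go stale exactly as the D601 strings did; the same applies to the secret-plane lines in platformInfraHelp in scripts/src/platform-infra/entry.ts, where the neighbouring observability examples still say D601. If the selected default is reachable from `config`, build the examples with a template literal that interpolates `${defaultTargetId}` into the `--target` argument, with `defaultTargetId` read from the secret-plane defaults; otherwise one shared exported constant for the example id keeps both help blocks in step. runSecretPlaneCommand starts and ends outside the hunk, so where the default is resolved is not visible here.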
@@ -1148,7 +1148,8 @@ function syncProbeSummary(secretPlane: SecretPlaneConfig): Record> { const kinds = manifestObjectSummary(yaml).map((item) => item.kind); return [ - { name: "target-is-d601", ok: target.id === "D601" && target.route === "D601:k3s", detail: "PoC stays on D601 per HWLAB#2233 correction." }, + { name: "target-is-active", ok: target.role === "active", detail: "PoC target must be the YAML-selected active secret-plane target." }, + { name: "target-route-is-k3s", ok: target.route === `${target.id}:k3s`, detail: "Secret plane deployment uses the selected node k3s route." }, { name: "namespace-is-platform-infra", ok: target.namespace === "platform-infra", detail: "Secret plane is external platform infrastructure and not an HWLAB namespace." }, { name: "no-hwlab-workloads", ok: !/namespace:\s*hwlab/iu.test(yaml) && !/hwlab-v0?3/iu.test(yaml), detail: "This PoC must not integrate into HWLAB v0.3 yet." }, { name: "no-nodeport-or-loadbalancer", ok: !/^\s*type:\s*(NodePort|LoadBalancer)\s*$/mu.test(yaml), detail: "Secret plane services stay ClusterIP-only." }, @@ -1218,7 +1219,7 @@ function renderPlan(result: Record): RenderedCliResult { ` status: ${stringValue(next.status)}`, ` validate: ${stringValue(next.validate)}`, "", - "Boundary: D601 platform-infra only; no HWLAB v0.3 integration is rendered.", + `Boundary: ${stringValue(target.id)} platform-infra only; no HWLAB v0.3 integration is rendered.`, "Disclosure: Secret values are not printed; only object/key/fingerprint summaries are shown.", ]); } diff --git a/scripts/src/platform-infra/entry.ts b/scripts/src/platform-infra/entry.ts index 79c8f4dd..546142ca 100644 --- a/scripts/src/platform-infra/entry.ts +++ b/scripts/src/platform-infra/entry.ts 
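Review bot: The new `target-is-active` check accepts a target on `role` alone and never consults its `enabled` flag, which the YAML now sets per target (D601 is `role: standby` with `enabled: false`), so a target edited to `role: active` while still `enabled: false` would pass validation. If the target type carries the YAML `enabled` field, tighten the check to `ok: target.role === "active" && target.enabled === true,` and mention the flag in `detail`. The removed check also pinned the id to D601; with that anchor gone the YAML is the only control over where the PoC is deployed, which is worth saying in the `detail` text so the relaxation reads as deliberate. The enclosing function starts and ends outside the hunk.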
@@ -360,13 +360,13 @@ export function platformInfraHelp(): unknown {
 "bun scripts/cli.ts platform-infra observability search --target D601 --grep 'no rollout found' [--lookback-minutes 360] [--candidate-limit 80] [--limit 20]",
 "bun scripts/cli.ts platform-infra observability diagnose-code-agent --target D601 --business-trace-id [--full|--raw]",
 "bun scripts/cli.ts platform-infra observability diagnose-code-agent --target D601 --run-id [--command-id ] [--runner-job-id ]",
- "bun scripts/cli.ts platform-infra secret-plane plan --target D601",
- "bun scripts/cli.ts platform-infra secret-plane apply --target D601 --dry-run",
- "bun scripts/cli.ts platform-infra secret-plane apply --target D601 --confirm",
- "bun scripts/cli.ts platform-infra secret-plane status --target D601",
- "bun scripts/cli.ts platform-infra secret-plane validate --target D601",
+ "bun scripts/cli.ts platform-infra secret-plane plan --target D518",
+ "bun scripts/cli.ts platform-infra secret-plane apply --target D518 --dry-run",
+ "bun scripts/cli.ts platform-infra secret-plane apply --target D518 --confirm",
+ "bun scripts/cli.ts platform-infra secret-plane status --target D518",
+ "bun scripts/cli.ts platform-infra secret-plane validate --target D518",
 ],
- description: "Operate YAML-controlled platform-infra services such as Sub2API, LangBot, n8n, WeChat archive workflows, OpenTelemetry tracing and the independent D601 secret plane. Public services use PK01 Caddy+FRP rather than Kubernetes Ingress, NodePort, or LoadBalancer.",
+ description: "Operate YAML-controlled platform-infra services such as Sub2API, LangBot, n8n, WeChat archive workflows, OpenTelemetry tracing and the independent target-scoped secret plane. Public services use PK01 Caddy+FRP rather than Kubernetes Ingress, NodePort, or LoadBalancer.",
 target,
 codexPool: {
 usage: [