deploy: configure NC01 HWLAB monitor exposure
This commit is contained in:
@@ -0,0 +1,41 @@
|
||||
# NC01 Reference
|
||||
|
||||
NC01 is the current host registered as a UniDesk provider-gateway node. Host maintenance uses `trans NC01 ...`; Kubernetes maintenance uses `trans NC01:k3s ...`.
|
||||
|
||||
## Source Of Truth
|
||||
|
||||
- Host k8s/provider config: `config/unidesk-host-k8s.yaml`.
|
||||
- Host proxy config: `config/platform-infra/host-proxy.yaml#targets.NC01`; NC01 host-proxy uses `/root/vpn-server` as the VPN server source.
|
||||
- HWLAB node/lane config: `config/hwlab-node-lanes.yaml#lanes.v03.targets.NC01`.
|
||||
- HWLAB control-plane config: `config/hwlab-node-control-plane.yaml#nodes.NC01`.
|
||||
- AgentRun config: `config/agentrun.yaml`, lane `nc01-v02`.
|
||||
- NC01 host PostgreSQL config: `config/platform-db/postgres-nc01.yaml`.
|
||||
|
||||
## Fixed Repos
|
||||
|
||||
- HWLAB v0.3 fixed repo: `/root/hwlab`, branch `v0.3`.
|
||||
- AgentRun v0.2 fixed repo: `/root/agentrun`, branch `v0.2`.
|
||||
- UniDesk source/config authority remains `/root/unidesk`.
|
||||
|
||||
## Database Boundary
|
||||
|
||||
NC01 databases run on host-native PostgreSQL, not Docker or Kubernetes. Kubernetes workloads that need PostgreSQL must use YAML-declared external PostgreSQL bridge objects and Secrets.
|
||||
|
||||
For HWLAB v0.3, the Kubernetes Service `nc01-host-postgres` in namespace `hwlab-v03` points to host PostgreSQL at `10.42.0.1:5432`. Runtime database Secrets are sourced from `.state/secrets/hwlab/*` via YAML sourceRef and must only be reported as present/fingerprint metadata, never as full values.
|
||||
|
||||
## GitHub Token
|
||||
|
||||
The local GitHub token source is `.env/gh_token.txt`. It must be stored as a bare token and consumed through controlled YAML/sourceRef or temporary non-printing credential helpers. Do not place the token in command argv, logs, committed files, or rendered manifests.
|
||||
|
||||
## Public Exposure
|
||||
|
||||
NC01 HWLAB v0.3 does not require publicExposure unless YAML explicitly declares it and a real FRP token source is available. When publicExposure is absent, control-plane public probe is skipped and must not block runtime readiness.
|
||||
|
||||
Web-probe sentinel deployments that need public ingress must declare their own YAML publicExposure and Secret sourceRef. Do not create placeholder FRP tokens; a missing `platform-infra/pk01-frp.env` token source is a deployment blocker for FRP-backed public exposure.
|
||||
|
||||
## Validation Entrypoints
|
||||
|
||||
- Provider/trans: `scripts/trans NC01 argv true`.
|
||||
- NC01 k8s route: `scripts/trans NC01:k3s kubectl get nodes -o wide`.
|
||||
- HWLAB v0.3: `bun scripts/cli.ts hwlab nodes control-plane status --node NC01 --lane v03 --full`.
|
||||
- AgentRun v0.2: `bun scripts/cli.ts agentrun control-plane status --node NC01 --lane nc01-v02`.
|
||||
Reference in New Issue
Block a user