deploy: configure NC01 HWLAB monitor exposure

This commit is contained in:
root
2026-07-08 05:34:11 +02:00
parent 5dfb78f000
commit a328aa909e
41 changed files with 2522 additions and 110 deletions
+41
View File
@@ -0,0 +1,41 @@
# NC01 Reference
NC01 is the current host registered as a UniDesk provider-gateway node. Host maintenance uses `trans NC01 ...`; Kubernetes maintenance uses `trans NC01:k3s ...`.
## Source Of Truth
- Host k8s/provider config: `config/unidesk-host-k8s.yaml`.
- Host proxy config: `config/platform-infra/host-proxy.yaml#targets.NC01`; NC01 host-proxy uses `/root/vpn-server` as the VPN server source.
- HWLAB node/lane config: `config/hwlab-node-lanes.yaml#lanes.v03.targets.NC01`.
- HWLAB control-plane config: `config/hwlab-node-control-plane.yaml#nodes.NC01`.
- AgentRun config: `config/agentrun.yaml`, lane `nc01-v02`.
- NC01 host PostgreSQL config: `config/platform-db/postgres-nc01.yaml`.
## Fixed Repos
- HWLAB v0.3 fixed repo: `/root/hwlab`, branch `v0.3`.
- AgentRun v0.2 fixed repo: `/root/agentrun`, branch `v0.2`.
- UniDesk source/config authority remains `/root/unidesk`.
## Database Boundary
NC01 databases run on host-native PostgreSQL, not Docker or Kubernetes. Kubernetes workloads that need PostgreSQL must use YAML-declared external PostgreSQL bridge objects and Secrets.
For HWLAB v0.3, the Kubernetes Service `nc01-host-postgres` in namespace `hwlab-v03` points to host PostgreSQL at `10.42.0.1:5432`. Runtime database Secrets are sourced from `.state/secrets/hwlab/*` via YAML sourceRef and must only be reported as present/fingerprint metadata, never as full values.
## GitHub Token
The local GitHub token source is `.env/gh_token.txt`. It must be stored as a bare token and consumed through controlled YAML/sourceRef or temporary non-printing credential helpers. Do not place the token in command argv, logs, committed files, or rendered manifests.
## Public Exposure
NC01 HWLAB v0.3 does not require publicExposure unless YAML explicitly declares it and a real FRP token source is available. When publicExposure is absent, control-plane public probe is skipped and must not block runtime readiness.
Web-probe sentinel deployments that need public ingress must declare their own YAML publicExposure and Secret sourceRef. Do not create placeholder FRP tokens; a missing `platform-infra/pk01-frp.env` token source is a deployment blocker for FRP-backed public exposure.
## Validation Entrypoints
- Provider/trans: `scripts/trans NC01 argv true`.
- NC01 k8s route: `scripts/trans NC01:k3s kubectl get nodes -o wide`.
- HWLAB v0.3: `bun scripts/cli.ts hwlab nodes control-plane status --node NC01 --lane v03 --full`.
- AgentRun v0.2: `bun scripts/cli.ts agentrun control-plane status --node NC01 --lane nc01-v02`.