From f7299ebe2bff2a267e7632c290a97424a8f5137d Mon Sep 17 00:00:00 2001 From: Jean-Gabriel Gill-Couture Date: Sun, 31 May 2026 09:13:39 -0400 Subject: [PATCH 1/2] refactor(fleet-deploy): rename HARMONY_SECRET_NAMESPACE to HARMONY_CONFIG_NAMESPACE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The env var name was a misnomer — ConfigClient resolves both config and secrets, not just secrets. The struct field was already config_namespace. Legacy SecretManager keeps the old var; this forces migration to ConfigClient for new code. --- ROADMAP/fleet_platform/v0_3_plan.md | 12 +++++------- fleet/harmony-fleet-deploy/src/main.rs | 18 ++++++++++++++---- 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/ROADMAP/fleet_platform/v0_3_plan.md b/ROADMAP/fleet_platform/v0_3_plan.md index d241ef40..5aa5917e 100644 --- a/ROADMAP/fleet_platform/v0_3_plan.md +++ b/ROADMAP/fleet_platform/v0_3_plan.md @@ -9,7 +9,7 @@ Written 2026-05-31. Picks up after OpenBao + Zitadel + NATS + callout + operator - [x] NATS + auth callout deployed in `fleet-staging` namespace - [x] Operator deployed (older version, 2-3 weeks old) - [x] Config-driven OpenBao installer (`examples/openbao`) -- [x] `harmony-fleet-deploy` binary reads `FleetDeploySecrets` from OpenBao +- [x] `harmony-fleet-deploy` binary reads `FleetDeployConfig` + `FleetDeploySecrets` from OpenBao ## Immediate next steps @@ -34,8 +34,7 @@ Written 2026-05-31. Picks up after OpenBao + Zitadel + NATS + callout + operator - [ ] Create `.envrc` with minimal env: ```bash export OPENBAO_URL=https://secrets-stg.cb1.nationtech.io - export HARMONY_SECRET_NAMESPACE=fleet-staging - export HARMONY_FLEET_NAMESPACE=fleet-staging + export HARMONY_CONFIG_NAMESPACE=fleet-staging # export OPENBAO_TOKEN= ``` - [ ] Write deploy invocation (shell script or just `harmony-fleet-deploy` call): 
@@ -78,15 +77,14 @@ Written 2026-05-31. Picks up after OpenBao + Zitadel + NATS + callout + operator ```bash OPENBAO_URL=https://secrets-stg.cb1.nationtech.io -HARMONY_SECRET_NAMESPACE=fleet-staging +HARMONY_CONFIG_NAMESPACE=fleet-staging # SSO auth or root token (SSO is the goal) ``` ### OpenBao (read via ConfigClient) +- `FleetDeployConfig` (k8s namespaces, NATS URL, chart coords) at `secret/data/fleet-staging/FleetDeployConfig` - `FleetDeploySecrets` (operator creds) at `secret/data/fleet-staging/FleetDeploySecrets` -- k8s namespaces (`fleet-staging`, `zitadel-staging`, `openbao-staging`) as config values -- Chart registry/project coords as config values ## Missing features (post-UI) @@ -95,7 +93,7 @@ HARMONY_SECRET_NAMESPACE=fleet-staging - [ ] Per-device OpenBao policies (templated policies, one role per device type) - [ ] Device identity claim in JWT (Zitadel `client_id` with `device-` prefix) - [ ] OpenBao JWT auth role granularity (extend `OpenbaoJwtAuth` to list of roles) -- [ ] Move k8s namespaces + chart coords into `ConfigClient` config struct (env = only identifier + auth) +- [x] Move k8s namespaces + chart coords into `ConfigClient` config struct (env = only identifier + auth) ### Operator capabilities diff --git a/fleet/harmony-fleet-deploy/src/main.rs b/fleet/harmony-fleet-deploy/src/main.rs index 86994420..f0afc9a7 100644 --- a/fleet/harmony-fleet-deploy/src/main.rs +++ b/fleet/harmony-fleet-deploy/src/main.rs @@ -15,7 +15,9 @@ use harmony::inventory::Inventory; use harmony::topology::K8sAnywhereTopology; use harmony_cli::Args as HarmonyCliArgs; use harmony_config::ConfigClient; -use harmony_fleet_deploy::{FleetDeployConfig, FleetDeploySecrets, FleetOperatorScore, version_from_tag}; +use harmony_fleet_deploy::{ + FleetDeployConfig, FleetDeploySecrets, FleetOperatorScore, version_from_tag, +}; #[derive(Parser, Debug)] #[command( 
@@ -46,7 +48,11 @@ struct CliConfig { operator_chart_project: Option, /// Config namespace `FleetDeploySecrets` and `FleetDeployConfig` resolve under (Env → OpenBao). - #[arg(long, env = "HARMONY_SECRET_NAMESPACE", default_value = "fleet-staging")] + #[arg( + long, + env = "HARMONY_CONFIG_NAMESPACE", + default_value = "fleet-staging" + )] config_namespace: String, #[command(flatten)] @@ -96,8 +102,12 @@ async fn main() -> Result<()> { }; let namespace = cli.namespace.unwrap_or(config.namespace); - let registry = cli.operator_chart_registry.unwrap_or(config.operator_chart_registry); - let project = cli.operator_chart_project.unwrap_or(config.operator_chart_project); + let registry = cli + .operator_chart_registry + .unwrap_or(config.operator_chart_registry); + let project = cli + .operator_chart_project + .unwrap_or(config.operator_chart_project); let operator = FleetOperatorScore::new() .namespace(namespace) -- 2.39.5 From 2e9052b21702fb177c100bbd11cae1191b597d60 Mon Sep 17 00:00:00 2001 From: Jean-Gabriel Gill-Couture Date: Sun, 31 May 2026 10:12:54 -0400 Subject: [PATCH 2/2] fix(openbao): remove extra blank line in example Pre-existing formatting issue caught by cargo fmt --check. --- examples/openbao/src/main.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/openbao/src/main.rs b/examples/openbao/src/main.rs index c539e2f8..f5824b3e 100644 --- a/examples/openbao/src/main.rs +++ b/examples/openbao/src/main.rs @@ -84,7 +84,6 @@ async fn main() -> Result<()> { "host must be set (e.g. secrets-stg.)" ); - let instance = OpenbaoInstance { namespace: cfg.namespace.clone(), release: cfg.release.clone(), -- 2.39.5
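Review bot: An environment that still exports only `HARMONY_SECRET_NAMESPACE` is silently ignored by the renamed `config_namespace` argument, and because the `#[arg(...)]` keeps `default_value = "fleet-staging"`, the binary falls back to that namespace with no error or warning. For a tool that resolves `FleetDeployConfig` and `FleetDeploySecrets` from OpenBao, a deployment that pointed the old variable somewhere else would read its config and operator credentials from `fleet-staging` instead. Consider warning or failing early in `main` when the old name is set and the new one is not, e.g. `if std::env::var_os("HARMONY_SECRET_NAMESPACE").is_some() && std::env::var_os("HARMONY_CONFIG_NAMESPACE").is_none() { /* return an error naming the new variable */ }`. Alternatively, drop the default so the namespace must always be given explicitly. `CliConfig` starts and ends outside this hunk, and `main` is only partly visible in the following hunk, so where the check belongs is inferred.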