Jean-Gabriel Gill-Couture
8a609c5342
The operator was opening a bare async_nats::connect with no auth, which would fail closed against a callout-protected NATS. Wires it through the same JWT-bearer flow the agent uses, sharing the recently-extracted harmony-fleet-auth crate. Operator side ------------- * main.rs: read FLEET_OPERATOR_CREDENTIALS_TOML (TOML snippet, same shape as the agent's [credentials] block — single CredentialsSection struct, just a different byte source). Empty string bypasses (callout-less dev only, with a loud warning). * chart.rs: ChartOptions gains an optional OperatorCredentials field. When set, build_chart's Deployment mounts a Secret as both envFrom (TOML payload → FLEET_OPERATOR_CREDENTIALS_TOML) and a volume mount for the JSON keyfile at the configured key_path (defaults to /etc/fleet-operator/zitadel-key.json). On-disk helm chart still emits credentials: None — those are environment- specific and out of scope for a redistributable chart. * Public manifest builders (build_service_account, build_cluster_role, build_cluster_role_binding, build_operator_deployment, operator_secret) so the e2e bring-up can apply each resource via K8sResourceScore without re-implementing the manifests. * mod chart now lives in lib.rs so external consumers (the e2e bring-up) can reach into it. E2e bring-up ------------ * Bring-up gains a separate `fleet-operator` machine user with the fleet-admin role grant — distinct from the manual-admin `fleet-ops` user so audit logs can tell automated operator actions apart from human ones. * New steps 8/10 (build + sideload operator image) and 9/10 (apply CRDs + RBAC + Secret + Deployment + wait for Ready). Devices step becomes 10/10. * Reuses harmony_fleet_operator's manifest builders + operator_secret via K8sResourceScore — no duplicated YAML, no shell-out. Tests ----- * All existing tests pass (harmony-fleet-auth: 18, harmony-fleet-agent: 7, harmony-fleet-operator: 2). E2e walking-skeleton is exercised by the next phase's clean rerun.
48 lines
1.4 KiB
TOML
48 lines
1.4 KiB
TOML
[package]
|
|
name = "example-fleet-e2e-demo"
|
|
edition = "2024"
|
|
version.workspace = true
|
|
readme.workspace = true
|
|
license.workspace = true
|
|
description = "VM-based end-to-end rehearsal: k3d + Zitadel + NATS auth callout + libvirt VM agents + operator → CR → podman → status"
|
|
|
|
[lib]
|
|
name = "example_fleet_e2e_demo"
|
|
path = "src/lib.rs"
|
|
|
|
[[bin]]
|
|
name = "fleet-e2e-demo"
|
|
path = "src/main.rs"
|
|
|
|
[[test]]
|
|
name = "e2e_walking_skeleton"
|
|
path = "tests/e2e_walking_skeleton.rs"
|
|
|
|
[dependencies]
|
|
harmony = { path = "../../harmony", features = ["kvm"] }
|
|
harmony-k8s = { path = "../../harmony-k8s" }
|
|
harmony_types = { path = "../../harmony_types" }
|
|
example-fleet-auth-callout = { path = "../fleet_auth_callout" }
|
|
harmony-nats-callout = { path = "../../nats/callout" }
|
|
harmony-reconciler-contracts = { path = "../../harmony-reconciler-contracts" }
|
|
harmony-fleet-operator = { path = "../../fleet/harmony-fleet-operator" }
|
|
k3d-rs = { path = "../../k3d" }
|
|
async-nats.workspace = true
|
|
nkeys = "0.4"
|
|
tokio = { workspace = true, features = ["full"] }
|
|
tokio-test.workspace = true
|
|
serde.workspace = true
|
|
serde_json.workspace = true
|
|
anyhow.workspace = true
|
|
log.workspace = true
|
|
env_logger.workspace = true
|
|
tracing.workspace = true
|
|
tracing-subscriber.workspace = true
|
|
futures-util.workspace = true
|
|
k8s-openapi.workspace = true
|
|
kube.workspace = true
|
|
clap = { version = "4", features = ["derive", "env"] }
|
|
directories = "6.0.0"
|
|
tempfile = "3"
|
|
url.workspace = true
|