Skip to content

feat(trakrf-backend): wire READER_FEED_MQTT_* env for reader live-view (TRA-902)#149

Merged
mikestankavich merged 1 commit into
mainfrom
worktree-miks2u+tra-902-backend-reader-feed-env
Jun 5, 2026
Merged

feat(trakrf-backend): wire READER_FEED_MQTT_* env for reader live-view (TRA-902)#149
mikestankavich merged 1 commit into
mainfrom
worktree-miks2u+tra-902-backend-reader-feed-env

Conversation

@mikestankavich

Copy link
Copy Markdown
Contributor

Final TRA-902 activation piece — pairs with the merged #148 (broker WSS listener + frontend-readonly read-only ACL).

Delivers the reader-feed config to the backend as Deployment env vars (GitOps-durable — ArgoCD self-heals the backend, so ad-hoc kubectl set env would be reverted). The backend (platform #455/#456, merged) stamps READER_FEED_MQTT_* into index.htmlwindow.__APP_CONFIG__.readerFeed; the SPA's Live Reads tab then subscribes the browser to the broker over WSS.

Changes (mirrors the mqttEnabled pattern)

  • helm/trakrf-backend: new readerFeed values block + a conditional env block (gated on readerFeed.url, like mqtt.host). READER_FEED_MQTT_URL/USERNAME/TOPIC as config; READER_FEED_MQTT_PASSWORD via secretKeyReftrakrf-mosquitto-auth/frontend_password (out of git). Off by default.
  • argocd/root: per-env readerFeedEnabled flag (preview=true, prod=false) + GKE-only inject of readerFeed.url = wss://mqtt.<env>.gke.trakrf.id:8084/mqtt.

Security

Creds land in pre-auth index.html (public) → least-privilege subscribe-only (the #148 ACL allows read trakrf.id/+/reads only — verified). prod stays off until the multi-tenant cross-org read gate is closed (documented on TRA-902).

Verification

helm template: preview renders all four READER_FEED_MQTT_* (incl. PASSWORD secretKeyRef); default/prod/aks render none; root chart injects the preview URL only (prod/aks none); helm lint (eks/aks) + root render pass.

Deploy

helm/ chart change → ArgoCD auto-syncs; backend rolls (maxSurge:0, single-pod) and serves the reader-feed config. The frontend-readonly user + WSS listener are already live (#148 + activated). After merge I'll confirm the backend carries the env + ping platform to validate end-to-end (DevTools __APP_CONFIG__.readerFeed, Live Reads tab).

🤖 Generated with Claude Code

…-view (TRA-902)

Final TRA-902 activation piece: deliver the reader-feed config to the backend as
Deployment env vars (GitOps-durable; ArgoCD self-heals the backend, so ad-hoc
`kubectl set env` would be reverted). The backend (platform #455/#456) stamps
these into index.html → window.__APP_CONFIG__.readerFeed; the SPA's Live Reads
tab subscribes the browser to the broker over WSS.

- helm/trakrf-backend: add a `readerFeed` values block + a conditional env block
  (gated on readerFeed.url, mirroring the mqtt.host trigger). READER_FEED_MQTT_URL
  /USERNAME/TOPIC as config; READER_FEED_MQTT_PASSWORD via secretKeyRef from
  trakrf-mosquitto-auth/frontend_password (out of git). Off by default.
- argocd/root: per-env `readerFeedEnabled` flag (preview=true, prod=false) +
  GKE-only inject of readerFeed.url = wss://mqtt.<env>.gke.trakrf.id:8084/mqtt.

Pairs with #148 (broker WSS listener + frontend-readonly read-only ACL). The
creds land in PRE-AUTH index.html (public) → least-privilege subscribe-only.
prod stays off until the multi-tenant cross-org read gate is closed (TRA-902
comment).

Verified: helm template — preview renders READER_FEED_MQTT_* (URL/USERNAME/TOPIC
+ PASSWORD secretKeyRef); default/prod/aks render none; root gke injects the
preview URL only; lint + root render pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@mikestankavich mikestankavich merged commit 34d39b0 into main Jun 5, 2026
19 checks passed
@mikestankavich mikestankavich deleted the worktree-miks2u+tra-902-backend-reader-feed-env branch June 5, 2026 00:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant