Merged
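--- a/argocd/root/templates/trakrf-backend.yaml
+++ b/argocd/root/templates/trakrf-backend.yaml
@@ -31,6 +31,12 @@
 {{- if $cfg.mqttEnabled }}
 {{- $base = printf "%smqtt:\n host: mqtt.%s.gke.trakrf.id\n clientId: trakrf-backend-%s-%s\n" $base $env $.Values.cluster $env }}
 {{- end }}
+{{- /* TRA-902: reader live-view feed. readerFeed.url is the chart's enable
+trigger (per-env WSS host); username/topic/password(secretKeyRef) come
+from the chart defaults. GKE-only (broker WSS is gke). */ -}}
+{{- if and $cfg.readerFeedEnabled (eq $.Values.cluster "gke") }}
+{{- $base = printf "%sreaderFeed:\n url: wss://mqtt.%s.gke.trakrf.id:8084/mqtt\n" $base $env }}
+{{- end }}
 {{- $ingress := "ingress:\n enabled: false\n" }}
 {{- if $cfg.ingressEnabled }}
 {{- $ingressCtx := dict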
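Review bot: The template comment on the added readerFeed block explains the enable trigger but not the exposure it switches on. Per the backend chart's own comments in this change, a non-empty readerFeed.url results in the frontend-readonly broker credentials being stamped into pre-auth index.html. This template is where the per-env flag is evaluated, so I would add a sentence to the comment such as `Enabling this serves the frontend-readonly MQTT credentials to unauthenticated visitors; keep off for prod until the TRA-902 cross-org gate is closed.` The same comment could also state that `readerFeedEnabled: true` on a non-gke cluster renders nothing, since the `eq $.Values.cluster "gke"` condition skips it silently.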
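--- a/argocd/root/values.yaml
+++ b/argocd/root/values.yaml
@@ -35,6 +35,12 @@ namespaces:
 # until cutover (see TRA-920 prod checklist). GKE-only
 # (broker host is .gke.); harmless if ever set on a
 # cluster whose backend image predates TRA-900.
+# readerFeedEnabled — TRA-902: injects READER_FEED_MQTT_* env onto the
+# backend (wss://mqtt.<env>.gke.trakrf.id:8084/mqtt
+# + frontend-readonly creds) so the SPA Live Reads
+# tab subscribes the browser to the broker. GKE-only.
+# preview=true; prod=false until the multi-tenant
+# cross-org gate is closed (see TRA-902 comment).
 # imageTag — trakrf-backend image tag override. Empty falls
 # back to chart default (helm/trakrf-backend/values-<cluster>.yaml).
 # On GKE BOTH envs are image-updater-tracked
@@ -80,6 +86,7 @@ envs:
 appTrakrfIdHost: app.preview.trakrf.id
 mqttIp: ""
 mqttEnabled: true
+readerFeedEnabled: true # TRA-902: Live Reads tab WSS feed
 imageTag: ""
 environmentLabel: preview
 jwtExpirationSeconds: "900"
@@ -95,6 +102,7 @@ envs:
 appTrakrfIdHost: app.trakrf.id
 mqttIp: ""
 mqttEnabled: false # flip to true at prod cutover — see TRA-920 prod checklist
+readerFeedEnabled: false # Live Reads stays off until the multi-tenant gate (see TRA-902)
 # imageTag="" — prod is image-updater-tracked (TRA-351 option b): the
 # trakrf-backend-prod ImageUpdater CR pins the resolved :prod DIGEST into
 # the Application (immutable ref → kubelet pulls the exact build, fixing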
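Review bot: With `readerFeedEnabled: true` on the preview env, the cross-org read exposure that is held back for prod is live in preview as soon as this merges. The backend chart comments in this change say the credentials land in public pre-auth index.html, and the default topic is the wildcard `trakrf.id/+/reads`. Whether that is acceptable depends on what the preview broker carries, which this diff does not show. I would record the assumption next to the flag, for example `readerFeedEnabled: true # TRA-902: assumes no real tenant reads on the preview broker — confirm`, so the condition for leaving it on is explicit.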
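--- a/helm/trakrf-backend/templates/deployment.yaml
+++ b/helm/trakrf-backend/templates/deployment.yaml
@@ -93,6 +93,24 @@ spec:
 - name: MQTT_CLIENT_ID
 value: {{ .Values.mqtt.clientId | quote }}
 {{- end }}
+{{- if .Values.readerFeed.url }}
+# Reader live-view feed (TRA-902). The backend stamps these into
+# index.html (window.__APP_CONFIG__.readerFeed); the SPA's Live Reads
+# tab connects the browser to the broker over WSS as the read-only
+# frontend-readonly user. These land in pre-auth index.html (public);
+# password is sourced from the secret (out of git), ACL = subscribe-only.
+- name: READER_FEED_MQTT_URL
+value: {{ .Values.readerFeed.url | quote }}
+- name: READER_FEED_MQTT_USERNAME
+value: {{ .Values.readerFeed.username | quote }}
+- name: READER_FEED_MQTT_TOPIC
+value: {{ .Values.readerFeed.topic | quote }}
+- name: READER_FEED_MQTT_PASSWORD
+valueFrom:
+secretKeyRef:
+name: {{ .Values.readerFeed.passwordSecret }}
+key: {{ .Values.readerFeed.passwordSecretKey }}
+{{- end }}
 envFrom:
 - configMapRef:
 name: {{ include "trakrf-backend.fullname" . }}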
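Review bot: The `secretKeyRef` `name` and `key` of the READER_FEED_MQTT_PASSWORD entry are rendered unquoted and unvalidated, unlike the three `value:` lines above them, which pipe through `quote`. If an override sets `readerFeed.url` but blanks `passwordSecret` or `passwordSecretKey`, the template emits an empty `name:` or `key:` and the mistake only surfaces at apply time or pod start. I would use `name: {{ required "readerFeed.passwordSecret is required when readerFeed.url is set" .Values.readerFeed.passwordSecret | quote }}` and the equivalent for `key`. The container's env list begins and continues outside this hunk, so this covers only the added entries.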
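--- a/helm/trakrf-backend/values.yaml
+++ b/helm/trakrf-backend/values.yaml
@@ -139,6 +139,23 @@ mqtt:
 # mosquitto-secrets`, mirrored into the env namespace by Reflector.
 authSecret: trakrf-mosquitto-auth
 
+# Reader live-view feed (TRA-902). The backend stamps these into index.html
+# (window.__APP_CONFIG__.readerFeed) so the SPA's Live Reads tab subscribes the
+# browser directly to the broker over WSS as the read-only frontend-readonly
+# user (read trakrf.id/+/reads only). url empty = disabled (no READER_FEED_* env
+# rendered); preview turns it on via the root chart. The password comes from the
+# trakrf-mosquitto-auth secret (frontend_password key, added by `just
+# mosquitto-secrets`) — out of git. These land in PRE-AUTH index.html (public),
+# hence least-privilege subscribe-only; cross-org read exposure is a documented
+# pre-prod gate (see TRA-902).
+readerFeed:
+# wss://mqtt.<env>.gke.trakrf.id:8084/mqtt — injected per-env by the root chart.
+url: ""
+username: frontend-readonly
+topic: "trakrf.id/+/reads"
+passwordSecret: trakrf-mosquitto-auth
+passwordSecretKey: frontend_password
+
 # Non-secret config (ConfigMap)
 config:
 appEnv: production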
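Review bot: `passwordSecret` defaults to `trakrf-mosquitto-auth`, the same Secret named by `mqtt.authSecret` just above, so a value that is public by design sits in one object with what are presumably the backend's own broker credentials. Only the `frontend_password` key is referenced by this change, so nothing else is exposed here. The cost is that rotation and RBAC for the two are now coupled, and any later whole-Secret `envFrom` or volume mount would pull both. Consider a separate Secret for the frontend password, or at minimum add a comment on the key such as `# shares a Secret with mqtt.authSecret: reference by key only, never mount the whole Secret`.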