Working version, but the speed is 10 Mbit
+17
-8
@@ -9,7 +9,7 @@ organization users.
Architecture boundary:
- WEB is HTTP/HTTPS ingress and presentation.
- Cluster configuration belongs to Control Plane APIs.
- Cluster configuration is reached through the panel service gateway; the farm transport behind it remains QUIC fabric.
- PostgreSQL remains the source of truth.
- Dynamic admin pages must be safe, scoped, schema-driven projections.
- Secrets, internal topology, peer caches, route caches, and raw credentials
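Review bot: the replacement line drops the ownership statement. The removed line said cluster configuration *belongs to* Control Plane APIs; the new one only says it is *reached through* the panel service gateway, so the boundary list no longer names which component is authoritative for configuration writes, only which hop the panel talks to. Suggest keeping both, e.g. `- Cluster configuration belongs to Control Plane APIs and is reached through the panel service gateway; the farm transport behind it remains QUIC fabric.` Also "farm transport" appears here for the first time without a definition; define it or reuse the term already used elsewhere in the document.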
@@ -33,6 +33,7 @@ Implemented platform-owner sections:
- node inventory
- node membership disable and identity revoke boundaries
- join token creation with signed authority envelope visibility
- signed join bundle generation for docker/linux/windows node installs
- join request approve/reject with signed approval envelope visibility
- role assignment
- workload desired-state setting
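Review bot: the new bullet introduces a second signed artifact without saying how it relates to the join token in the bullet above it. State whether the signed join bundle embeds the one-time install token, what signs it (the same authority envelope as the token, or a separate key), and its validity window. A bundle that is generated for docker/linux/windows installs and then copied to a host is a credential, so the documentation should describe its lifetime the same way it does for the token.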
@@ -86,18 +87,18 @@ http://127.0.0.1:5173
The admin console should run on a dedicated admin host/port. It is not intended
to be the public product landing page on generic `80/443` web ingress.
Default backend API inside the panel:
Panel service gateway inside the UI:
```text
/api/v1
```
The local Vite dev server proxies `/api` to the remote test backend
`http://192.168.200.61:8080` by default, avoiding browser CORS issues while
keeping the Control Plane API unchanged. Override the proxy target when needed:
The browser never asks the operator for a farm HTTP endpoint. During local
development the Vite dev server proxies `/api` to the panel service gateway.
Override the local proxy target only for developer work:
```powershell
$env:RAP_ADMIN_API_PROXY = "http://192.168.200.61:8080"
$env:RAP_ADMIN_API_PROXY = "http://<panel-service-host>:<port>"
npm run dev -- --port 5173
```
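Review bot: the rewritten proxy paragraph loses the statement of the default. The removed text said `/api` is proxied to `http://192.168.200.61:8080` by default; the new text says the dev server proxies to "the panel service gateway" but does not say where that default lives or what `RAP_ADMIN_API_PROXY` falls back to when it is unset, so a developer cannot tell from the README whether the old test IP is still baked into the Vite config. Suggest naming the config location or stating the fallback explicitly. Minor: the override placeholder uses plain `http://`; that is reasonable for a local gateway, but say so, since the panel sends the operator's authenticated session through this proxy.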
@@ -108,7 +109,7 @@ password fields; it does not expose API URLs or language/settings to
unauthenticated users.
After authentication the panel verifies platform-owner/platform-admin access
through Control Plane APIs before opening the console. Users without product-owner
through the panel service gateway before opening the console. Users without product-owner
scope must not see this panel. Organization admins and organization users require
separate scoped panels.
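Review bot: the hunk keeps two different role names in one paragraph: the first line says "platform-owner/platform-admin access" while the changed line still ends with "Users without product-owner scope". Pick one term; the Safety Rules section below uses platform-owner/platform-admin. Also, "the panel verifies ... access through the panel service gateway before opening the console" reads as if the browser is the enforcement point. Clearer to say the gateway rejects callers without the required scope and the panel only reflects that result, since a client-side check on its own does not keep the console's data from an unauthorized user.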
@@ -116,10 +117,18 @@ Language selection is available only after login in the profile area. It is stor
as a user-scoped browser preference for this MVP. Backend user-profile persistence
for language/locale is a later Control Plane profile setting.
The panel shows real Control Plane data only. If cluster counts are zero, the
The panel shows real farm data only. If cluster counts are zero, the
cluster has no approved node-agent nodes, roles, workloads, VPN records, or mesh
observations yet.
Current node enrollment surface is bundle-first:
- the panel creates a one-time install token
- the panel requests a signed join bundle from the panel service gateway
- the operator downloads or posts that bundle to the target machine
- `rap-host-agent install* --join-bundle ...` performs first install
- after first start, node enrollment, update, and control traffic use QUIC fabric
## Safety Rules
- The console is platform-owner/platform-admin only.
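Review bot: in the new enrollment list, `rap-host-agent install* --join-bundle ...` uses a shell-style glob for the subcommand name, which is ambiguous in documentation; list the actual install subcommands (the earlier hunk refers to docker/linux/windows installs). The list also says the operator "downloads or posts that bundle to the target machine" without stating that the bundle is a credential: say whether it is single-use or expires like the one-time install token in the first bullet, and that it must be transferred over a protected channel. Minor: the paragraph above now says "farm data" while the preceding sentence still says "Control Plane profile setting"; keep the rename consistent.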