GloriousFlywheel Dashboard Control Plane Assumptions 2026-04-16
Snapshot date: 2026-04-16
Purpose
Capture the exact stack, module, and app-level assumptions that still keep the runner dashboard control plane GitLab-native even after the local-first backend/init cleanup.
This note sharpens the remaining #169 and #172 work.
Companion notes:
gloriousflywheel-deployment-authority-decision-2026-04-15.mdgloriousflywheel-deployment-authority-execution-plan-2026-04-15.md- gloriousflywheel-program-surface-2026-04-15.md
- gloriousflywheel-milestone-execution-matrix-2026-04-15.md
Current Repo Facts
Direct inspection on 2026-04-16 shows:
tofu/stacks/runner-dashboard/main.tfandtofu/modules/runner-dashboard/main.tfstill require a GitLab-backed control shape:- GitLab OAuth client ID and secret
- GitLab URL
- GitLab API token
- GitLab group ID and project ID
runner_stack_namefor GitOps tfvars mutation
- the dashboard module writes
GITLAB_*,RUNNER_STACK_NAME, andATTIC_DEFAULT_ENVinto the app ConfigMap and Secret - app auth is mixed-mode at the edge:
hooks.server.tsaccepts proxy-header auth for tailscale and mTLS- WebAuthn is present
- but the primary interactive login and callback path is still GitLab OAuth
- dashboard data and runner control remain GitLab-native:
/api/runnersand/api/runners/[name]call GitLab group runner APIs- pause/resume routes call GitLab runner pause/resume APIs
- GitOps mutation remains GitLab-native:
app/src/lib/server/gitops/repository.tsreads and writes repo files through GitLab project APIsapp/src/lib/server/gitops/pipeline.tscreates GitLab branches and merge requests
- ARC is present mainly as a read-side substrate:
- the dashboard module supports ARC namespaces in RBAC and config
- the app has Kubernetes readers for ARC resources
- but there is no parallel GitHub-native control or mutation path
Exact Classification
1. Access Auth Is Mixed-Mode
Current supported envelopes:
- GitLab OAuth
- WebAuthn after OAuth bootstrap
- Tailscale proxy-header auth
- mTLS proxy-header auth
Important limit:
- tailscale and mTLS currently change the access envelope, not the underlying runner control authority
2. Runner Inventory And Control Are GitLab-Native
The dashboard still treats GitLab as the authoritative source for:
- runner listing
- runner detail lookup
- pause
- resume
If GITLAB_TOKEN and GITLAB_GROUP_ID are absent, the app falls back to mock
data rather than a parallel real control plane.
3. GitOps Mutation Is GitLab-Native
The dashboard’s change submission flow still assumes:
- GitLab project repository APIs
- GitLab branches
- GitLab merge requests
That is not yet a forge-neutral or GitHub-native path.
4. Kubernetes Access Is More Generic Than Control
The stack and module already support:
- generic kubeconfig context selection
- ARC namespaces
- caddy tailscale and mTLS ingress modes
So the infrastructure edge is ahead of the dashboard control plane itself.
What This Means For #169
The remaining #169 gap is not root init anymore. It is concentrated in the
runner-dashboard stack and app contract:
- stack and module variable surfaces still encode GitLab-first control inputs
- app auth, data, and GitOps mutation still assume GitLab as the current control authority
- comments and examples need to describe this honestly until the redesign happens
What This Means For #172
#172 should not treat tailscale or mTLS ingress as sufficient on their own.
That work still needs an answer for:
- what replaces GitLab as the authoritative control API, if anything
- whether monitoring and mutation should be split into separate surfaces
- whether GitHub ARC control is a real target or only read-side visibility
Recommendation
Recommended next execution order:
- reclassify runner-dashboard comments, variable descriptions, and docs to describe the current GitLab-backed control plane honestly
- fix any app-level bugs that obscure the current control contract
- decide whether the dashboard remains GitLab-backed legacy support or gets a new control authority
- only then redesign auth, GitOps mutation, and runner control around a new operator plane
Exit Condition
- the repo has one explicit note describing what is still GitLab-native in the dashboard control plane
#169and#172no longer rely on vague “legacy assumptions” language- future dashboard redesign work can target named control-plane seams