Extract Apple MDM initialization out of runServeCmd

[raju249]

Extracts the Apple MDM initialization out of runServeCmd into testable functions in a new cmd/fleet/mdm_apple.go. Continues the chain of extractions on this issue (#44929, #45343, #45583, #46166, #46421) toward the serve.go >60% coverage target discussed on #33370.

Five functions come out of the inline block:

• initAppleMDMStorages — constructs the MDM, DEP, and SCEP storages.
• initAppleMDMPushService — picks the no-op pusher under FLEET_DEV_MDM_APPLE_DISABLE_PUSH=1, otherwise the real APNs pusher.
• checkMDMAssetsExist — promotes the inline checkMDMAssets closure to a package function. It was already used at several call sites; they now all share this one.
• reconcileAppleMDMAPNsAndSCEPAssets / reconcileAppleMDMABMAssets — the APNs/SCEP and ABM asset reconciliation blocks.

Behavior is preserved — runServeCmd calls these in the same order with the same arguments, and the full cmd/fleet suite passes unchanged against MySQL + Redis. Each function returns early after initFatal so it's also safe when the caller's initFatal doesn't terminate (the case in tests).

On test scope: the new unit tests cover the dev-mode push gate, all four branches of checkMDMAssetsExist, and the no-op and missing-private-key paths of both reconcilers. The storage construction and the actual asset-insert paths need a real datastore, so those stay covered by the existing integration tests rather than new unit tests — I didn't want to stand up a full datastore mock for paths that are already exercised end-to-end.

Related issue: Refs #33370

Checklist for submitter

• Added/updated automated tests
• Changes file: not applicable — internal refactor with no user-visible behavior change

Summary by CodeRabbit

• New Features

  • Added Apple MDM initialization and configuration management for APNs, SCEP, and Apple Business Manager with automatic reconciliation of missing assets and a dev-mode option that disables push.

• Tests

  • Added unit tests covering push-service behavior, asset-existence checks, reconciliation logic, and fail-fast handling when required key material is missing.

[claude]

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f57d8c52-13b5-4a20-ae16-4eb6b05e252f

📥 Commits

Reviewing files that changed from the base of the PR and between 8f41c00 and 17d6232.

📒 Files selected for processing (2)

• cmd/fleet/mdm_apple.go
• cmd/fleet/mdm_apple_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• cmd/fleet/mdm_apple.go
• cmd/fleet/mdm_apple_test.go

---

Walkthrough

This PR refactors Apple MDM initialization logic by extracting inline code from serve.go into a new module (mdm_apple.go) with focused helper functions. New helpers construct MySQL-backed NanoMDM storages, initialize an APNs push service (or no-op in dev mode), and reconcile APNs/SCEP and ABM assets in the datastore. The reconciliation functions load configured certs/keys and insert them when missing, while handling duplicate-key errors gracefully. The serve.go file is refactored to call these helpers and to replace all checkMDMAssets calls with a new checkMDMAssetsExist function that treats not-found and partial-result conditions as "missing." Comprehensive unit tests validate helper behavior across success, missing configuration, and error paths.

Possibly related PRs

• fleetdm/fleet#46166: Both PRs modify Apple MDM APNs/SCEP reconciliation in serve.go, consolidating validation and datastore reconciliation logic via MDMConfig.ValidateAppleAPNSAndSCEPPair.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 58.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: extracting Apple MDM initialization logic from runServeCmd into separate, testable functions.
Description check	✅ Passed	The description provides comprehensive context: it explains the extraction's purpose, lists five extracted functions with their responsibilities, confirms behavior preservation, describes test coverage, and references related issues.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/fleet/mdm_apple.go`:
- Around line 62-66: The TLS config passed into buford.NewPushProviderFactory
(see pushProviderFactory / buford.NewPushProviderFactory and the tls.Config used
when constructing fleethttp.NewClient) must explicitly set MinVersion to
tls.VersionTLS12 to enforce TLS 1.2+ for APNs; update the tls.Config literal to
include MinVersion: tls.VersionTLS12 while keeping the existing Certificates
field so the client uses TLS 1.2 or higher.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a3f121e5-d769-480b-911f-0ef520ba1334

📥 Commits

Reviewing files that changed from the base of the PR and between 1f934e1 and 8f41c00.

📒 Files selected for processing (3)

• cmd/fleet/mdm_apple.go
• cmd/fleet/mdm_apple_test.go
• cmd/fleet/serve.go

[raju249]

Hey @getvictor @JordanMontgomery - Would you mind taking a review, please?

This PR extracts the Apple MDM related logic out of serve.go.

[codecov]

Codecov Report

❌ Patch coverage is 27.00730% with 100 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.79%. Comparing base (8eae1e9) to head (17d6232).
⚠️ Report is 34 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/fleet/mdm_apple.go	28.46%	93 Missing ⚠️
cmd/fleet/serve.go	0.00%	7 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #46517      +/-   ##
==========================================
- Coverage   66.92%   66.79%   -0.13%     
==========================================
  Files        2798     2801       +3     
  Lines      223420   223565     +145     
  Branches    11467    11467              
==========================================
- Hits       149519   149338     -181     
- Misses      60357    60668     +311     
- Partials    13544    13559      +15     

Flag	Coverage Δ
backend	68.54% <27.00%> (-0.15%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.