runners: bake step-ca root CA into image (v20260525-stepca)

Without the IAmWorkin step-ca root CA in the runner image's system
trust store, .NET HttpClient calls from CI tests against
`*.iamworkin.lan` (e.g. `https://selenium.iamworkin.lan/session`) fail
with `The remote certificate is invalid because of errors in the
certificate chain: PartialChain`. FlowerCore.Print.Web's
`WebScreenshotService` unit tests hit this on every build.

Drop the step-ca root PEM into `/usr/local/share/ca-certificates/`,
run `update-ca-certificates` once during apt install, and let OpenSSL +
.NET-on-Linux read the regenerated `/etc/ssl/certs/ca-certificates.crt`
automatically — no `SSL_CERT_FILE` env var, no per-Deployment volume
mount.

Image rebuilt + saved + imported on all 3 schedulable RKE2 nodes
(rke2-server, rke2-agent1, rke2-agent2) before this PR — verified with
`ctr images list -q | grep stepca` on each node.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Andrew Stoltz
2026-05-25 19:55:38 -05:00
parent bc28430d24
commit 2a1e842100
4 changed files with 100 additions and 66 deletions


@@ -22,7 +22,7 @@
# NUGET_PACKAGES, XDG_CACHE_HOME, and RUNNER_TOOL_CACHE are all pointed at
# writable mounted paths under /home/runner so actions/setup-dotnet does not
# attempt to install into /usr/share/dotnet.
# Ruby 3.3.11 is baked into localhost/fc-github-runner:v20260520-ruby3.3.11
# Ruby 3.3.11 is baked into localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
# under /opt/runner-toolcache; setup-runner-home copies it into
# /home/runner/_tool because the runner-home emptyDir masks image content
# under /home/runner at runtime.
@@ -157,7 +157,7 @@ spec:
# honors the deeper mount.
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -178,7 +178,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
# GitHub org/repo targeting.
@@ -334,7 +334,7 @@ spec:
# rather than re-applied per repo as flipped lanes land.
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -355,7 +355,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -472,7 +472,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -493,7 +493,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -604,7 +604,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -625,7 +625,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -736,7 +736,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -757,7 +757,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -868,7 +868,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -889,7 +889,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -1003,7 +1003,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -1024,7 +1024,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -1135,7 +1135,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -1156,7 +1156,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -1267,7 +1267,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -1288,7 +1288,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -1399,7 +1399,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -1420,7 +1420,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -1533,7 +1533,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -1554,7 +1554,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -1667,7 +1667,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -1688,7 +1688,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -1802,7 +1802,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -1823,7 +1823,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -1936,7 +1936,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -1957,7 +1957,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -2070,7 +2070,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -2091,7 +2091,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -2204,7 +2204,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -2225,7 +2225,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -2337,7 +2337,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -2358,7 +2358,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -2471,7 +2471,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -2492,7 +2492,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -2604,7 +2604,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -2625,7 +2625,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -2737,7 +2737,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -2758,7 +2758,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -2870,7 +2870,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -2891,7 +2891,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -3003,7 +3003,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -3024,7 +3024,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -3136,7 +3136,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -3157,7 +3157,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -3270,7 +3270,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -3291,7 +3291,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -3404,7 +3404,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -3425,7 +3425,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -3538,7 +3538,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -3559,7 +3559,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -3672,7 +3672,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -3693,7 +3693,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL
@@ -3806,7 +3806,7 @@ spec:
fsGroup: 1001
initContainers:
- name: setup-runner-home
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
command:
- sh
@@ -3827,7 +3827,7 @@ spec:
mountPath: /home/runner
containers:
- name: runner
image: localhost/fc-github-runner:v20260520-ruby3.3.11
image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
imagePullPolicy: Never
env:
- name: REPO_URL