Add step-ca agent issuer manifest

2026-05-19 17:52:58 -05:00
parent ca574c2280
commit 46bbd00d09
2 changed files with 79 additions and 0 deletions
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -432,6 +432,7 @@ public sealed class FleetManifestLintTests
            "1password-item.yaml",
            "argocd-application.yaml",
            "certificate-web.yaml",
+            "clusterissuer-step-ca-agent.yaml",
            "clusterrole-operator.yaml",
            "clusterrolebinding-operator.yaml",
            "deployment-operator.yaml",
@@ -516,6 +517,53 @@ public sealed class FleetManifestLintTests
            .ContainSingle("devices.iamworkin.lan");
    }

+    [Fact]
+    public void FcDeviceManagement_StepCaAgentIssuerMustTargetNocProvisioner()
+    {
+        var issuer = FcDeviceManagementDocuments()
+            .Single(document => document.Kind == "StepClusterIssuer" && document.Name == "step-ca-agent");
+
+        issuer.Scalar("apiVersion").Should().Be("certmanager.step.sm/v1beta1");
+        issuer.Scalar("spec", "url").Should().Be("https://10.0.56.10:9443");
+        issuer.Scalar("spec", "caBundle").Should().NotBeNullOrWhiteSpace();
+        issuer.Scalar("spec", "provisioner", "name").Should().Be("step-ca-agent");
+        issuer.Scalar("spec", "provisioner", "kid").Should().Be("RF3A9welUYVOWBX8tr19aWyA2kQlxoGZN1dRwTElUEM");
+    }
+
+    [Fact]
+    public void FcDeviceManagement_StepCaAgentIssuerMustReferencePasswordSecretOnly()
+    {
+        var issuer = FcDeviceManagementDocuments()
+            .Single(document => document.Kind == "StepClusterIssuer" && document.Name == "step-ca-agent");
+
+        issuer.Scalar("spec", "provisioner", "passwordRef", "name")
+            .Should()
+            .Be("step-ca-agent-provisioner-password");
+        issuer.Scalar("spec", "provisioner", "passwordRef", "namespace").Should().Be("cert-manager");
+        issuer.Scalar("spec", "provisioner", "passwordRef", "key").Should().Be("password");
+
+        var issuerText = File.ReadAllText(Path.Combine(Inventory.BluejayRoot, "apps", "fc-devicemgmt", "clusterissuer-step-ca-agent.yaml"));
+        issuerText.Should().NotContain("stringData:");
+        issuerText.Should().NotContain("password:");
+        issuerText.Should().NotContain("privateKey");
+    }
+
+    [Fact]
+    public void FcDeviceManagement_StepCaAgentIssuerMustCarryTraceabilityMetadata()
+    {
+        var issuer = FcDeviceManagementDocuments()
+            .Single(document => document.Kind == "StepClusterIssuer" && document.Name == "step-ca-agent");
+
+        issuer.Scalar("metadata", "labels", "app.kubernetes.io/managed-by").Should().Be("argocd");
+        issuer.Scalar("metadata", "labels", "flowercore.io/tenant-id").Should().Be("system");
+        issuer.Scalar("metadata", "annotations", "flowercore.io/provisioner-source")
+            .Should()
+            .Be("profile::pki::stepca");
+        issuer.Scalar("metadata", "annotations", "flowercore.io/secret-source")
+            .Should()
+            .Be("cert-manager/step-ca-agent-provisioner-password");
+    }
+
    [Fact]
    public void FcDeviceManagement_OperatorRbacMustCoverDevicesAndOwnerLookup()
    {