runners: bake step-ca root CA into image (v20260525-stepca)

Without the IAmWorkin step-ca root CA in the runner image's system
trust store, .NET HttpClient calls from CI tests against
`*.iamworkin.lan` (e.g. `https://selenium.iamworkin.lan/session`) fail
with `The remote certificate is invalid because of errors in the
certificate chain: PartialChain`. FlowerCore.Print.Web's
`WebScreenshotService` unit tests hit this on every build.

Drop the step-ca root PEM into `/usr/local/share/ca-certificates/`,
run `update-ca-certificates` once during apt install, and let OpenSSL +
.NET-on-Linux read the regenerated `/etc/ssl/certs/ca-certificates.crt`
automatically — no `SSL_CERT_FILE` env var, no per-Deployment volume
mount.

Image rebuilt + saved + imported on all 3 schedulable RKE2 nodes
(rke2-server, rke2-agent1, rke2-agent2) before this PR — verified with
`ctr images list -q | grep stepca` on each node.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/github-runner/Dockerfile

@@ -12,6 +12,15 @@ ENV PATH="/home/runner/_tool/Ruby/${RUBY_MINOR}/x64/bin:/opt/runner-toolcache/Ru
 
 USER root
 
+# Bake the IAmWorkin step-ca root CA into the system trust store. Without
+# this, .NET HttpClient calls from CI tests against *.iamworkin.lan
+# (e.g. https://selenium.iamworkin.lan/session) fail with `PartialChain`
+# because the runner image's default Ubuntu trust bundle doesn't include
+# our internal Root CA. update-ca-certificates regenerates
+# /etc/ssl/certs/ca-certificates.crt, which OpenSSL + .NET on Linux read
+# automatically — no SSL_CERT_FILE env var needed.
+COPY step-ca-root.crt /usr/local/share/ca-certificates/iamworkin-step-ca-root.crt
+
 RUN apt-get update \
     && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
         autoconf \
@@ -31,6 +40,7 @@ RUN apt-get update \
         pkg-config \
         uuid-dev \
         zlib1g-dev \
+    && update-ca-certificates \
     && curl -fsSL "https://github.com/rbenv/ruby-build/archive/refs/tags/${RUBY_BUILD_VERSION}.tar.gz" -o /tmp/ruby-build.tar.gz \
     && mkdir -p /tmp/ruby-build \
     && tar -xzf /tmp/ruby-build.tar.gz --strip-components=1 -C /tmp/ruby-build \

apps/github-runner/README.md

@@ -7,7 +7,7 @@ Deployments with `kubectl`; update this manifest and let ArgoCD reconcile.
 
 All repo-scoped Linux runners use:
 
-- `localhost/fc-github-runner:v20260520-ruby3.3.11`, derived from
+- `localhost/fc-github-runner:v20260525-ruby3.3.11-stepca`, derived from
   `myoung34/github-runner:latest`
 - `ACCESS_TOKEN` from the `github-runner-token` Secret
 - `RUN_AS_ROOT=false`
@@ -40,14 +40,26 @@ still mounts an `emptyDir` over `/home/runner`, so the `setup-runner-home` init
 container copies the baked toolcache from `/opt/runner-toolcache/Ruby` into
 `/home/runner/_tool/Ruby` before the runner container starts.
 
+The IAmWorkin step-ca root CA is also baked into the system trust store
+(`/usr/local/share/ca-certificates/iamworkin-step-ca-root.crt`, registered by
+`update-ca-certificates`). Without it, .NET HttpClient calls from CI tests
+against `*.iamworkin.lan` (e.g. `https://selenium.iamworkin.lan/session`)
+fail with `PartialChain`. To refresh the bundled cert when the root rotates,
+re-extract from the cluster and overwrite `step-ca-root.crt`:
+
+```bash
+kubectl get secret -n cert-manager step-ca-root \
+  -o jsonpath='{.data.ca\.crt}' | base64 -d > step-ca-root.crt
+```
+
 ```bash
 cd apps/github-runner
-podman build -t localhost/fc-github-runner:v20260520-ruby3.3.11 .
+podman build -t localhost/fc-github-runner:v20260525-ruby3.3.11-stepca .
-podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 ruby -v
+podman run --rm localhost/fc-github-runner:v20260525-ruby3.3.11-stepca ruby -v
-podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 \
+podman run --rm localhost/fc-github-runner:v20260525-ruby3.3.11-stepca \
   test -f /opt/runner-toolcache/Ruby/3.3/x64.complete
-podman save localhost/fc-github-runner:v20260520-ruby3.3.11 \
+podman save localhost/fc-github-runner:v20260525-ruby3.3.11-stepca \
-  -o fc-github-runner-v20260520-ruby3.3.11.tar
+  -o fc-github-runner-v20260525-ruby3.3.11-stepca.tar
 ```
 
 Import the saved image on every schedulable RKE2 node before ArgoCD rolls the
@@ -55,9 +67,9 @@ Deployments:
 
 ```bash
 for node in rke2-server rke2-agent1 rke2-agent2; do
-  scp fc-github-runner-v20260520-ruby3.3.11.tar "$node:/tmp/"
+  scp fc-github-runner-v20260525-ruby3.3.11-stepca.tar "$node:/tmp/"
-  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images rm localhost/fc-github-runner:v20260520-ruby3.3.11 || true'
+  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images rm localhost/fc-github-runner:v20260525-ruby3.3.11-stepca || true'
-  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /tmp/fc-github-runner-v20260520-ruby3.3.11.tar'
+  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /tmp/fc-github-runner-v20260525-ruby3.3.11-stepca.tar'
 done
 ```
 

apps/github-runner/github-runner.yaml

@@ -22,7 +22,7 @@
 #   NUGET_PACKAGES, XDG_CACHE_HOME, and RUNNER_TOOL_CACHE are all pointed at
 #   writable mounted paths under /home/runner so actions/setup-dotnet does not
 #   attempt to install into /usr/share/dotnet.
-#   Ruby 3.3.11 is baked into localhost/fc-github-runner:v20260520-ruby3.3.11
+#   Ruby 3.3.11 is baked into localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
 #   under /opt/runner-toolcache; setup-runner-home copies it into
 #   /home/runner/_tool because the runner-home emptyDir masks image content
 #   under /home/runner at runtime.
@@ -157,7 +157,7 @@ spec:
       # honors the deeper mount.
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -178,7 +178,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             # GitHub org/repo targeting.
@@ -334,7 +334,7 @@ spec:
       # rather than re-applied per repo as flipped lanes land.
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -355,7 +355,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -472,7 +472,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -493,7 +493,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -604,7 +604,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -625,7 +625,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -736,7 +736,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -757,7 +757,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -868,7 +868,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -889,7 +889,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1003,7 +1003,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1024,7 +1024,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1135,7 +1135,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1156,7 +1156,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1267,7 +1267,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1288,7 +1288,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1399,7 +1399,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1420,7 +1420,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1533,7 +1533,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1554,7 +1554,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1667,7 +1667,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1688,7 +1688,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1802,7 +1802,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1823,7 +1823,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1936,7 +1936,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1957,7 +1957,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2070,7 +2070,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2091,7 +2091,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2204,7 +2204,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2225,7 +2225,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2337,7 +2337,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2358,7 +2358,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2471,7 +2471,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2492,7 +2492,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2604,7 +2604,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2625,7 +2625,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2737,7 +2737,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2758,7 +2758,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2870,7 +2870,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2891,7 +2891,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3003,7 +3003,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3024,7 +3024,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3136,7 +3136,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3157,7 +3157,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3270,7 +3270,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3291,7 +3291,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3404,7 +3404,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3425,7 +3425,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3538,7 +3538,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3559,7 +3559,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3672,7 +3672,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3693,7 +3693,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3806,7 +3806,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3827,7 +3827,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL

apps/github-runner/step-ca-root.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxDCCAWqgAwIBAgIRAPY357G6ow6zMAL5+4bS2kkwCgYIKoZIzj0EAwIwQDEa
+MBgGA1UEChMRSUFtV29ya2luIEFDTUUgQ0ExIjAgBgNVBAMTGUlBbVdvcmtpbiBB
+Q01FIENBIFJvb3QgQ0EwHhcNMjYwMzA4MTgwNzExWhcNMzYwMzA1MTgwNzExWjBA
+MRowGAYDVQQKExFJQW1Xb3JraW4gQUNNRSBDQTEiMCAGA1UEAxMZSUFtV29ya2lu
+IEFDTUUgQ0EgUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJ2n04X1
+JZo5Zdq/i1Idv8+fqwZyAzBh7whbqj0SWsJL8UWRabCMqYCs7+dXO0xRSzqkwFDL
+x+vooOai8RgRNhajRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/
+AgEBMB0GA1UdDgQWBBRnuPPQR6iM/H6vOluiU3Sygayz8jAKBggqhkjOPQQDAgNI
+ADBFAiEArQK9dYPGmAZsdYnjziuFVVE5NKZUcceYvGfGC+tLXUsCIAudF2zJrCRq
+3mK50ZZET/fwTkJwiEF4824mjP8p1CKM
+-----END CERTIFICATE-----

apps/selenium/network-policy.yaml

@@ -24,7 +24,16 @@
 #     (10.0.57.16:5200), public internet 80/443 (excluding RFC1918), and
 #     fc-signage:5190 for the signage AAT lane.
 #   - Ingress: Traefik (4444 + 8089 ACME-solver-style), intra-pod,
-#     telephony / gitea / fc-system / fc-signage namespaces on 4444.
+#     telephony / gitea / fc-system / fc-signage / github-runner namespaces
+#     on 4444.
+#
+# 2026-05-25: added github-runner ingress on 4444 so CI jobs running in
+# self-hosted runner pods (e.g. FlowerCore.Print.Web `help-screenshots`)
+# can reach the grid. Without this allow, the session POST to
+# `selenium-hub.selenium.svc.cluster.local:4444` was DNAT'd to the hub
+# pod IP and then dropped at the Calico ingress hook — Selenium UI showed
+# 0/4 sessions while the .NET HTTP client timed out at 60s. Same family
+# as `feedback_netpol_dnat_backend_port`, wrong-source-namespace flavor.
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -203,6 +212,13 @@ spec:
     ports:
     - port: 4444
       protocol: TCP
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: github-runner
+    ports:
+    - port: 4444
+      protocol: TCP
   podSelector: {}
   policyTypes:
   - Ingress

apps/selenium/selenium-grid.yaml

@@ -0,0 +1,412 @@
+# Selenium Grid 4 — RKE2 deployment
+#
+# Hub + chrome + firefox + edge browser nodes serving fleet-wide AAT runs from
+# the GitHub Actions self-hosted runners. ArgoCD owns this namespace from
+# 2026-05-25 (`infra-selenium` Application; previously these resources were
+# orphan kubectl-applied since 2026-03-15).
+#
+# Endpoints:
+#   - Internal cluster: http://selenium-hub.selenium.svc.cluster.local:4444
+#   - LAN LoadBalancer (MetalLB): http://10.0.56.208:4444
+#   - Traefik public: https://selenium.iamworkin.lan
+#
+# Browser maxSessions:
+#   - chrome 2  (bumped from 1 on 2026-05-25 morning-routine — AAT-heavy
+#                Print.Web help-screenshots was the global bottleneck;
+#                see commit history for ops/runner-replica-rightsize)
+#   - firefox 1
+#   - edge 1
+#
+# Screenshots + video recording write to NFS via the chrome video sidecar.
+# See: CLAUDE.md "Selenium Grid & Visual AAT Testing" + bluejay-infra ADR notes.
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: selenium-hub
+    app.kubernetes.io/name: selenium-hub
+    app.kubernetes.io/part-of: selenium-grid
+  name: selenium-hub
+  namespace: selenium
+spec:
+  ports:
+  - name: web
+    port: 4444
+    targetPort: 4444
+  - name: publish
+    port: 4442
+    targetPort: 4442
+  - name: subscribe
+    port: 4443
+    targetPort: 4443
+  selector:
+    app: selenium-hub
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    metallb.io/ip-allocated-from-pool: bluejay-pool
+    metallb.universe.tf/loadBalancerIPs: 10.0.56.208
+  labels:
+    app: selenium-hub
+    component: external-access
+  name: selenium-hub-external
+  namespace: selenium
+spec:
+  clusterIP: 10.43.90.147
+  clusterIPs:
+  - 10.43.90.147
+  externalTrafficPolicy: Local
+  healthCheckNodePort: 32213
+  ports:
+  - name: web
+    nodePort: 32411
+    port: 4444
+    targetPort: 4444
+  - name: publish
+    nodePort: 32068
+    port: 4442
+    targetPort: 4442
+  - name: subscribe
+    nodePort: 31000
+    port: 4443
+    targetPort: 4443
+  selector:
+    app: selenium-hub
+  type: LoadBalancer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: selenium-hub
+    app.kubernetes.io/name: selenium-hub
+    app.kubernetes.io/part-of: selenium-grid
+  name: selenium-hub
+  namespace: selenium
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: selenium-hub
+  template:
+    metadata:
+      labels:
+        app: selenium-hub
+        app.kubernetes.io/name: selenium-hub
+        app.kubernetes.io/part-of: selenium-grid
+    spec:
+      containers:
+      - env:
+        - name: SE_NODE_SESSION_TIMEOUT
+          value: '300'
+        - name: SE_SESSION_REQUEST_TIMEOUT
+          value: '300'
+        - name: SE_SESSION_RETRY_INTERVAL
+          value: '5'
+        - name: JAVA_OPTS
+          value: -Xmx512m
+        image: selenium/hub:4.27.0
+        livenessProbe:
+          httpGet:
+            path: /wd/hub/status
+            port: 4444
+          initialDelaySeconds: 30
+          periodSeconds: 15
+          timeoutSeconds: 5
+        name: selenium-hub
+        ports:
+        - containerPort: 4444
+          name: web
+        - containerPort: 4442
+          name: publish
+        - containerPort: 4443
+          name: subscribe
+        readinessProbe:
+          httpGet:
+            path: /wd/hub/status
+            port: 4444
+          initialDelaySeconds: 10
+          periodSeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 500m
+            memory: 1Gi
+          requests:
+            cpu: 250m
+            memory: 512Mi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: selenium-node-chrome
+    app.kubernetes.io/name: selenium-node-chrome
+    app.kubernetes.io/part-of: selenium-grid
+  name: selenium-node-chrome
+  namespace: selenium
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: selenium-node-chrome
+  template:
+    metadata:
+      labels:
+        app: selenium-node-chrome
+        app.kubernetes.io/name: selenium-node-chrome
+        app.kubernetes.io/part-of: selenium-grid
+    spec:
+      containers:
+      - env:
+        - name: SE_EVENT_BUS_HOST
+          value: selenium-hub
+        - name: SE_EVENT_BUS_PUBLISH_PORT
+          value: '4442'
+        - name: SE_EVENT_BUS_SUBSCRIBE_PORT
+          value: '4443'
+        - name: SE_NODE_MAX_SESSIONS
+          value: '2'
+        - name: SE_NODE_OVERRIDE_MAX_SESSIONS
+          value: 'false'
+        - name: SE_VNC_NO_PASSWORD
+          value: '1'
+        - name: SE_SCREEN_WIDTH
+          value: '1920'
+        - name: SE_SCREEN_HEIGHT
+          value: '1080'
+        - name: SE_NODE_SESSION_TIMEOUT
+          value: '300'
+        image: selenium/node-chrome:4.27.0
+        livenessProbe:
+          httpGet:
+            path: /status
+            port: 5555
+          initialDelaySeconds: 30
+          periodSeconds: 15
+        name: selenium-chrome
+        ports:
+        - containerPort: 5555
+          name: node
+        readinessProbe:
+          httpGet:
+            path: /status
+            port: 5555
+          initialDelaySeconds: 15
+          periodSeconds: 5
+        resources:
+          limits:
+            cpu: '1'
+            memory: 1Gi
+          requests:
+            cpu: 500m
+            memory: 512Mi
+        volumeMounts:
+        - mountPath: /dev/shm
+          name: dshm
+      - env:
+        - name: DISPLAY_CONTAINER_NAME
+          value: localhost
+        - name: SE_SCREEN_WIDTH
+          value: '1920'
+        - name: SE_SCREEN_HEIGHT
+          value: '1080'
+        - name: SE_VIDEO_FILE_NAME
+          value: auto
+        - name: SE_VIDEO_UPLOAD_ENABLED
+          value: 'false'
+        image: selenium/video:ffmpeg-7.1-20250101
+        name: video
+        resources:
+          limits:
+            cpu: 500m
+            memory: 768Mi
+          requests:
+            cpu: 250m
+            memory: 384Mi
+        volumeMounts:
+        - mountPath: /videos
+          name: selenium-videos
+      volumes:
+      - emptyDir:
+          medium: Memory
+          sizeLimit: 2Gi
+        name: dshm
+      - emptyDir:
+          sizeLimit: 5Gi
+        name: selenium-videos
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: selenium-node-firefox
+    app.kubernetes.io/name: selenium-node-firefox
+    app.kubernetes.io/part-of: selenium-grid
+  name: selenium-node-firefox
+  namespace: selenium
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: selenium-node-firefox
+  template:
+    metadata:
+      labels:
+        app: selenium-node-firefox
+        app.kubernetes.io/name: selenium-node-firefox
+        app.kubernetes.io/part-of: selenium-grid
+    spec:
+      containers:
+      - env:
+        - name: SE_EVENT_BUS_HOST
+          value: selenium-hub
+        - name: SE_EVENT_BUS_PUBLISH_PORT
+          value: '4442'
+        - name: SE_EVENT_BUS_SUBSCRIBE_PORT
+          value: '4443'
+        - name: SE_NODE_MAX_SESSIONS
+          value: '1'
+        - name: SE_NODE_OVERRIDE_MAX_SESSIONS
+          value: 'true'
+        - name: SE_VNC_NO_PASSWORD
+          value: '1'
+        - name: SE_START_VNC
+          value: 'false'
+        - name: SE_SCREEN_WIDTH
+          value: '1920'
+        - name: SE_SCREEN_HEIGHT
+          value: '1080'
+        - name: SE_NODE_SESSION_TIMEOUT
+          value: '300'
+        image: selenium/node-firefox:4.27.0
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /status
+            port: 5555
+          initialDelaySeconds: 30
+          periodSeconds: 15
+          timeoutSeconds: 5
+        name: selenium-firefox
+        ports:
+        - containerPort: 5555
+          name: node
+        readinessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /status
+            port: 5555
+          initialDelaySeconds: 15
+          periodSeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: '1'
+            memory: 2Gi
+          requests:
+            cpu: 500m
+            memory: 1Gi
+        volumeMounts:
+        - mountPath: /dev/shm
+          name: dshm
+      volumes:
+      - emptyDir:
+          medium: Memory
+          sizeLimit: 2Gi
+        name: dshm
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: selenium-node-edge
+    app.kubernetes.io/name: selenium-node-edge
+    app.kubernetes.io/part-of: selenium-grid
+  name: selenium-node-edge
+  namespace: selenium
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: selenium-node-edge
+  template:
+    metadata:
+      labels:
+        app: selenium-node-edge
+        app.kubernetes.io/name: selenium-node-edge
+        app.kubernetes.io/part-of: selenium-grid
+    spec:
+      containers:
+      - env:
+        - name: SE_EVENT_BUS_HOST
+          value: selenium-hub
+        - name: SE_EVENT_BUS_PUBLISH_PORT
+          value: '4442'
+        - name: SE_EVENT_BUS_SUBSCRIBE_PORT
+          value: '4443'
+        - name: SE_NODE_MAX_SESSIONS
+          value: '1'
+        - name: SE_NODE_OVERRIDE_MAX_SESSIONS
+          value: 'true'
+        - name: SE_VNC_NO_PASSWORD
+          value: '1'
+        - name: SE_SCREEN_WIDTH
+          value: '1920'
+        - name: SE_SCREEN_HEIGHT
+          value: '1080'
+        - name: SE_NODE_SESSION_TIMEOUT
+          value: '300'
+        image: selenium/node-edge:4.27.0
+        livenessProbe:
+          httpGet:
+            path: /status
+            port: 5555
+          initialDelaySeconds: 30
+          periodSeconds: 15
+        name: selenium-edge
+        ports:
+        - containerPort: 5555
+          name: node
+        readinessProbe:
+          httpGet:
+            path: /status
+            port: 5555
+          initialDelaySeconds: 15
+          periodSeconds: 5
+        resources:
+          limits:
+            cpu: '1'
+            memory: 1Gi
+          requests:
+            cpu: 500m
+            memory: 512Mi
+        volumeMounts:
+        - mountPath: /dev/shm
+          name: dshm
+      volumes:
+      - emptyDir:
+          medium: Memory
+          sizeLimit: 2Gi
+        name: dshm
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: selenium-hub
+  namespace: selenium
+spec:
+  entryPoints:
+  - websecure
+  routes:
+  - kind: Rule
+    match: Host(`selenium.iamworkin.lan`)
+    services:
+    - name: selenium-hub
+      port: 4444
+  tls:
+    secretName: selenium-tls